fix(cli): reject multi-statement sql mcp queries

[tmchow]

Summary

Generated MCP sql tools now reject SELECT-prefix multi-statement payloads before the read-only keyword allowlist runs. A query like SELECT 1; ATTACH DATABASE ... no longer reaches SQLite, while legitimate single-statement reads still allow trailing terminators, trailing comments, and semicolons inside quoted SQL tokens.

This keeps the readOnlyHint contract true for printed CLIs that expose SQL over the local SQLite store, including the modernc.org/sqlite cases where ATTACH DATABASE and VACUUM INTO can write outside the primary read-only handle.

Closes #2799

Verification

• go test ./internal/generator -run '^TestGenerateMCPSQLToolUsesReadOnlyStore$'
• scripts/verify-generator-output.sh generate-golden-api generate-mcp-api
• go test ./...
• scripts/golden.sh verify

[mergify]

Merge Protections

Your pull request matches the following merge protections and will not be merged until they are valid.

🟢 require-ready-label-and-ci

Wonderful, this rule succeeded.

• #changes-requested-reviews-by = 0
• #review-threads-unresolved = 0
• check-success = build-and-test
• check-success = generated-test
• check-success = go-lint
• check-success = golden
• check-success = pr-title
• check-success = test
• any of:
  • label = ready-to-merge
  • all of:
    • head = release-please--branches--main
    • title ~= ^chore\(main\): release
• any of:
  • -files ~= ^(\.github/workflows/|\.github/scripts/|scripts/|\.github/CODEOWNERS$)
  • author = tmchow
  • approved-reviews-by = mvanhorn
  • approved-reviews-by = tmchow
  • author = mvanhorn
• any of:
  • check-success = Greptile Review
  • label = queued
  • check-neutral = Greptile Review
  • check-skipped = Greptile Review
  • head ~= ^mergify/merge-queue/
  • all of:
    • head = release-please--branches--main
    • title ~= ^chore\(main\): release

[greptile-apps]

Greptile Summary

This PR closes a second-order bypass in the MCP SQL read-only gate: a SELECT-prefix query like SELECT 1; ATTACH DATABASE ... previously passed the allowlist check because the leading keyword was valid, even though the semicolon-separated tail contained a mutating statement. The fix adds hasTrailingSQLStatement, a byte-level scanner that respects all five SQLite quoting contexts (', ", `, [...], /* */, --), and calls it on the stripped query before the SELECT/WITH prefix check.

• hasTrailingSQLStatement is added to the template and propagated to all four golden output files; the generator test now also asserts the generated package compiles via requireGeneratedCompiles.
• New test vectors cover the exact attack payloads (multi-statement with ATTACH DATABASE, DROP TABLE, VACUUM INTO, and CTE form), as well as legitimate queries where semicolons appear inside string literals or identifiers.

Confidence Score: 5/5

The change is safe to merge — it tightens the existing security gate without altering any passing behavior, and all four generated golden outputs are updated consistently.

The new hasTrailingSQLStatement byte scanner is logically sound: it correctly tracks all five SQLite quoting contexts, the early-return on the first terminator-with-no-trailing-SQL is safe because stripLeadingSQLNoise (called as the trailing check) itself strips nested semicolons and noise, and the generator test now enforces both symbol presence and successful compilation of the emitted code.

No files require special attention.

Important Files Changed

Filename	Overview
internal/generator/templates/mcp_tools.go.tmpl	Adds hasTrailingSQLStatement with correct quote/comment-aware byte scanning; validateReadOnlyQuery now calls it before the allowlist check. Logic and early-return semantics are sound.
internal/generator/templates/mcp_tools_test.go.tmpl	Adds TestHasTrailingSQLStatement with 16 cases covering all quoting types and comment forms, plus new rejection vectors in TestValidateReadOnlyQuery_RejectsBypassVectors.
internal/generator/generator_test.go	Asserts hasTrailingSQLStatement and TestHasTrailingSQLStatement symbols are present in generated output, and adds requireGeneratedCompiles to catch template regressions at compile time.
testdata/golden/expected/generate-golden-api/printing-press-golden/internal/mcp/tools.go	Golden file updated consistently with the template change; diff is identical to the other three golden outputs.
testdata/golden/expected/generate-golden-api-rich-auth/printing-press-rich-auth/internal/mcp/tools.go	Golden file updated consistently with the template change.
testdata/golden/expected/generate-mcp-api/mcp-cloudflare/internal/mcp/tools.go	Golden file updated consistently with the template change.
testdata/golden/expected/generate-tier-routing-api/tier-routing-golden/internal/mcp/tools.go	Golden file updated consistently with the template change.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[handleSQL receives query] --> B[validateReadOnlyQuery]
    B --> C[stripLeadingSQLNoise\nremove leading whitespace,\ncomments, semicolons]
    C --> D{hasTrailingSQLStatement?}
    D -- true --> E[error: only a single\nSELECT or WITH statement\nis allowed]
    D -- false --> F{HasPrefix SELECT\nor WITH?}
    F -- false --> G[error: only SELECT\nqueries are allowed]
    F -- true --> H[OpenReadOnly DB\nmode=ro]
    H --> I[Execute query]

Loading

_{Reviews (2): Last reviewed commit: "fix(cli): clarify sql mcp validation mes..." | Re-trigger Greptile}

[mergify]

Merge Queue Status

• ✅ Entered queue — 2026-06-07 20:10 UTC · Rule: default
• ✅ Checks passed · on draft merge queue: embarking main (2a98ea1), #2814, #2808 and #2811 together #2840
• ✅ Merged — 2026-06-07 20:37 UTC · at d5013f1e55b63bf07c01a6e2ebf9b8de4a29b609 · squash

This pull request spent 26 minutes 53 seconds in the queue, including 22 minutes 13 seconds running CI.

Required conditions to merge

• check-success = build-and-test
• check-success = generated-test
• check-success = go-lint
• check-success = golden
• check-success = test
• all of [🛡 Merge Protections rule require-ready-label-and-ci]:
  • #changes-requested-reviews-by = 0
    • fix(cli): reject multi-statement sql mcp queries #2811
  • #review-threads-unresolved = 0
    • fix(cli): reject multi-statement sql mcp queries #2811
  • check-success = build-and-test
  • check-success = generated-test
  • check-success = go-lint
  • check-success = golden
  • check-success = pr-title
  • check-success = test
  • any of:
    • label = ready-to-merge
      • fix(cli): reject multi-statement sql mcp queries #2811
    • all of:
      • head = release-please--branches--main
        • fix(cli): reject multi-statement sql mcp queries #2811
      • title ~= ^chore\(main\): release
        • fix(cli): reject multi-statement sql mcp queries #2811
  • any of:
    • -files ~= ^(\.github/workflows/|\.github/scripts/|scripts/|\.github/CODEOWNERS$)
    • author = tmchow
      • fix(cli): reject multi-statement sql mcp queries #2811
    • approved-reviews-by = mvanhorn
      • fix(cli): reject multi-statement sql mcp queries #2811
    • approved-reviews-by = tmchow
      • fix(cli): reject multi-statement sql mcp queries #2811
    • author = mvanhorn
      • fix(cli): reject multi-statement sql mcp queries #2811
  • any of:
    • label = queued
      • fix(cli): reject multi-statement sql mcp queries #2811
    • check-neutral = Greptile Review
    • check-skipped = Greptile Review
    • check-success = Greptile Review
    • head ~= ^mergify/merge-queue/
      • fix(cli): reject multi-statement sql mcp queries #2811
    • all of:
      • head = release-please--branches--main
        • fix(cli): reject multi-statement sql mcp queries #2811
      • title ~= ^chore\(main\): release
        • fix(cli): reject multi-statement sql mcp queries #2811
• any of [🛡 GitHub branch protection]:
  • check-neutral = Mergify Merge Protections
  • check-skipped = Mergify Merge Protections
  • check-success = Mergify Merge Protections