Addres PR review feedback

Author: data-douser

client/src/lib/mcp-test-suite.js

@@ -148,6 +148,7 @@ export class MCPTestSuite {
       const result = await this.client.getPrompt({
         name: "explain_codeql_query",
         arguments: {
+          databasePath: "nonexistent/path/to/database",
           queryPath: "nonexistent/path/to/query.ql",
           language: "javascript"
         }

extensions/vscode/test/suite/mcp-prompt-e2e.integration.test.ts

@@ -126,7 +126,6 @@ suite('MCP Prompt Error Handling Integration Tests', () => {
     const result = await client.getPrompt({
       name: 'explain_codeql_query',
       arguments: {
-        databasePath: 'nonexistent/database',
         queryPath: 'nonexistent/path/to/query.ql',
         language: 'javascript',
       },
@@ -154,7 +153,6 @@ suite('MCP Prompt Error Handling Integration Tests', () => {
     const result = await client.getPrompt({
       name: 'explain_codeql_query',
       arguments: {
-        databasePath: existingFile,
         queryPath: existingFile,
         language: 'javascript',
       },
@@ -185,7 +183,6 @@ suite('MCP Prompt Error Handling Integration Tests', () => {
       const result = await client.getPrompt({
         name: 'explain_codeql_query',
         arguments: {
-          databasePath: '/some/db',
           queryPath: '/some/query.ql',
           language: 'rust',
         },
@@ -247,7 +244,7 @@ suite('MCP Prompt Error Handling Integration Tests', () => {
 
     const text = getFirstMessageText(result);
     assert.ok(
-      text.includes('path traversal') || text.includes('Invalid file path'),
+      text.includes('resolves outside the workspace root') || text.includes('does not exist'),
       `Response should warn about path traversal. Got:\n${text.slice(0, 500)}`,
     );
 

server/dist/codeql-development-mcp-server.js

@@ -64476,12 +64476,6 @@ function resolvePromptFilePath(filePath, workspaceRoot) {
   }
   const effectiveRoot = workspaceRoot ?? getUserWorkspaceDir();
   const normalizedPath = normalize(filePath);
-  if (normalizedPath.includes("..")) {
-    return {
-      resolvedPath: filePath,
-      warning: `\u26A0 **Invalid file path** \u2014 path traversal detected in \`${filePath}\`. Please provide a path within your workspace.`
-    };
-  }
   const absolutePath = isAbsolute7(normalizedPath) ? normalizedPath : resolve13(effectiveRoot, normalizedPath);
   const rel = relative(effectiveRoot, absolutePath);
   if (rel.startsWith("..") || isAbsolute7(rel)) {
@@ -64532,7 +64526,7 @@ var describeFalsePositivesSchema = external_exports.object({
   queryPath: external_exports.string().describe("Path to the CodeQL query file")
 });
 var explainCodeqlQuerySchema = external_exports.object({
-  databasePath: external_exports.string().describe("Path to a CodeQL database for profiling"),
+  databasePath: external_exports.string().optional().describe("Path to a CodeQL database for profiling"),
   language: external_exports.enum(SUPPORTED_LANGUAGES).describe("Programming language of the query"),
   queryPath: external_exports.string().describe("Path to the CodeQL query file (.ql or .qlref)")
 });
@@ -64951,16 +64945,21 @@ ${content}`
         const qpResult = resolvePromptFilePath(queryPath);
         const resolvedQueryPath = qpResult.resolvedPath;
         if (qpResult.warning) warnings.push(qpResult.warning);
-        const dbResult = resolvePromptFilePath(databasePath);
-        const resolvedDatabasePath = dbResult.resolvedPath;
-        if (dbResult.warning) warnings.push(dbResult.warning);
+        let resolvedDatabasePath = databasePath;
+        if (databasePath) {
+          const dbResult = resolvePromptFilePath(databasePath);
+          resolvedDatabasePath = dbResult.resolvedPath;
+          if (dbResult.warning) warnings.push(dbResult.warning);
+        }
         let contextSection = "## Query to Explain\n\n";
         contextSection += `- **Query Path**: ${resolvedQueryPath}
 `;
         contextSection += `- **Language**: ${language}
 `;
-        contextSection += `- **Database Path**: ${resolvedDatabasePath}
+        if (resolvedDatabasePath) {
+          contextSection += `- **Database Path**: ${resolvedDatabasePath}
 `;
+        }
         contextSection += "\n";
         const warningSection = warnings.length > 0 ? warnings.join("\n") + "\n\n" : "";
         return {

server/dist/codeql-development-mcp-server.js.map

@@ -70,21 +70,14 @@ export function resolvePromptFilePath(
   // Normalise first to collapse any . or .. segments.
   const normalizedPath = normalize(filePath);
 
-  // Detect path traversal attempts.
-  if (normalizedPath.includes('..')) {
-    return {
-      resolvedPath: filePath,
-      warning: `⚠ **Invalid file path** — path traversal detected in \`${filePath}\`. Please provide a path within your workspace.`,
-    };
-  }
-
   // Resolve to absolute path.
   const absolutePath = isAbsolute(normalizedPath)
     ? normalizedPath
     : resolve(effectiveRoot, normalizedPath);
 
-  // If a workspace root was given (or inferred), verify the resolved path
-  // stays within it.
+  // Verify the resolved path stays within the workspace root.
+  // This catches path traversal (e.g. "../../etc/passwd") after full
+  // resolution rather than relying on a fragile substring check.
   const rel = relative(effectiveRoot, absolutePath);
   if (rel.startsWith('..') || isAbsolute(rel)) {
     return {
@@ -253,12 +246,13 @@ export const describeFalsePositivesSchema = z.object({
 /**
  * Schema for explain_codeql_query prompt parameters.
  *
- * All three parameters are **required** – the prompt needs a query, its
- * language, and a database to produce meaningful profiling output.
+ * - `queryPath` and `language` are **required**.
+ * - `databasePath` is optional – a database may also be derived from tests.
  */
 export const explainCodeqlQuerySchema = z.object({
   databasePath: z
     .string()
+    .optional()
     .describe('Path to a CodeQL database for profiling'),
   language: z
     .enum(SUPPORTED_LANGUAGES)
@@ -881,14 +875,19 @@ export function registerWorkflowPrompts(server: McpServer): void {
         const resolvedQueryPath = qpResult.resolvedPath;
         if (qpResult.warning) warnings.push(qpResult.warning);
 
-        const dbResult = resolvePromptFilePath(databasePath);
-        const resolvedDatabasePath = dbResult.resolvedPath;
-        if (dbResult.warning) warnings.push(dbResult.warning);
+        let resolvedDatabasePath = databasePath;
+        if (databasePath) {
+          const dbResult = resolvePromptFilePath(databasePath);
+          resolvedDatabasePath = dbResult.resolvedPath;
+          if (dbResult.warning) warnings.push(dbResult.warning);
+        }
 
         let contextSection = '## Query to Explain\n\n';
         contextSection += `- **Query Path**: ${resolvedQueryPath}\n`;
         contextSection += `- **Language**: ${language}\n`;
-        contextSection += `- **Database Path**: ${resolvedDatabasePath}\n`;
+        if (resolvedDatabasePath) {
+          contextSection += `- **Database Path**: ${resolvedDatabasePath}\n`;
+        }
         contextSection += '\n';
 
         const warningSection = warnings.length > 0

server/src/prompts/workflow-prompts.ts

@@ -12,7 +12,7 @@
  * 7. All SUPPORTED_LANGUAGES are accepted by every schema with a language field.
  */
 
-import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest';
 import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
 import {
   buildToolsQueryContext,
@@ -526,45 +526,56 @@ describe('Workflow Prompts', () => {
 
     it('should accept required queryPath and language', () => {
       const result = explainCodeqlQuerySchema.safeParse({
-        databasePath: '/db',
         language: 'javascript',
         queryPath: '/q.ql',
       });
       expect(result.success).toBe(true);
     });
 
-    it('should reject missing databasePath', () => {
+    it('should accept optional databasePath', () => {
       const result = explainCodeqlQuerySchema.safeParse({
+        databasePath: '/db',
         language: 'python',
         queryPath: '/q.ql',
       });
-      expect(result.success).toBe(false);
+      expect(result.success).toBe(true);
+      if (result.success) {
+        expect(result.data.databasePath).toBe('/db');
+      }
+    });
+
+    it('should leave databasePath as undefined when omitted', () => {
+      const result = explainCodeqlQuerySchema.safeParse({
+        language: 'go',
+        queryPath: '/q.ql',
+      });
+      expect(result.success).toBe(true);
+      if (result.success) {
+        expect(result.data.databasePath).toBeUndefined();
+      }
     });
 
     it('should reject missing queryPath', () => {
       const result = explainCodeqlQuerySchema.safeParse({
-        databasePath: '/db',
         language: 'java',
       });
       expect(result.success).toBe(false);
     });
 
     it('should reject missing language', () => {
       const result = explainCodeqlQuerySchema.safeParse({
-        databasePath: '/db',
         queryPath: '/q.ql',
       });
       expect(result.success).toBe(false);
     });
 
-    it('should reject empty object (all three fields required)', () => {
+    it('should reject empty object (both required fields missing)', () => {
       const result = explainCodeqlQuerySchema.safeParse({});
       expect(result.success).toBe(false);
     });
 
     it.each([...SUPPORTED_LANGUAGES])('should accept language "%s"', (lang) => {
       const result = explainCodeqlQuerySchema.safeParse({
-        databasePath: '/db',
         language: lang,
         queryPath: '/q.ql',
       });
@@ -820,8 +831,8 @@ describe('Workflow Prompts', () => {
       {
         name: 'explainCodeqlQuerySchema',
         schema: explainCodeqlQuerySchema,
-        required: ['databasePath', 'language', 'queryPath'],
-        optional: [],
+        required: ['language', 'queryPath'],
+        optional: ['databasePath'],
       },
       {
         name: 'documentCodeqlQuerySchema',
@@ -1054,7 +1065,7 @@ describe('Workflow Prompts', () => {
       const minimalArgs: Record<string, Record<string, string>> = {
         check_for_duplicated_code: { queryPath: '/q.ql' },
         document_codeql_query: { language: 'java', queryPath: '/q.ql' },
-        explain_codeql_query: { databasePath: '/db', language: 'java', queryPath: '/q.ql' },
+        explain_codeql_query: { language: 'java', queryPath: '/q.ql' },
         find_overlapping_queries: { language: 'cpp', queryDescription: 'detect placement-new on non-trivial types' },
         ql_lsp_iterative_development: { language: 'ruby', queryPath: '/q.ql' },
         ql_tdd_advanced: { language: 'javascript' },
@@ -1266,7 +1277,7 @@ describe('Workflow Prompts', () => {
       expect(result.messages[0].content.text).toContain('Invalid input');
     });
 
-    it('explain_codeql_query handler should include all required params', async () => {
+    it('explain_codeql_query handler should include all params when provided', async () => {
       const handler = getRegisteredHandler(mockServer, 'explain_codeql_query');
       const result: PromptResult = await handler({
         databasePath: '/db/path',
@@ -1279,14 +1290,14 @@ describe('Workflow Prompts', () => {
       expect(text).toContain('**Database Path**: /db/path');
     });
 
-    it('explain_codeql_query handler should return inline error when databasePath missing', async () => {
+    it('explain_codeql_query handler should omit Database Path when not provided', async () => {
       const handler = getRegisteredHandler(mockServer, 'explain_codeql_query');
       const result: PromptResult = await handler({
         language: 'java',
         queryPath: '/q.ql',
       });
       const text = result.messages[0].content.text;
-      expect(text).toContain('Invalid input');
+      expect(text).not.toContain('**Database Path**');
     });
 
     it('document_codeql_query handler should include queryPath and language', async () => {
@@ -1720,7 +1731,7 @@ describe('Workflow Prompts', () => {
     it('should return a warning for path traversal attempts', () => {
       const result = resolvePromptFilePath('../../../etc/passwd', testDir);
       expect(result.warning).toBeDefined();
-      expect(result.warning).toContain('path traversal');
+      expect(result.warning).toContain('resolves outside the workspace root');
     });
 
     it('should return the original path as resolvedPath even for invalid paths', () => {