Skip to content

Added query parameterization#2355

Open
xiangyan99 wants to merge 9 commits intomainfrom
query_parameterization
Open

Added query parameterization#2355
xiangyan99 wants to merge 9 commits intomainfrom
query_parameterization

Conversation

@xiangyan99
Copy link
Copy Markdown
Member

@xiangyan99 xiangyan99 commented Apr 7, 2026

What does this PR do?

[Provide a clear, concise description of the changes]

Added query parameterization

[Add additional context, screenshots, or information that helps reviewers]

GitHub issue number?

[Link to the GitHub issue this PR addresses]

Pre-merge Checklist

  • Required for All PRs
    • Read contribution guidelines
    • PR title clearly describes the change
    • Commit history is clean with descriptive messages (cleanup guide)
    • Added comprehensive tests for new/modified functionality
    • Created a changelog entry if the change falls among the following: new feature, bug fix, UI/UX update, breaking change, or updated dependencies. Follow the changelog entry guide
  • For MCP tool changes:
    • One tool per PR: This PR adds or modifies only one MCP tool for faster review cycles
    • Updated servers/Azure.Mcp.Server/README.md and/or servers/Fabric.Mcp.Server/README.md documentation
    • Validate README.md changes running the script ./eng/scripts/Process-PackageReadMe.ps1. See Package README
    • For new or modified tool descriptions, ran ToolDescriptionEvaluator and obtained a score of 0.4 or more and a top 3 ranking for all related test prompts
    • For tools with new names, including new tools or renamed tools, update consolidated-tools.json
    • For renamed tools, follow the Tool Rename Checklist and tag the PR with the breaking-change label
    • For new tools associated with Azure services or publicly available tools/APIs/products, add URL to documentation in the PR description
  • Extra steps for Azure MCP Server tool changes:
    • Updated command list in servers/Azure.Mcp.Server/docs/azmcp-commands.md
    • Ran ./eng/scripts/Update-AzCommandsMetadata.ps1 to update tool metadata in azmcp-commands.md (required for CI)
    • Updated test prompts in servers/Azure.Mcp.Server/docs/e2eTestPrompts.md
    • 👉 For Community (non-Microsoft team member) PRs:
      • Security review: Reviewed code for security vulnerabilities, malicious code, or suspicious activities before running tests (crypto mining, spam, data exfiltration, etc.)
      • Manual tests run: added comment /azp run mcp - pullrequest - live to run Live Test Pipeline

Copilot AI review requested due to automatic review settings April 7, 2026 17:26
@xiangyan99 xiangyan99 requested review from a team, kk-src, mattkohnms, wchigit and xfz11 as code owners April 7, 2026 17:26
@github-project-automation github-project-automation bot moved this to Untriaged in Azure MCP Server Apr 7, 2026
Copilot AI reviewed Apr 7, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds shared query-safety helpers in Microsoft.Mcp.Core and wires them into multiple tools to reduce injection risk by parameterizing SQL string literals and escaping/sanitizing KQL inputs.

Changes:

  • Introduces SqlQueryParameterizer (SQL string-literal parameterization) and KqlSanitizer (KQL escaping/sanitization) in Microsoft.Mcp.Core.Helpers.
  • Updates MySQL/Postgres/Cosmos query execution paths to bind extracted parameters instead of embedding string literals directly.
  • Updates Kusto/Monitor/Deploy KQL construction/execution to validate and/or escape identifiers and string values; adds unit tests and a changelog entry.

Reviewed changes

Copilot reviewed 18 out of 18 changed files in this pull request and generated 7 comments.

Show a summary per file
File Description
tools/Azure.Mcp.Tools.Postgres/tests/Azure.Mcp.Tools.Postgres.UnitTests/Services/PostgresServiceParameterizationTests.cs Adds unit tests covering SQL string-literal parameterization behavior (Postgres dialect).
tools/Azure.Mcp.Tools.Postgres/src/Services/PostgresService.cs Applies parameterization before creating/executing NpgsqlCommand.
tools/Azure.Mcp.Tools.MySql/tests/Azure.Mcp.Tools.MySql.UnitTests/Services/MySqlServiceParameterizationTests.cs Adds unit tests covering SQL string-literal parameterization behavior (MySQL dialect).
tools/Azure.Mcp.Tools.MySql/src/Services/MySqlService.cs Applies parameterization before executing MySqlCommand.
tools/Azure.Mcp.Tools.Monitor/tests/Azure.Mcp.Tools.Monitor.UnitTests/MonitorServiceKqlEscapingTests.cs Adds unit tests for KQL identifier escaping helper usage.
tools/Azure.Mcp.Tools.Monitor/src/Services/MonitorService.cs Escapes the table placeholder in predefined KQL queries.
tools/Azure.Mcp.Tools.Kusto/tests/Azure.Mcp.Tools.Kusto.UnitTests/SanitizeKqlStringLiteralsTests.cs Adds unit tests for KQL string literal sanitization.
tools/Azure.Mcp.Tools.Kusto/tests/Azure.Mcp.Tools.Kusto.UnitTests/KqlQueryValidatorTests.cs Adds unit tests for KQL query safety validation rules.
tools/Azure.Mcp.Tools.Kusto/src/Validation/KqlQueryValidator.cs Introduces KQL query validation to block comments, management commands, stacked statements, and common tautologies.
tools/Azure.Mcp.Tools.Kusto/src/Services/KustoService.cs Adds KQL validation + string-literal sanitization before query execution; refactors identifier escaping to shared helper.
tools/Azure.Mcp.Tools.Deploy/tests/Azure.Mcp.Tools.Deploy.UnitTests/Services/AzdAppLogRetrieverKqlEscapingTests.cs Adds unit tests for KQL string value escaping used in Deploy log queries.
tools/Azure.Mcp.Tools.Deploy/src/Services/Util/AzdAppLogRetriever.cs Escapes user-provided values interpolated into KQL log queries.
tools/Azure.Mcp.Tools.Deploy/src/AssemblyInfo.cs Updates InternalsVisibleTo list to include Deploy unit tests.
tools/Azure.Mcp.Tools.Cosmos/tests/Azure.Mcp.Tools.Cosmos.UnitTests/CosmosServiceParameterizationTests.cs Adds unit tests covering SQL string-literal parameterization behavior for Cosmos SQL queries.
tools/Azure.Mcp.Tools.Cosmos/src/Services/CosmosService.cs Applies parameterization and binds parameters via QueryDefinition.WithParameter.
servers/Azure.Mcp.Server/changelog-entries/1775582739966.yaml Adds a changelog entry describing the new parameterization/sanitization behavior.
core/Microsoft.Mcp.Core/src/Helpers/SqlQueryParameterizer.cs Adds a shared SQL single-quoted literal parser/parameterizer with dialect support.
core/Microsoft.Mcp.Core/src/Helpers/KqlSanitizer.cs Adds shared helpers for escaping KQL identifiers/values and sanitizing string literals.

alzimmermsft
alzimmermsft reviewed Apr 7, 2026
View reviewed changes
alzimmermsft
alzimmermsft reviewed Apr 7, 2026
View reviewed changes
vukelich
vukelich reviewed Apr 7, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@vukelich vukelich left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Couple early comments. Still more to read.

g2vinay
g2vinay reviewed Apr 7, 2026
View reviewed changes
@github-project-automation github-project-automation bot moved this from Untriaged to In Progress in Azure MCP Server Apr 7, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@conniey conniey conniey left review comments

Copilot code review Copilot Copilot left review comments

@g2vinay g2vinay g2vinay approved these changes

@KarishmaGhiya KarishmaGhiya KarishmaGhiya approved these changes

@xfz11 xfz11 Awaiting requested review from xfz11 xfz11 is a code owner

@wchigit wchigit Awaiting requested review from wchigit wchigit is a code owner

@kk-src kk-src Awaiting requested review from kk-src kk-src is a code owner

@mattkohnms mattkohnms Awaiting requested review from mattkohnms mattkohnms is a code owner

@ramnov ramnov Awaiting requested review from ramnov ramnov is a code owner

@jongio jongio Awaiting requested review from jongio jongio is a code owner

@srnagar srnagar Awaiting requested review from srnagar srnagar is a code owner

@JacksonWeber JacksonWeber Awaiting requested review from JacksonWeber JacksonWeber is a code owner

@lzchen lzchen Awaiting requested review from lzchen lzchen is a code owner

@rads-1996 rads-1996 Awaiting requested review from rads-1996 rads-1996 is a code owner

@rajkumar-rangaraj rajkumar-rangaraj Awaiting requested review from rajkumar-rangaraj rajkumar-rangaraj is a code owner

@xiang17 xiang17 Awaiting requested review from xiang17 xiang17 is a code owner

@danield137 danield137 Awaiting requested review from danield137 danield137 is a code owner

@prvavill prvavill Awaiting requested review from prvavill prvavill is a code owner

@hallipr hallipr Awaiting requested review from hallipr hallipr is a code owner automatically assigned from microsoft/azure-mcp

@JonathanCrd JonathanCrd Awaiting requested review from JonathanCrd JonathanCrd is a code owner automatically assigned from microsoft/azure-mcp

@saikoumudi saikoumudi Awaiting requested review from saikoumudi saikoumudi is a code owner automatically assigned from microsoft/azure-mcp

@sandeep-sen sandeep-sen Awaiting requested review from sandeep-sen sandeep-sen is a code owner automatically assigned from microsoft/azure-mcp

@msalaman msalaman Awaiting requested review from msalaman msalaman is a code owner automatically assigned from microsoft/azure-mcp

@vukelich vukelich Awaiting requested review from vukelich

@alzimmermsft alzimmermsft Awaiting requested review from alzimmermsft

Assignees

No one assigned

Labels

tools-CosmosDB tools-Deploy tools-Kusto tools-Monitor tools-MySQL tools-Postgres PostgreSQL

Projects

Azure MCP Server
Status: In Progress

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@xiangyan99 @vukelich @g2vinay @KarishmaGhiya @conniey @alzimmermsft