Summary
Every AI tool definition has .skip_permission(true). While most tools are read-only, run_query passes AI-generated SQL directly to the database executor with zero validation — the AI can execute DROP TABLE, DELETE, or any destructive statement.
Location
src-tauri/crates/mas-ai/src/tools.rs
- Lines 14, 24, 35, 46, 56, 66, 76: `.skip_permission(true)` on every tool
- Line 186: `handle_run_select_query` — validates that the SQL must start with SELECT/SHOW/DESCRIBE/EXPLAIN (safe)
- Line 218: `handle_run_query` — passes AI-generated SQL directly, no validation at all
Impact
- In Agent/Plan mode, the AI can execute arbitrary destructive SQL on the connected database
- Even with a confirmation dialog, `skip_permission(true)` means tools auto-approve
- A single bad AI suggestion could drop tables or delete data
Fix
- Remove `.skip_permission(true)` from the `run_query` tool to require user confirmation
- For the `run_query` tool, consider:
  - Whitelisting safe statement types (similar to `run_select_query`)
  - Requiring explicit user confirmation for DDL/DML via a permission dialog
  - Giving the user visibility into what SQL will be executed BEFORE approving
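One way to implement the whitelist-plus-confirmation approach suggested above, written here as an added example rather than code from this repository. `StatementClass`, `classify_statement` and `gate` are assumed names, and the example assumes the caller has already displayed the exact SQL to the user before passing `user_confirmed`.

```rust
// Added example (not the project's own code): a gate run_query could consult before
// passing AI-generated SQL to the executor. All names below are hypothetical.
#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub enum StatementClass {
    ReadOnly, // SELECT / SHOW / DESCRIBE / EXPLAIN: what run_select_query already accepts
    Mutating, // DDL or DML: executes only after the user has seen the exact SQL and confirmed
    Rejected, // unknown keyword or a multi-statement batch: never executed
}

/// Skip leading whitespace and comments so "-- note\nDROP TABLE t" is not read as safe.
fn strip_leading_comments(sql: &str) -> &str {
    let mut s = sql.trim_start();
    loop {
        if let Some(rest) = s.strip_prefix("--") {
            s = rest.split_once('\n').map_or("", |(_, r)| r).trim_start();
        } else if let Some(rest) = s.strip_prefix("/*") {
            s = rest.split_once("*/").map_or("", |(_, r)| r).trim_start();
        } else {
            return s;
        }
    }
}

pub fn classify_statement(sql: &str) -> StatementClass {
    let body = strip_leading_comments(sql);
    // A prefix check alone is bypassed by "SELECT 1; DROP TABLE t", so any interior ';'
    // is refused (conservative: a ';' inside a string literal is refused too).
    if body.trim_end().trim_end_matches(';').contains(';') {
        return StatementClass::Rejected;
    }
    let keyword = body.split(|c: char| c.is_whitespace() || c == '(').next().unwrap_or("");
    match keyword.to_ascii_uppercase().as_str() {
        "SELECT" | "SHOW" | "DESCRIBE" | "EXPLAIN" => StatementClass::ReadOnly,
        "INSERT" | "UPDATE" | "DELETE" | "MERGE" => StatementClass::Mutating,
        "CREATE" | "ALTER" | "DROP" | "TRUNCATE" | "RENAME" => StatementClass::Mutating,
        _ => StatementClass::Rejected,
    }
}

/// Decision the tool layer acts on: Ok means execute, Err carries the reason not to.
pub fn gate(sql: &str, user_confirmed: bool) -> Result<(), String> {
    match classify_statement(sql) {
        StatementClass::ReadOnly => Ok(()),
        StatementClass::Mutating if user_confirmed => Ok(()),
        StatementClass::Mutating => Err(format!("confirmation required for: {}", sql)),
        StatementClass::Rejected => Err("statement type not allowed".to_string()),
    }
}
```

A read-only statement passes without a prompt, DDL/DML is held until the user has confirmed the displayed SQL, and anything else (including batches) is refused even if confirmed.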