Skip to content

MySQL security enhancement#2108

Merged
vcolin7 merged 2 commits into
release/azure/1.xfrom
mysql_security_enhancement_1.x
Mar 18, 2026
Merged

MySQL security enhancement#2108
vcolin7 merged 2 commits into
release/azure/1.xfrom
mysql_security_enhancement_1.x

Conversation

@xiangyan99
Copy link
Copy Markdown
Member

@xiangyan99 xiangyan99 commented Mar 18, 2026

What does this PR do?

[Provide a clear, concise description of the changes]

[Any additional context, screenshots, or information that helps reviewers]

  1. Disallow comments
  2. Disallow keywords: UNION/INTERSECT/EXCEPT

GitHub issue number?

[Link to the GitHub issue this PR addresses]

Pre-merge Checklist

  • Required for All PRs
    • Read contribution guidelines
    • PR title clearly describes the change
    • Commit history is clean with descriptive messages (cleanup guide)
    • Added comprehensive tests for new/modified functionality
    • Updated servers/Azure.Mcp.Server/CHANGELOG.md and/or servers/Fabric.Mcp.Server/CHANGELOG.md for product changes (features, bug fixes, UI/UX, updated dependencies)
  • For MCP tool changes:
    • One tool per PR: This PR adds or modifies only one MCP tool for faster review cycles
    • Updated servers/Azure.Mcp.Server/README.md and/or servers/Fabric.Mcp.Server/README.md documentation
    • Validate README.md changes using script at eng/scripts/Process-PackageReadMe.ps1. See Package README
    • Updated command list in /servers/Azure.Mcp.Server/docs/azmcp-commands.md and/or /docs/fabric-commands.md
    • Run .\eng\scripts\Update-AzCommandsMetadata.ps1 to update tool metadata in azmcp-commands.md (required for CI)
    • For new or modified tool descriptions, ran ToolDescriptionEvaluator and obtained a score of 0.4 or more and a top 3 ranking for all related test prompts
    • For tools with new names, including new tools or renamed tools, update consolidated-tools.json
    • For renamed tools, follow the Tool Rename Checklist and tag the PR with the breaking-change label
    • For new tools associated with Azure services or publicly available tools/APIs/products, add URL to documentation in the PR description
  • Extra steps for Azure MCP Server tool changes:
    • Updated test prompts in /servers/Azure.Mcp.Server/docs/e2eTestPrompts.md
    • 👉 For Community (non-Microsoft team member) PRs:
      • Security review: Reviewed code for security vulnerabilities, malicious code, or suspicious activities before running tests (crypto mining, spam, data exfiltration, etc.)
      • Manual tests run: added comment /azp run mcp - pullrequest - live to run Live Test Pipeline

Copilot AI review requested due to automatic review settings March 18, 2026 22:58
@xiangyan99 xiangyan99 requested review from a team, mattkohnms and ramnov as code owners March 18, 2026 22:58
@xiangyan99 xiangyan99 requested review from alzimmermsft, conniey, g2vinay, jongio, msalaman, saikoumudi and sandeep-sen and removed request for a team March 18, 2026 22:58
@xiangyan99 xiangyan99 mentioned this pull request Mar 18, 2026
Closed
21 tasks
Copilot AI reviewed Mar 18, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Enhances the MySQL query safety validator to reduce SQL-injection bypass vectors (notably comment-based obfuscation and set-operator exfiltration patterns) in the Azure MCP MySQL tool.

Changes:

  • Block SQL comments (--, #, /* ... */, and MySQL version comments /*!...*/) rather than stripping them.
  • Add set-operator keywords (UNION/INTERSECT/EXCEPT) to the MySQL dangerous keyword blocklist and switch keyword/function detection to regex-based word-boundary matching.
  • Expand unit tests to cover string-literal edge cases and add explicit tests for comment and set-operation rejection; update Azure MCP Server changelog entry.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File Description
tools/Azure.Mcp.Tools.MySql/src/Services/MySqlService.cs Updates query validation logic to reject comments and detect blocked keywords/functions via regex patterns.
tools/Azure.Mcp.Tools.MySql/tests/Azure.Mcp.Tools.MySql.UnitTests/Services/MySqlServiceQueryValidationTests.cs Adds/adjusts tests for comment rejection, set operations, and reduced false positives in string literals.
servers/Azure.Mcp.Server/CHANGELOG.md Documents the MySQL query validation security fix in the Unreleased changelog.

Comment thread tools/Azure.Mcp.Tools.MySql/src/Services/MySqlService.cs
Comment thread tools/Azure.Mcp.Tools.MySql/src/Services/MySqlService.cs
Comment thread tools/Azure.Mcp.Tools.MySql/src/Services/MySqlService.cs
vcolin7
vcolin7 reviewed Mar 18, 2026
View reviewed changes
Comment thread servers/Azure.Mcp.Server/CHANGELOG.md Outdated
@xiangyan99 @vcolin7
Update servers/Azure.Mcp.Server/CHANGELOG.md
0b5f572 
Co-authored-by: vcolin7 <victor.y.asi@gmail.com>
@github-project-automation github-project-automation Bot moved this from Untriaged to In Progress in Azure MCP Server Mar 18, 2026
@vcolin7 vcolin7 merged commit 4997491 into release/azure/1.x Mar 18, 2026
13 checks passed
@vcolin7 vcolin7 deleted the mysql_security_enhancement_1.x branch March 18, 2026 23:42
@github-project-automation github-project-automation Bot moved this from In Progress to Done in Azure MCP Server Mar 18, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@vcolin7 vcolin7 vcolin7 approved these changes

@ramnov ramnov Awaiting requested review from ramnov ramnov is a code owner

@mattkohnms mattkohnms Awaiting requested review from mattkohnms mattkohnms is a code owner

@jongio jongio Awaiting requested review from jongio jongio is a code owner automatically assigned from microsoft/azure-mcp

@g2vinay g2vinay Awaiting requested review from g2vinay g2vinay is a code owner automatically assigned from microsoft/azure-mcp

@conniey conniey Awaiting requested review from conniey conniey is a code owner automatically assigned from microsoft/azure-mcp

@saikoumudi saikoumudi Awaiting requested review from saikoumudi saikoumudi is a code owner automatically assigned from microsoft/azure-mcp

@sandeep-sen sandeep-sen Awaiting requested review from sandeep-sen sandeep-sen is a code owner automatically assigned from microsoft/azure-mcp

@msalaman msalaman Awaiting requested review from msalaman msalaman is a code owner automatically assigned from microsoft/azure-mcp

@alzimmermsft alzimmermsft Awaiting requested review from alzimmermsft alzimmermsft is a code owner automatically assigned from microsoft/azure-mcp

Assignees

No one assigned

Labels

tools-MySQL

Projects

Azure MCP Server
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@xiangyan99 @vcolin7