
Add validation for Cosmos query command#524

Merged: xiangyan99 merged 24 commits into main from cosmos_validate_query on Oct 2, 2025

Conversation

@xiangyan99 xiangyan99 (Member) commented Sep 19, 2025

What does this PR do?


CosmosDB SQL has only SELECT statements based on the grammar. However, stored procs and triggers can be used to modify documents. Here's a reference: https://learn.microsoft.com/en-us/azure/cosmos-db/nosql/how-to-write-stored-procedures-triggers-udfs?tabs=javascript

Based on this, we add validation to block just those patterns.


GitHub issue number?


https://github.com/microsoft/mcp-pr/issues/10

Pre-merge Checklist

  • Required for All PRs
    • Read contribution guidelines
    • PR title clearly describes the change
    • Commit history is clean with descriptive messages (cleanup guide)
    • Added comprehensive tests for new/modified functionality
    • Updated servers/Azure.Mcp.Server/CHANGELOG.md and/or servers/Fabric.Mcp.Server/CHANGELOG.md for product changes (features, bug fixes, UI/UX, updated dependencies)
  • For MCP tool changes:
    • One tool per PR: This PR adds or modifies only one MCP tool for faster review cycles
    • Updated servers/Azure.Mcp.Server/README.md and/or servers/Fabric.Mcp.Server/README.md documentation
    • Updated command list in /docs/azmcp-commands.md and/or /docs/fabric-commands.md
    • For new or modified tool descriptions, ran ToolDescriptionEvaluator and obtained a score of 0.4 or more and a top 3 ranking for all related test prompts
  • Extra steps for Azure MCP Server tool changes:
    • Updated test prompts in /docs/e2eTestPrompts.md
    • 👉 For Community (non-Microsoft team member) PRs:
      • Security review: Reviewed code for security vulnerabilities, malicious code, or suspicious activities before running tests (crypto mining, spam, data exfiltration, etc.)
      • Manual tests run: added comment /azp run mcp - pullrequest - live to run Live Test Pipeline

@xiangyan99 xiangyan99 marked this pull request as ready for review September 22, 2025 22:21
@xiangyan99 xiangyan99 requested a review from a team as a code owner September 22, 2025 22:21
Copilot AI (Contributor) left a comment

Pull Request Overview

This PR adds validation for Cosmos DB query commands to ensure only safe, read-only SELECT statements can be executed. The validation prevents execution of potentially dangerous SQL operations like INSERT, UPDATE, DELETE, and DDL statements.

Key changes:

  • Implements a comprehensive CosmosQueryValidator class with security-focused query validation
  • Integrates validation into the ItemQueryCommand to validate user-provided queries
  • Adds extensive unit tests covering various query scenarios and edge cases

Reviewed Changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

Reviewed files:

  • tools/Azure.Mcp.Tools.Cosmos/src/Validation/CosmosQueryValidator.cs: New validator class that ensures only safe SELECT queries are allowed
  • tools/Azure.Mcp.Tools.Cosmos/src/Commands/ItemQueryCommand.cs: Integrates query validation for user-provided queries while skipping validation for default queries
  • tools/Azure.Mcp.Tools.Cosmos/tests/Azure.Mcp.Tools.Cosmos.UnitTests/CosmosQueryValidatorTests.cs: Comprehensive test suite covering valid queries, security threats, and edge cases
  • servers/Azure.Mcp.Server/CHANGELOG.md: Documents the addition of query validation feature
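The PR description (a query surface that only has SELECT, with writes reachable through other server-side mechanisms) and Copilot's overview (allow only read-only SELECT, refuse INSERT/UPDATE/DELETE/DDL, with attention to edge cases) describe the same gate. The C# below is an added illustration of that kind of gate and is not the project's CosmosQueryValidator; the class name ReadOnlyQueryGate, the keyword deny-list and the specific rules are this example's own assumptions, and the page does not show which patterns the real validator matches. It shows the two edge cases a validator like this has to get right: a write keyword that only appears inside a string literal (data, not a statement) must pass, and a property path such as c.update must not be mistaken for an UPDATE statement.

```csharp
using System;
using System.Text;
using System.Text.RegularExpressions;

// Added example, not the project's CosmosQueryValidator: a read-only gate for
// Cosmos DB NoSQL query text that accepts a single SELECT and rejects text that
// looks like a write or DDL statement. Keyword list and rules are assumptions
// made for this example.
public static class ReadOnlyQueryGate
{
    // Constructed deny-list. None of these are part of the Cosmos SELECT grammar,
    // so seeing one outside a string literal means the text is not a plain read.
    // REPLACE is deliberately absent: it is a legitimate Cosmos string function.
    private static readonly string[] BlockedKeywords =
    {
        "INSERT", "UPDATE", "DELETE", "UPSERT", "MERGE",
        "CREATE", "DROP", "ALTER", "TRUNCATE", "EXEC", "EXECUTE",
    };

    // Returns null when the query passes, otherwise the reason it was rejected.
    public static string? Validate(string query)
    {
        if (string.IsNullOrWhiteSpace(query))
            return "query is empty";

        // Inspect a copy with string literals blanked out, so that data such as
        // WHERE c.status = 'DELETE' is not mistaken for a DELETE statement.
        string? code = BlankStringLiterals(query);
        if (code == null)
            return "unterminated string literal";
        code = code.Trim();

        if (code.Contains(';'))
            return "only a single statement is allowed";

        if (!Regex.IsMatch(code, @"^SELECT\b", RegexOptions.IgnoreCase))
            return "query must be a SELECT statement";

        foreach (string keyword in BlockedKeywords)
        {
            // Whole-word match. A hit preceded by '.' is a property path
            // (c.update), not a statement, so the lookbehind lets it through.
            var pattern = new Regex(@"(?<![\w.])" + keyword + @"\b", RegexOptions.IgnoreCase);
            if (pattern.IsMatch(code))
                return $"keyword {keyword} is not allowed in a read-only query";
        }

        return null;
    }

    // Replaces the contents of '...' and "..." literals with spaces, honouring
    // backslash escapes so an escaped quote does not end the literal early.
    // Returns null if a literal is still open at the end of the text.
    private static string? BlankStringLiterals(string query)
    {
        var sb = new StringBuilder(query.Length);
        char quote = '\0';
        for (int i = 0; i < query.Length; i++)
        {
            char ch = query[i];
            if (quote == '\0')
            {
                if (ch == '\'' || ch == '"') quote = ch;
                sb.Append(ch);
            }
            else if (ch == '\\' && i + 1 < query.Length)
            {
                sb.Append("  ");
                i++;
            }
            else if (ch == quote)
            {
                quote = '\0';
                sb.Append(ch);
            }
            else
            {
                sb.Append(' ');
            }
        }
        return quote == '\0' ? sb.ToString() : null;
    }

    public static void Main()
    {
        // Constructed sample queries for this example.
        string[] samples =
        {
            "SELECT * FROM c WHERE c.status = 'DELETE'",            // passes: keyword only inside data
            "SELECT c.update FROM c",                               // passes: property path
            "  select top 10 c.id from c",                          // passes: case and whitespace tolerant
            "SELECT * FROM c; DELETE FROM c",                       // rejected: multiple statements
            "DELETE FROM c WHERE c.id = '1'",                       // rejected: not a SELECT
            "SELECT * FROM c WHERE c.id = '1' UPDATE c SET x = 1",  // rejected: write keyword
            "SELECT * FROM c WHERE c.id = 'unterminated",           // rejected: open literal
        };
        foreach (string s in samples)
            Console.WriteLine($"{Validate(s) ?? "OK"}  <-  {s}");
    }
}
```

The allow-first rule (must begin with SELECT, single statement) does the real work; the keyword deny-list is defence in depth for text that the query engine would reject anyway. Blanking literals before matching is what keeps the gate from refusing legitimate reads whose data happens to contain a keyword, which is the kind of false positive a test suite for such a validator should pin down alongside the rejection cases.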

@xiangyan99 xiangyan99 mentioned this pull request Sep 23, 2025
@xiangyan99 xiangyan99 requested a review from neildsh October 1, 2025 17:58
@xiangyan99 xiangyan99 (Member Author) commented

/check-enforcer reset

@scbedd scbedd (Contributor) commented Oct 2, 2025

/azp run mcp - pullrequest

@scbedd scbedd (Contributor) commented Oct 2, 2025

/azp run mcp - pullrequest - live

@azure-pipelines commented

Azure Pipelines successfully started running 1 pipeline(s).

1 similar comment

@xiangyan99 xiangyan99 merged commit 92a8757 into main Oct 2, 2025
24 checks passed
@xiangyan99 xiangyan99 deleted the cosmos_validate_query branch October 2, 2025 23:58
@github-project-automation github-project-automation Bot moved this from Untriaged to Done in Azure MCP Server Oct 2, 2025
colbytimm pushed a commit to colbytimm/microsoft-mcp that referenced this pull request Dec 8, 2025
* Add validation for query command

* update

* update

* update

* update

* update

* update

* update

* Add validation for query command

* update

* update

* update

* update

* update

* updates

* update

* update

* update

* update

Labels

server-Azure.Mcp Azure.Mcp.Server

Projects

Status: Done


5 participants