
Security: LLM-generated SQL is executed without safety controls #193

Open
tomaioo wants to merge 1 commit into Arindam200:main from tomaioo:contribai/fix/security/llm-generated-sql-is-executed-without-sa

Conversation


@tomaioo tomaioo commented Apr 10, 2026


Summary

Security: LLM-generated SQL is executed without safety controls

Problem

Severity: High | File: mcp_ai_agents/telemetry-mcp-okahu/main.py:L34

The /query endpoint generates SQL from natural language (generate_sql) and executes it (execute_query) without validation/sandboxing. Prompt injection or model errors can produce harmful SQL statements.

Solution

Introduce SQL safety gates before execution: parse and enforce read-only statements, block DDL/DML, enforce table/column allowlists, and run with least-privilege DB credentials.

Changes

  • mcp_ai_agents/telemetry-mcp-okahu/main.py (modified)

Testing

  • Existing tests pass
  • Manual review completed
  • No new warnings/errors introduced

The `/query` endpoint generates SQL from natural language (`generate_sql`) and executes it (`execute_query`) without validation/sandboxing. Prompt injection or model errors can produce harmful SQL statements.

Affected files: main.py

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
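An added example (not the PR's code) of the kind of gate the Solution paragraph describes: one read-only SELECT/WITH statement, comment markers and extra statements rejected at token level so a string literal containing `;` or `--` is not a false positive, DDL/DML keywords blocked, and every table after FROM/JOIN (CTE names excepted) checked against an allowlist. The `spans`/`traces` allowlist, the keyword list and the `(ok, detail)` return shape are assumptions for the example; a caller would map a False result to the PR's `HTTPException(status_code=400, ...)`.

```python
import re

# Constructed allowlist for this example; a deployment lists the telemetry tables /query may expose.
ALLOWED_TABLES = {"spans", "traces"}
BLOCKED_KEYWORDS = {"insert", "update", "delete", "drop", "alter", "create", "truncate",
                    "grant", "revoke", "merge", "replace", "call", "exec", "execute"}
# Keywords that end a FROM table list, so commas after them no longer introduce tables.
CLAUSE_RESET = {"select", "where", "on", "using", "group", "order", "having", "limit", "union"}
TOKEN_RE = re.compile(r"""'(?:[^']|'')*'   # string literal ('' escapes a quote)
    | "(?:[^"]|"")*"                       # quoted identifier
    | --  | /\*                            # comment openers
    | [A-Za-z_][A-Za-z0-9_.]*              # word or schema.table
    | \S""", re.VERBOSE)


def check_readonly_sql(sql: str, allowed_tables=ALLOWED_TABLES) -> tuple[bool, str]:
    """Return (True, normalized_query) for one read-only statement over allowed tables,
    otherwise (False, reason); the caller maps a False result to HTTP 400."""
    query = sql.strip()
    if query.endswith(";"):                 # tolerate a single trailing separator
        query = query[:-1].rstrip()
    if not query:
        return False, "generated SQL is empty"
    tokens = TOKEN_RE.findall(query)
    low = [t.lower() for t in tokens]
    if low[0] not in ("select", "with"):
        return False, "only SELECT/WITH statements are allowed"
    if any(t in ("--", "/*", ";", "'", '"') for t in tokens):
        return False, "comments, extra statements or unbalanced quotes are not allowed"
    hit = BLOCKED_KEYWORDS.intersection(low)  # a literal is one token, so 'drop' inside it is no hit
    if hit:
        return False, f"blocked keyword: {sorted(hit)[0]}"
    # CTE names (`name AS (`) may be read like tables without being on the allowlist.
    ctes = {low[i] for i in range(len(low) - 2) if low[i + 1] == "as" and tokens[i + 2] == "("}
    clause = None
    for i, tok in enumerate(low):
        if tok in CLAUSE_RESET:
            clause = None
        if tok in ("from", "join") or (tok == "," and clause == "from"):
            clause = "from"
            nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
            if nxt != "(":                  # "(" opens a subquery; its own FROM is checked in turn
                name = nxt.split(".")[-1]
                name = name[1:-1] if name.startswith('"') else name.lower()
                if name not in allowed_tables and name not in ctes:
                    return False, f"table not on allowlist: {nxt}"
    return True, query
```

This is a token filter, not a SQL parser, so it belongs in front of the least-privilege, read-only database credentials the description also calls for rather than in place of them.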
raise HTTPException(status_code=400, detail="Generated SQL query is empty")
if "--" in normalized_query or "/*" in normalized_query or "*/" in normalized_query:
raise HTTPException(status_code=400, detail="Generated SQL query contains blocked SQL patterns")
if ";" in normalized_query[:-1]:
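Review bot: the `--`, `/*`, `*/` and `;` checks here operate on the raw query string, so a SELECT whose string literal contains one of those sequences (for example `WHERE name = 'a--b'`) is rejected as a false positive; that is the right way for a gate to fail, but say so in a comment, and add one explaining that `normalized_query[:-1]` deliberately tolerates exactly one trailing semicolon while rejecting any embedded one, because without it the slice reads like an off-by-one.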


WARNING: Redundant semicolon check

The condition if ";" in normalized_query[:-1] (line 53) is redundant because if the query ends with a semicolon, it gets stripped at line 56. This check will incorrectly reject valid single-statement queries with trailing semicolons. Remove line 53 and let line 55 handle trailing semicolons.

raise HTTPException(status_code=400, detail="Only read-only SELECT queries are allowed")
for keyword in DISALLOWED_SQL_KEYWORDS:
if re.search(rf"\b{keyword}\b", lowered_query):
raise HTTPException(status_code=400, detail=f"Generated SQL query contains blocked keyword: {keyword}")
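Review bot: each entry of DISALLOWED_SQL_KEYWORDS is interpolated into the pattern unescaped; wrap it in `re.escape(keyword)` so a future entry containing regex metacharacters cannot widen or break the match. The `\b` search also matches keywords inside string literals and bare column names (false positives, acceptable for a fail-closed filter), and the list itself is defined outside this hunk while the table/column allowlist promised in the description does not appear in the diff, so a comment should state which of the description's gates this loop actually implements.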


SUGGESTION: Regex could be more precise

The keyword check uses \b word boundaries (line 62), which works but might have edge cases. Consider using lookarounds for clearer keyword detection or adding additional checks for common injection patterns like subqueries or stored procedures.

if normalized_query.endswith(";"):
normalized_query = normalized_query[:-1].strip()
lowered_query = normalized_query.lower()
if not re.match(r"^(select|with)\b", lowered_query):
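Review bot: the prefix test `^(select|with)\b` admits any statement that begins with WITH, and a CTE body is not limited to SELECT in every SQL dialect, so the read-only property rests on the keyword loop and on executing with the least-privilege, read-only database credentials the description calls for, not on this match alone; record that dependency in a comment next to the check so a later refactor does not drop the other gates.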


SUGGESTION: Case-insensitive regex could fail for edge cases

The regex r"^(select|with)\b" (line 58) works with .lower(), which handles case-insensitive matching. However, this pattern might fail for edge cases like queries starting with multiple keywords or with unusual spacing. Consider a more robust pattern or use a SQL parsing library for production use.


kilo-code-bot Bot commented Apr 10, 2026


Code Review Summary

Status: 1 Issue Found | Recommendation: Address before merge

Overview

Severity   | Count
WARNING    | 1
SUGGESTION | 2

Issue Details

WARNING

File | Line | Issue
mcp_ai_agents/telemetry-mcp-okahu/main.py | 53 | Redundant semicolon check creates false positives
Other Observations (not in diff)

Issues found in unchanged code that cannot receive inline comments:

File | Line | Issue
mcp_ai_agents/telemetry-mcp-okahu/main.py | 85 | Input from generate_sql() is executed without sandboxing the table/column lists. The current validation blocks only keywords but doesn't prevent access to arbitrary tables/columns. Consider using a SQL parser to extract table names and enforce allowlist.
Files Reviewed (1 file)
  • mcp_ai_agents/telemetry-mcp-okahu/main.py - 1 warning, 2 suggestions

Reviewed by glm-4.7-flash-20260119 · 147,200 tokens
