mcp-server

Critical SQL Injection Risk: The `query_data` tool (used in `tools/sql.py` and potentially injected into `data_apps`) directly passes user-provided SQL queries to the backend without explicit sanitization by the tool itself. If AI agents construct these queries from untrusted user input, it creates a severe SQL injection vulnerability. High Arbitrary Code Execution Risk: The `modify_data_app` tool accepts `source_code` as input, which is then executed as a Streamlit application. An AI agent, if compromised or given malicious instructions, could inject arbitrary Python code into these data apps, potentially leading to unauthorized actions within the sandboxed environment. Medium OAuth Redirect URI Whitelist Concerns: The OAuth provider validates `https` redirect URIs against a predefined whitelist but allows arbitrary custom URI schemes. While custom schemes typically require client-side registration, this approach could be exploited if a local system has a vulnerable handler for a custom scheme or if the `https` whitelist is incomplete. Low Risk from Debugging Flag: The `KEBOOLA_MCP_SERVER_OAUTH_LOG_ALL` environment variable, if enabled in a production environment, could expose sensitive OAuth token details in server logs.