# Security Policy
## Supported Versions
| Version | Supported |
| ------- | ------------------ |
| 2.3.x | :white_check_mark: |
| < 2.3 | :x: |
## Security Features
This extension implements the following security measures:
### Authentication & Authorization
- **Secure Token Storage**: Authentication tokens are stored using VS Code's SecretStorage API, which leverages the operating system's secure keychain
- **Token Expiration**: Tokens are automatically invalidated after expiration
- **Token Clearing**: Tokens are properly cleared on sign-out
### Input Validation
- **SQL Injection Prevention**: All SQL identifiers are sanitized before query construction
- **XSS Prevention**: All user-controlled data is HTML-escaped in webviews
- **Input Validation**: User inputs are validated for format and content
### Network Security
- **HTTPS Only**: All API communications use HTTPS
- **Request Timeouts**: All API requests have configurable timeouts (default 30s)
- **Rate Limiting**: Built-in rate limiting prevents API abuse
- **Error Sanitization**: Sensitive data is stripped from error messages
### Webview Security
- **Content Security Policy (CSP)**: All webviews implement strict CSP headers
- **Nonce-based Scripts**: Inline scripts use cryptographic nonces
- **Message Validation**: Webview messages are validated before processing
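The three webview measures above fit together as shown in this added example, which is not the extension's own code. The helper names, the `openTable` command and its name pattern are assumptions made for illustration; `webview.cspSource` and `acquireVsCodeApi()` are the standard VS Code webview APIs.

```javascript
// Added illustration; helper names are hypothetical, not the extension's code.
// Web Crypto is a global in Node 19+; older Node falls back to node:crypto.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

// A fresh 128-bit nonce per render, so injected markup cannot guess it.
function makeNonce() {
  return Buffer.from(webcrypto.getRandomValues(new Uint8Array(16))).toString('base64');
}

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// cspSource is the value VS Code exposes as webview.cspSource (trusted input).
function renderWebviewHtml({ cspSource, nonce, title, rows }) {
  const csp = [
    "default-src 'none'",             // deny everything not listed below
    `style-src ${cspSource}`,         // stylesheets from the extension only
    `img-src ${cspSource} https:`,
    `script-src 'nonce-${nonce}'`,    // only script tags carrying this nonce run
  ].join('; ');
  const items = rows.map((r) => `<li>${escapeHtml(r)}</li>`).join('');
  return `<!DOCTYPE html>
<html><head>
<meta http-equiv="Content-Security-Policy" content="${csp}">
<title>${escapeHtml(title)}</title>
</head><body><ul>${items}</ul>
<script nonce="${nonce}">acquireVsCodeApi().postMessage({ command: 'ready' });</script>
</body></html>`;
}

// Allowlist: known commands only, each field checked, unknown fields dropped.
const MESSAGE_SCHEMA = {
  ready: {},
  openTable: { name: (v) => typeof v === 'string' && /^[A-Za-z_][A-Za-z0-9_]{0,127}$/.test(v) },
};
function validateMessage(msg) {
  if (msg === null || typeof msg !== 'object' || Array.isArray(msg)) return null;
  if (typeof msg.command !== 'string' || !Object.hasOwn(MESSAGE_SCHEMA, msg.command)) return null;
  const clean = { command: msg.command };
  for (const [key, check] of Object.entries(MESSAGE_SCHEMA[msg.command])) {
    if (!check(msg[key])) return null;   // reject the whole message on any bad field
    clean[key] = msg[key];
  }
  return clean;
}
```

In an extension, the handler registered with `webview.onDidReceiveMessage` would act only on the object `validateMessage` returns and ignore the message when it returns `null`.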
### Audit & Logging
- **Security Event Logging**: Security-relevant events are logged
- **Sensitive Data Redaction**: Tokens and credentials are never logged
## Reporting a Vulnerability
If you discover a security vulnerability in this extension, please report it responsibly:
1. **DO NOT** create a public GitHub issue for security vulnerabilities
2. Email security details to: [security@fabrictools.dev]
3. Include:
   - Description of the vulnerability
   - Steps to reproduce
   - Potential impact
   - Suggested fix (if any)
### What to Expect
- **Response Time**: We aim to respond within 48 hours
- **Status Updates**: Weekly updates on investigation progress
- **Resolution**: Critical vulnerabilities are prioritized for immediate patching
- **Credit**: Security researchers will be credited (unless anonymity is requested)
## Security Best Practices for Users
1. **Keep Extension Updated**: Always use the latest version
2. **Review Permissions**: Understand what permissions the extension requires
3. **Sign Out**: Sign out when not using the extension
4. **Workspace Access**: Only grant access to workspaces you need
5. **Report Issues**: Report any suspicious behavior immediately
## Security Checklist for Contributors
Before submitting a PR, ensure:
- [ ] No hardcoded credentials or secrets
- [ ] All user inputs are validated
- [ ] SQL queries use parameterization or identifier sanitization
- [ ] HTML content is properly escaped
- [ ] Webviews include CSP headers
- [ ] Error messages don't expose sensitive data
- [ ] New dependencies are security-audited
- [ ] No `eval()` or `Function()` usage
- [ ] No `innerHTML` with unsanitized content
## Compliance
This extension is designed to comply with:
- OWASP Security Guidelines
- VS Code Extension Security Best Practices
- Microsoft Fabric API Security Requirements