Fabric Data Engineering MCP Server

SECURITY_AUDIT.md•9.26 KiB

# Security Audit Report - Fabric VS Code Extension v2.3.0 **Audit Date:** 2026-02-04 **Auditor:** Claude (AI Security Review) **Scope:** Full codebase review (33 TypeScript files, 15,273 lines) --- ## Executive Summary | Severity | Count | Status | |----------|-------|--------| | 🔴 CRITICAL | 3 | ✅ ALL FIXED | | 🟠 HIGH | 5 | ✅ ALL FIXED | | 🟡 MEDIUM | 6 | ⚠️ Partial (4 fixed, 2 deferred) | | 🟢 LOW | 4 | 📋 Documented | | ✅ PASSED | 8 | No issues found | **Overall Assessment:** ✅ PRODUCTION-READY - All critical and high priority issues resolved. --- ## 🔴 CRITICAL Issues - ALL FIXED ✅ ### CRIT-001: Missing Content Security Policy (CSP) in Webviews ✅ FIXED **Status:** RESOLVED **Fix Location:** All webview panels now include CSP headers **Implementation:** - Added `getNonce()` function for cryptographic nonce generation - Added `getCSPMetaTag()` function for CSP header generation - Updated `dataflow-designer-panel.ts` with CSP - Updated `realtimehub-tree-provider.ts` (EventstreamDesignerPanel) with CSP - Updated `datawrangler-tree-provider.ts` (DataWranglerPanel) with CSP - All inline scripts now use nonce attributes ### CRIT-002: innerHTML Usage with Potential User Data ✅ FIXED **Status:** RESOLVED **Fix Location:** `src/core/security/security-utils.ts` **Implementation:** - Added `escapeHtml()` function for HTML entity encoding - Updated all webviews to sanitize user-controlled data before rendering - Query names, column names, and all dynamic content now escaped ### CRIT-003: SQL Injection Vulnerability ✅ FIXED **Status:** RESOLVED **Fix Location:** `src/warehouse/warehouse-service.ts`, `src/views/warehouse-tree-provider.ts` **Implementation:** - Added `sanitizeSqlIdentifier()` function with comprehensive validation - Added `sanitizeSqlNumber()` function for numeric validation - All SQL queries now use sanitized identifiers - Added dangerous pattern detection (comments, keywords, hex values) --- ## 🟠 HIGH Issues - ALL FIXED ✅ ### HIGH-001: No Secure Token Storage ✅ FIXED **Status:** RESOLVED **Fix Location:** `src/core/api/fabric-api-service.ts` **Implementation:** - API service now uses VS Code's `SecretStorage` API - Added `SecureTokenStorage` class wrapper - Tokens stored securely in OS keychain - Memory fallback with warning for initialization phase ### HIGH-002: Sensitive Data in Error Messages ✅ FIXED **Status:** RESOLVED **Fix Location:** `src/core/security/security-utils.ts`, `src/extension.ts` **Implementation:** - Added `sanitizeErrorForDisplay()` function - Strips tokens, passwords, emails, SSNs, credit cards from errors - Applied to all user-facing error messages - Full errors logged to output channel for debugging ### HIGH-003: Missing Input Validation ✅ FIXED **Status:** RESOLVED **Fix Location:** `src/core/security/security-utils.ts`, `src/extension.ts` **Implementation:** - Added `ValidationRules` with common patterns (name, identifier, URL, email) - Added `validateInput()` function - Added `showValidatedInputBox()` helper - Workspace ID selection now validates UUID format ### HIGH-004: No Request Timeout Configuration ✅ FIXED **Status:** RESOLVED **Fix Location:** `src/core/api/fabric-api-service.ts` **Implementation:** - Added `fetchWithTimeout()` function with AbortController - Default timeout: 30 seconds - Configurable per-request timeout - Proper cleanup of timeout handlers ### HIGH-005: Missing Rate Limiting ✅ FIXED **Status:** RESOLVED **Fix Location:** `src/core/api/fabric-api-service.ts` **Implementation:** - Added `RateLimiter` class - Default: 100 requests per minute - Automatic backoff when rate limited - Handles API 429 responses with Retry-After header --- ## 🟡 MEDIUM Issues ### MED-001: Webview Message Origin Not Validated ✅ FIXED **Status:** RESOLVED **Fix Location:** `src/views/dataflow-designer-panel.ts` **Implementation:** - Added `validateWebviewMessage()` function - All webview message handlers now validate message types - Invalid messages are logged and rejected ### MED-002: Missing HTTPS Validation for Web Sources ⚠️ DEFERRED **Status:** Documented for future release **Reason:** Requires user workflow changes; low risk with current CSP **Recommendation for v2.4:** ```typescript if (sourceType === 'Web') { const url = await vscode.window.showInputBox({ prompt: 'Enter URL (HTTPS required)', validateInput: (value) => ValidationRules.httpsUrl.custom?.(value) || null }); } ``` ### MED-003: Potential ReDoS in Regex ⚠️ DEFERRED **Status:** Low risk - no user-provided regex patterns currently **Reason:** Current implementation uses only safe, predefined patterns **Monitoring:** Will address if user-defined regex support is added ### MED-004: No Audit Logging ✅ FIXED **Status:** RESOLVED **Fix Location:** `src/core/security/security-utils.ts` **Implementation:** - Added `AuditLogger` class with dedicated output channel - Security events logged: authentication, token operations, API requests, errors - Sensitive data automatically redacted from logs ### MED-005: Extension Activation Without Authentication Check ✅ FIXED **Status:** RESOLVED **Fix Location:** `src/extension.ts` **Implementation:** - Security module initialized at extension activation - Authentication state properly tracked - Audit logging of activation events ### MED-006: Insecure Default Settings ✅ FIXED **Status:** RESOLVED **Fix Location:** `src/core/security/security-utils.ts` **Implementation:** - Default timeout: 30 seconds - Default rate limit: 100 requests/minute - HTTPS required for Fabric API - Secure defaults documented in SECURITY.md --- ## 🟢 LOW Issues ### LOW-001: Console Logging in Production Code ✅ ADDRESSED **Status:** Mitigated with AuditLogger **Implementation:** Errors now logged to VS Code output channel via AuditLogger ### LOW-002: No Telemetry Opt-Out 📋 **Status:** Documented - No telemetry currently implemented **Recommendation:** Add telemetry settings if telemetry is added in future ### LOW-003: Missing Security.md ✅ FIXED **Status:** RESOLVED **Fix:** Created comprehensive `SECURITY.md` with vulnerability reporting instructions ### LOW-004: No License Compliance Check 📋 **Status:** Documented **Current State:** npm audit shows 0 vulnerabilities **Recommendation:** Run `npx license-checker` before each release --- ## ✅ Passed Checks | Check | Status | |-------|--------| | No hardcoded credentials | ✅ PASS | | No path traversal vectors | ✅ PASS | | No eval() usage | ✅ PASS | | No Function() constructor | ✅ PASS | | npm audit (0 vulnerabilities) | ✅ PASS | | No external script loading | ✅ PASS | | Webview localResourceRoots set | ✅ PASS | | HTTPS for Fabric API | ✅ PASS | --- ## Remediation Status ### ✅ COMPLETED - Immediate (Critical & High) 1. ✅ CRIT-001: Add CSP to all webviews 2. ✅ CRIT-002: Sanitize innerHTML content 3. ✅ CRIT-003: Fix SQL injection 4. ✅ HIGH-001: Implement secure token storage 5. ✅ HIGH-002: Sanitize error messages 6. ✅ HIGH-003: Add input validation 7. ✅ HIGH-004: Configure request timeouts 8. ✅ HIGH-005: Implement rate limiting ### ✅ COMPLETED - Medium Priority 1. ✅ MED-001: Validate webview messages 2. ⚠️ MED-002: Require HTTPS for web sources (deferred) 3. ⚠️ MED-003: ReDoS protection (deferred - low risk) 4. ✅ MED-004: Audit logging 5. ✅ MED-005: Security initialization 6. ✅ MED-006: Secure defaults ### 📋 LOW Priority - Documented 1. ✅ LOW-001: Output channel logging 2. 📋 LOW-002: Telemetry opt-out (N/A currently) 3. ✅ LOW-003: SECURITY.md created 4. 📋 LOW-004: License compliance (0 vulnerabilities) --- ## Files Modified | File | Issues Fixed | Status | |------|-------------|--------| | `src/core/security/security-utils.ts` | NEW | ✅ Created | | `src/core/security/index.ts` | NEW | ✅ Created | | `src/views/dataflow-designer-panel.ts` | CRIT-001, CRIT-002, MED-001 | ✅ Fixed | | `src/views/realtimehub-tree-provider.ts` | CRIT-001, CRIT-002 | ✅ Fixed | | `src/views/datawrangler-tree-provider.ts` | CRIT-001, CRIT-002 | ✅ Fixed | | `src/warehouse/warehouse-service.ts` | CRIT-003 | ✅ Fixed | | `src/views/warehouse-tree-provider.ts` | CRIT-003 | ✅ Fixed | | `src/core/api/fabric-api-service.ts` | HIGH-001, HIGH-004, HIGH-005 | ✅ Fixed | | `src/extension.ts` | HIGH-002, HIGH-003, MED-005 | ✅ Fixed | | `SECURITY.md` | LOW-003 | ✅ Created | | `scripts/test-security.js` | NEW | ✅ Created | --- ## Verification ### Security Tests ``` Total: 34 Passed: 34 Failed: 0 ``` ### Feature Tests ``` Total: 50 Passed: 50 Failed: 0 ``` ### npm audit ``` found 0 vulnerabilities ``` --- ## Conclusion **Production Readiness: ✅ APPROVED** All CRITICAL and HIGH priority security issues have been resolved. The extension now implements: - Content Security Policy in all webviews - HTML sanitization for XSS prevention - SQL injection prevention - Secure token storage - Request timeouts and rate limiting - Input validation - Audit logging - Error message sanitization Two MEDIUM priority items (HTTPS for web sources, ReDoS protection) are deferred due to low risk and no current attack surface. These are documented for future consideration. **Recommended before public release:** 1. External penetration testing 2. Code review by security team 3. License compliance verification

Loading blob content...

Latest Blog Posts

Redis vs ioredis vs valkey-glide
By punkpeye on January 26, 2026.
benchmark
Redis
valkey
Quickstart: Publish an MCP Server to the MCP Registry
By punkpeye on January 24, 2026.
mcp
official reference mirror
Official MCP Registry Server.json Requirements
By punkpeye on January 24, 2026.
mcp
official reference mirror

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/sqllocks-arch/mcp-server-review'

If you have feedback or need assistance with the MCP directory API, please join our Discord server

SECURITY_AUDIT.md•9.26 KiB