rasta26/azure_log_mcp
highloganalytics mcp server
MCP server (purpose undetermined)
283 elif name == "export_results":
284 workspace_id = arguments["workspace_id"]
285 query = arguments["query"]
286 filename = arguments["filename"]
287 format_type = arguments.get("format", "csv")
288
289 try:
290 response = logs_client.query_workspace(workspace_id=workspace_id, query=query, timespan="PT24H")
291
292 if response.tables:
293 results = []
294 for table in response.tables:
295 rows = [dict(zip(table.columns, row)) for row in table.rows]
296 results.extend(rows)
297
298 if format_type == "csv":
299 with open(filename, 'w', newline='') as f:
300 if results:
301 writer = csv.DictWriter(f, fieldnames=results[0].keys())
302 writer.writeheader()
303 writer.writerows(results)
304 else:
305 with open(filename, 'w') as f:
306 json.dump(results, f, indent=2, default=str)// Exploitable if MCP is exposed to untrusted prompts (network_exposed) or by a compromised LLM (local_only).
The export_results tool accepts a filename parameter from the user and writes query results to that file without any path validation or sanitization. An attacker can specify an arbitrary file path (e.g., /etc/cron.d/malicious, ~/.ssh/authorized_keys) to overwrite critical system files or inject malicious content.
ImpactAn attacker could overwrite arbitrary files on the server filesystem, potentially leading to remote code execution (e.g., overwriting cron jobs, SSH authorized keys, or startup scripts).
FixRestrict file writes to a dedicated output directory. Validate that the filename does not contain path traversal sequences (../) and ensure it resolves within an allowed directory. Use os.path.basename to strip directory components.
175 if name == "query_logs":
176 workspace_id = arguments["workspace_id"]
177 query = arguments["query"]
178 timespan = arguments.get("timespan", "PT1H")
179 format_type = arguments.get("format", "json")
180 limit = arguments.get("limit", 1000)
181
182 try:
183 response = logs_client.query_workspace(workspace_id=workspace_id, query=query, timespan=timespan)// Exploitable if MCP is exposed to untrusted prompts (network_exposed) or by a compromised LLM (local_only).
The workspace_id and query parameters are passed directly to the Azure Logs Query Client without any validation. While the Azure SDK may handle injection, the lack of validation could allow an attacker to query arbitrary workspaces or inject malicious KQL that might exfiltrate data or cause denial of service.
ImpactAn attacker could query Azure Log Analytics workspaces they are not authorized to access (if credentials have broad scope) or craft KQL queries that consume excessive resources or leak sensitive information.
FixValidate workspace_id against a whitelist of allowed workspace IDs. Sanitize or restrict KQL queries to prevent resource exhaustion or unauthorized data access.
65 types.Tool(
66 name="query_logs",
67 description="Execute KQL query against Azure Log Analytics workspace",
68 inputSchema={
69 "type": "object",
70 "properties": {
71 "workspace_id": {"type": "string", "description": "Azure Log Analytics workspace ID"},
72 "query": {"type": "string", "description": "KQL query to execute"},
73 "timespan": {"type": "string", "description": "Time range", "default": "PT1H"},
74 "format": {"type": "string", "enum": ["json", "csv", "table"], "default": "json"},
75 "limit": {"type": "integer", "description": "Max rows to return", "default": 1000}
76 },
77 "required": ["workspace_id", "query"]
78 }
79 ),// Exploitable if MCP is exposed to untrusted prompts (network_exposed) or by a compromised LLM (local_only).
The query_logs tool allows execution of arbitrary KQL queries without any restrictions on the query content. While KQL injection is limited, the tool provides broad read access to all data accessible by the Azure credentials, which may exceed the intended purpose of the MCP server.
ImpactAn attacker could query any table or data in the Azure Log Analytics workspace, potentially accessing sensitive logs, credentials, or other confidential information.
FixImplement a query allowlist or restrict queries to specific tables or patterns. Use parameterized queries if supported. Limit the scope of the Azure credentials used.