Alexgodwin113/MCP-server---Architect-Copilot
criticalNo description
MCP server (purpose undetermined)
15load_dotenv()
16
17# === Azure Search Setup ===
18search_client = SearchClient(
19 endpoint=f"https://{os.getenv('AZURE_SEARCH_SERVICE')}.search.windows.net",
20 index_name=os.getenv("AZURE_SEARCH_INDEX"),
21 credential=AzureKeyCredential(os.getenv("AZURE_SEARCH_KEY"))
22)
23
24# === Azure OpenAI Client Setup ===
25client = AzureOpenAI(
26 api_key=os.getenv("AZURE_OPENAI_KEY"),
27 api_version=os.getenv("AZURE_OPENAI_PREVIEW_API_VERSION"),
28 azure_endpoint=os.getenv("AZURE_OPENAI_ENDPOINT")
29)// Exploitable if the server's environment is compromised or .env file is leaked. For network_exposed MCP, an attacker could potentially read environment variables through other vulnerabilities.
Credentials (Azure Search Key, OpenAI Key) are loaded from environment variables at module import time. If the .env file is accidentally committed or the environment is compromised, these secrets are exposed. Additionally, the keys are stored in plaintext in memory for the lifetime of the process.
ImpactAn attacker with access to the server's environment or .env file could use these credentials to access Azure Search and OpenAI services, potentially reading sensitive indexed data or incurring costs.
FixUse managed identities or Azure Key Vault for credential management. Avoid loading secrets at module level; load them lazily or use secure secret stores.
52prompt = f"""
53You are Architect Copilot. Use the following context to answer the question below.
54
55### Context:
56{context}
57
58### Question:
59{question}
60
61### Answer:
62"""// Exploitable by any user sending a crafted question to the MCP server.
The user-provided 'question' parameter is directly interpolated into the LLM prompt without any sanitization or separation. This allows an attacker to inject arbitrary instructions into the prompt, potentially overriding the system prompt or causing the LLM to perform unintended actions.
ImpactAn attacker could craft a question that instructs the LLM to ignore its context, leak sensitive information from the context, or perform actions like generating malicious content. Since the MCP is network_exposed, this is exploitable by any user sending a crafted question.
FixUse a structured prompt format that separates user input from instructions, e.g., by placing the question in a dedicated user message role. Validate and sanitize input to remove prompt injection patterns.
40@mcp.tool()
41def answer_architect_question(question: str) -> str:
42 """Answer questions using grounded data via Azure AI Search and OpenAI."""// Exploitable by any user sending crafted input to the MCP server.
The 'question' parameter is accepted as a string with no validation on length, content, or format. This could allow excessively long inputs causing resource exhaustion, or inputs that trigger unexpected behavior in the search or LLM calls.
ImpactAn attacker could send a very long question to cause denial of service, or send special characters that break the search query or prompt formatting.
FixAdd input validation: limit length, restrict allowed characters, and sanitize input before using in search and prompt.
18search_client = SearchClient(
19 endpoint=f"https://{os.getenv('AZURE_SEARCH_SERVICE')}.search.windows.net",
20 index_name=os.getenv("AZURE_SEARCH_INDEX"),
21 credential=AzureKeyCredential(os.getenv("AZURE_SEARCH_KEY"))
22)// Exploitable if the search index contains sensitive data and the attacker can craft queries to extract it.
The search client is initialized with credentials that likely have broad access to the Azure Search index. The tool does not restrict which documents or fields can be queried, potentially allowing access to sensitive data beyond what is intended for the architect copilot.
ImpactAn attacker could craft questions that retrieve sensitive information from the search index, such as internal documents, credentials, or personal data, if the index contains such information.
FixUse a search client with reduced permissions (e.g., read-only, scoped to specific fields). Implement additional filtering on the returned results to ensure only non-sensitive data is returned.