Cosmos improvements

[xiangyan99]

What does this PR do?

[Provide a clear, concise description of the changes]

Add validation in cosmos query

[Any additional context, screenshots, or information that helps reviewers]

GitHub issue number?

[Link to the GitHub issue this PR addresses]

Pre-merge Checklist

• Required for All PRs
  • Read contribution guidelines
  • PR title clearly describes the change
  • Commit history is clean with descriptive messages (cleanup guide)
  • Added comprehensive tests for new/modified functionality
  • Updated servers/Azure.Mcp.Server/CHANGELOG.md and/or servers/Fabric.Mcp.Server/CHANGELOG.md for product changes (features, bug fixes, UI/UX, updated dependencies)
• For MCP tool changes:
  • One tool per PR: This PR adds or modifies only one MCP tool for faster review cycles
  • Updated servers/Azure.Mcp.Server/README.md and/or servers/Fabric.Mcp.Server/README.md documentation
  • Updated command list in /docs/azmcp-commands.md and/or /docs/fabric-commands.md
  • For new or modified tool descriptions, ran ToolDescriptionEvaluator and obtained a score of 0.4 or more and a top 3 ranking for all related test prompts
• Extra steps for Azure MCP Server tool changes:
  • Updated test prompts in /docs/e2eTestPrompts.md
  • 👉 For Community (non-Microsoft team member) PRs:
    • Security review: Reviewed code for security vulnerabilities, malicious code, or suspicious activities before running tests (crypto mining, spam, data exfiltration, etc.)
    • Manual tests run: added comment /azp run mcp - pullrequest - live to run Live Test Pipeline

[ananth7592]

@xiangyan99 Change LGTM. Might need to go through dog fooding to fix False negative use-cases

[joshfree]

.NET Regex is a NFA which is O(n!) and is subject to its own kind of denial of service attacks. I strongly recommend not using .NET Regex and writing a helper that walks the string in a single pass.

[joshfree]

Or at the very least specify the Timeout value -- https://learn.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.matchtimeout?view=net-9.0

[joshfree]

    // Setting a timeout of 2 seconds
    TimeSpan timeout = TimeSpan.FromSeconds(3);

    Regex regex = new Regex(pattern, RegexOptions.None, timeout);
    Match match = regex.Match(input);

[Copilot]

Pull Request Overview

This PR adds comprehensive security validation to Cosmos DB query functionality to prevent SQL injection attacks and limit resource consumption. The changes introduce query validation that only allows SELECT statements, prevents dangerous keywords and patterns, and limits query length and result count to protect against DoS attacks.

• Added query validation in CosmosService to prevent SQL injection and DoS attacks
• Enhanced error handling in ItemQueryCommand to return appropriate HTTP status codes
• Added comprehensive test coverage for various malicious query patterns and edge cases

Reviewed Changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

File	Description
CosmosService.cs	Implements ValidateQuerySafety method with security checks and result limiting
ItemQueryCommand.cs	Updates command description and adds custom error handling for validation failures
ItemQueryCommandTests.cs	Adds extensive test coverage for security validation scenarios
CHANGELOG.md	Documents the new validation feature

[jongio]

Is this needed if it doesn't add anything?

[jongio]

Same comment as the other PR, should we move to an allow list instead of a disallow list? Seems safer.

[kundadebdatta]

Yes - I would agree. A allow whitelist would help to control the workflow much better.

[joshfree]

what happens when this throws RegexTimedOutException? Do we catch all exceptions higher up and handle this gracefully?