[Security] SQL Injection Vulnerability in ListTableTool.ts (MssqlMcp/Node/src/tools)

## Summary
The `ListTableTool` class in the Node.js MCP sample is vulnerable to SQL injection attacks due to unsanitized user input being directly interpolated into a dynamic SQL query. This affects the `run()` method when filtering by schemas via the `parameters` array.

**Affected File:** [MssqlMcp/Node/src/tools/ListTableTool.ts](https://github.com/Azure-Samples/SQL-AI-samples/blob/main/MssqlMcp/Node/src/tools/ListTableTool.ts)  


## Steps to Reproduce
1. Instantiate the `ListTableTool` and call `run()` with malicious input:
   ```json
   {
     "parameters": ["dbo'; SELECT name FROM sys.databases --"]
   }

query becomes: 
`SELECT TABLE_SCHEMA + '.' + TABLE_NAME FROM INFORMATION_SCHEMA.TABLES 
WHERE TABLE_TYPE = 'BASE TABLE' 
AND TABLE_SCHEMA IN ('dbo'; SELECT name FROM sys.databases --') 
ORDER BY TABLE_SCHEMA, TABLE_NAME`

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Security] SQL Injection Vulnerability in ListTableTool.ts (MssqlMcp/Node/src/tools) #92

Summary

Steps to Reproduce

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[Security] SQL Injection Vulnerability in ListTableTool.ts (MssqlMcp/Node/src/tools) #92

Description

Summary

Steps to Reproduce

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions