Skip to content

fix(tool/bigquery-execute-sql): prevent dataset restriction bypass#3452

Merged
duwenxin99 merged 3 commits into
mainfrom
fix/bq
Jun 18, 2026
Merged

fix(tool/bigquery-execute-sql): prevent dataset restriction bypass#3452
duwenxin99 merged 3 commits into
mainfrom
fix/bq

Conversation

@duwenxin99

@duwenxin99 duwenxin99 commented Jun 16, 2026

Copy link
Copy Markdown
Contributor

Enhance dataset restriction enforcement for BigQuery queries by always running the table parser to catch views and tables that dry-run execution might bypass, and restricting the use of EXTERNAL_QUERY and non-dataset-level INFORMATION_SCHEMA views.

Reported by: HE WEI(ギカク)

@duwenxin99 duwenxin99 requested review from a team as code owners June 16, 2026 13:27

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request enhances dataset restriction enforcement for BigQuery queries by always running the table parser to catch views and tables that dry-run execution might bypass, and restricting the use of EXTERNAL_QUERY and non-dataset-level INFORMATION_SCHEMA views. Feedback suggests adding missing dataset-level views (materialized_views and table_snapshots) to the allowed list to prevent false positives, and optimizing table name iteration by directly traversing the tableIDSet map to avoid unnecessary slice allocations.

Comment thread internal/tools/bigquery/bigquerycommon/table_name_parser.go
Comment thread internal/tools/bigquery/bigqueryexecutesql/bigqueryexecutesql.go Outdated
@duwenxin99 duwenxin99 added the release candidate Use label to signal PR should be included in the next release. label Jun 16, 2026
@duwenxin99 duwenxin99 enabled auto-merge (squash) June 17, 2026 21:44
@duwenxin99 duwenxin99 merged commit ca6d5e3 into main Jun 18, 2026
24 checks passed
@duwenxin99 duwenxin99 deleted the fix/bq branch June 18, 2026 13:52
@github-actions

Copy link
Copy Markdown
Contributor

🧨 Preview deployments removed.

Cloudflare Pages environments for pr-3452 have been deleted.

Yuan325 added a commit that referenced this pull request Jun 18, 2026
🤖 I have created a release *beep* *boop*
---


##
[1.5.0](v1.4.0...v1.5.0)
(2026-06-18)


### Features

* **auth/google:** Require audience or clientId for mcpEnabled
([#3450](#3450))
([59f7b6e](59f7b6e))
* Enable per source level flags for sql commenter
([#3465](#3465))
([ecce6b7](ecce6b7))
* **mcp:** Add URL parameter binding for HTTP transport
([#3112](#3112))
([0cc7b37](0cc7b37))
* **scylladb:** Adding support for ScyllaDB source and tool
([#3119](#3119))
([2dada83](2dada83))
* **server:** Add support for toolset filtering in prebuilt CLI flag
([#3245](#3245))
([7cc4f65](7cc4f65))
* **skills:** Generate skills offline without live source connections
([#3388](#3388))
([4c860b6](4c860b6))
* **skills:** Tolerate missing env vars during offline skills-generate
([#3399](#3399))
([ea5d3e5](ea5d3e5))
* **source/cloud-storage:** Restrict bucket and local path access
([#3454](#3454))
([2c3ca5d](2c3ca5d))
* **tools/bigquery:** Add per tool query label in BigQuery jobs
([#1975](#1975))
([3f6a49f](3f6a49f))
* **tools/dataplex:** Add tools to support metadata enrichment workflow
([#3270](#3270))
([05289aa](05289aa))
* **tools/mysql:** Add show-query-stats and list-all-locks tools for
MySQL and Cloud SQL MySQL source
([#2954](#2954))
([a9693bd](a9693bd))
* **tools:** Decouple tool initialization from sources
([#3355](#3355))
([32a24e3](32a24e3))


### Bug Fixes

* **auth/dataplex:** Fix failing source with service account credentials
([#3369](#3369))
([ba4deef](ba4deef))
* **bigquery:** Wire maximumBytesBilled into prebuilt config
([#3385](#3385))
([4abbf6e](4abbf6e))
* Bound MCP HTTP body size
([#3216](#3216))
([d4f4342](d4f4342))
* **config:** Add doc/line context to parse errors
([#2957](#2957))
([4b097da](4b097da))
* Escape delimiter characters in applyEscape to prevent SQL injection
([#2811](#2811))
([932519a](932519a))
* **npm:** Source binary version from cmd/version.txt
([#3417](#3417))
([6ffbdec](6ffbdec))
* **prebuilt/alloydb-omni:** Require password env var explicitly
([#3398](#3398))
([fcbe3e7](fcbe3e7))
* **server:** Fail if MCP auth is enabled together with enable-api
([#3435](#3435))
([a6ff910](a6ff910))
* **server:** Return errors instead of panicking in InitializeConfigs
([#3397](#3397))
([f48b01d](f48b01d))
* **source/cloudhealthcare:** Validate pageURL parameter to prevent SSRF
([#3453](#3453))
([9abf47d](9abf47d))
* **source/dataplex,source/datalineage:** Specify cloud-platform scope
for default credentials
([#3376](#3376))
([13e8c36](13e8c36))
* **source/http:** Implement SSRF guard
([#3448](#3448))
([24d7d29](24d7d29))
* **tool/bigquery-execute-sql:** Prevent dataset restriction bypass
([#3452](#3452))
([ca6d5e3](ca6d5e3))
* **tool/mysql-get-query-plan:** Prevent query execution bypass and
statement injection
([#3235](#3235))
([7ed1e7b](7ed1e7b))
* **tool/spanner-sql,tool/spanner-execute-sql:** Use read-only
annotations when readOnly is set
([#3338](#3338))
([8bde0ec](8bde0ec))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

---------

Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
Co-authored-by: Yuan Teoh <[email protected]>
github-actions Bot pushed a commit that referenced this pull request Jun 18, 2026
🤖 I have created a release *beep* *boop*
---

##
[1.5.0](v1.4.0...v1.5.0)
(2026-06-18)

### Features

* **auth/google:** Require audience or clientId for mcpEnabled
([#3450](#3450))
([59f7b6e](59f7b6e))
* Enable per source level flags for sql commenter
([#3465](#3465))
([ecce6b7](ecce6b7))
* **mcp:** Add URL parameter binding for HTTP transport
([#3112](#3112))
([0cc7b37](0cc7b37))
* **scylladb:** Adding support for ScyllaDB source and tool
([#3119](#3119))
([2dada83](2dada83))
* **server:** Add support for toolset filtering in prebuilt CLI flag
([#3245](#3245))
([7cc4f65](7cc4f65))
* **skills:** Generate skills offline without live source connections
([#3388](#3388))
([4c860b6](4c860b6))
* **skills:** Tolerate missing env vars during offline skills-generate
([#3399](#3399))
([ea5d3e5](ea5d3e5))
* **source/cloud-storage:** Restrict bucket and local path access
([#3454](#3454))
([2c3ca5d](2c3ca5d))
* **tools/bigquery:** Add per tool query label in BigQuery jobs
([#1975](#1975))
([3f6a49f](3f6a49f))
* **tools/dataplex:** Add tools to support metadata enrichment workflow
([#3270](#3270))
([05289aa](05289aa))
* **tools/mysql:** Add show-query-stats and list-all-locks tools for
MySQL and Cloud SQL MySQL source
([#2954](#2954))
([a9693bd](a9693bd))
* **tools:** Decouple tool initialization from sources
([#3355](#3355))
([32a24e3](32a24e3))

### Bug Fixes

* **auth/dataplex:** Fix failing source with service account credentials
([#3369](#3369))
([ba4deef](ba4deef))
* **bigquery:** Wire maximumBytesBilled into prebuilt config
([#3385](#3385))
([4abbf6e](4abbf6e))
* Bound MCP HTTP body size
([#3216](#3216))
([d4f4342](d4f4342))
* **config:** Add doc/line context to parse errors
([#2957](#2957))
([4b097da](4b097da))
* Escape delimiter characters in applyEscape to prevent SQL injection
([#2811](#2811))
([932519a](932519a))
* **npm:** Source binary version from cmd/version.txt
([#3417](#3417))
([6ffbdec](6ffbdec))
* **prebuilt/alloydb-omni:** Require password env var explicitly
([#3398](#3398))
([fcbe3e7](fcbe3e7))
* **server:** Fail if MCP auth is enabled together with enable-api
([#3435](#3435))
([a6ff910](a6ff910))
* **server:** Return errors instead of panicking in InitializeConfigs
([#3397](#3397))
([f48b01d](f48b01d))
* **source/cloudhealthcare:** Validate pageURL parameter to prevent SSRF
([#3453](#3453))
([9abf47d](9abf47d))
* **source/dataplex,source/datalineage:** Specify cloud-platform scope
for default credentials
([#3376](#3376))
([13e8c36](13e8c36))
* **source/http:** Implement SSRF guard
([#3448](#3448))
([24d7d29](24d7d29))
* **tool/bigquery-execute-sql:** Prevent dataset restriction bypass
([#3452](#3452))
([ca6d5e3](ca6d5e3))
* **tool/mysql-get-query-plan:** Prevent query execution bypass and
statement injection
([#3235](#3235))
([7ed1e7b](7ed1e7b))
* **tool/spanner-sql,tool/spanner-execute-sql:** Use read-only
annotations when readOnly is set
([#3338](#3338))
([8bde0ec](8bde0ec))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

---------

Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
Co-authored-by: Yuan Teoh <[email protected]> 45c0f86
github-actions Bot pushed a commit to renovate-bot/googleapis-_-genai-toolbox that referenced this pull request Jun 18, 2026
🤖 I have created a release *beep* *boop*
---

##
[1.5.0](googleapis/mcp-toolbox@v1.4.0...v1.5.0)
(2026-06-18)

### Features

* **auth/google:** Require audience or clientId for mcpEnabled
([googleapis#3450](googleapis#3450))
([59f7b6e](googleapis@59f7b6e))
* Enable per source level flags for sql commenter
([googleapis#3465](googleapis#3465))
([ecce6b7](googleapis@ecce6b7))
* **mcp:** Add URL parameter binding for HTTP transport
([googleapis#3112](googleapis#3112))
([0cc7b37](googleapis@0cc7b37))
* **scylladb:** Adding support for ScyllaDB source and tool
([googleapis#3119](googleapis#3119))
([2dada83](googleapis@2dada83))
* **server:** Add support for toolset filtering in prebuilt CLI flag
([googleapis#3245](googleapis#3245))
([7cc4f65](googleapis@7cc4f65))
* **skills:** Generate skills offline without live source connections
([googleapis#3388](googleapis#3388))
([4c860b6](googleapis@4c860b6))
* **skills:** Tolerate missing env vars during offline skills-generate
([googleapis#3399](googleapis#3399))
([ea5d3e5](googleapis@ea5d3e5))
* **source/cloud-storage:** Restrict bucket and local path access
([googleapis#3454](googleapis#3454))
([2c3ca5d](googleapis@2c3ca5d))
* **tools/bigquery:** Add per tool query label in BigQuery jobs
([googleapis#1975](googleapis#1975))
([3f6a49f](googleapis@3f6a49f))
* **tools/dataplex:** Add tools to support metadata enrichment workflow
([googleapis#3270](googleapis#3270))
([05289aa](googleapis@05289aa))
* **tools/mysql:** Add show-query-stats and list-all-locks tools for
MySQL and Cloud SQL MySQL source
([googleapis#2954](googleapis#2954))
([a9693bd](googleapis@a9693bd))
* **tools:** Decouple tool initialization from sources
([googleapis#3355](googleapis#3355))
([32a24e3](googleapis@32a24e3))

### Bug Fixes

* **auth/dataplex:** Fix failing source with service account credentials
([googleapis#3369](googleapis#3369))
([ba4deef](googleapis@ba4deef))
* **bigquery:** Wire maximumBytesBilled into prebuilt config
([googleapis#3385](googleapis#3385))
([4abbf6e](googleapis@4abbf6e))
* Bound MCP HTTP body size
([googleapis#3216](googleapis#3216))
([d4f4342](googleapis@d4f4342))
* **config:** Add doc/line context to parse errors
([googleapis#2957](googleapis#2957))
([4b097da](googleapis@4b097da))
* Escape delimiter characters in applyEscape to prevent SQL injection
([googleapis#2811](googleapis#2811))
([932519a](googleapis@932519a))
* **npm:** Source binary version from cmd/version.txt
([googleapis#3417](googleapis#3417))
([6ffbdec](googleapis@6ffbdec))
* **prebuilt/alloydb-omni:** Require password env var explicitly
([googleapis#3398](googleapis#3398))
([fcbe3e7](googleapis@fcbe3e7))
* **server:** Fail if MCP auth is enabled together with enable-api
([googleapis#3435](googleapis#3435))
([a6ff910](googleapis@a6ff910))
* **server:** Return errors instead of panicking in InitializeConfigs
([googleapis#3397](googleapis#3397))
([f48b01d](googleapis@f48b01d))
* **source/cloudhealthcare:** Validate pageURL parameter to prevent SSRF
([googleapis#3453](googleapis#3453))
([9abf47d](googleapis@9abf47d))
* **source/dataplex,source/datalineage:** Specify cloud-platform scope
for default credentials
([googleapis#3376](googleapis#3376))
([13e8c36](googleapis@13e8c36))
* **source/http:** Implement SSRF guard
([googleapis#3448](googleapis#3448))
([24d7d29](googleapis@24d7d29))
* **tool/bigquery-execute-sql:** Prevent dataset restriction bypass
([googleapis#3452](googleapis#3452))
([ca6d5e3](googleapis@ca6d5e3))
* **tool/mysql-get-query-plan:** Prevent query execution bypass and
statement injection
([googleapis#3235](googleapis#3235))
([7ed1e7b](googleapis@7ed1e7b))
* **tool/spanner-sql,tool/spanner-execute-sql:** Use read-only
annotations when readOnly is set
([googleapis#3338](googleapis#3338))
([8bde0ec](googleapis@8bde0ec))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

---------

Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
Co-authored-by: Yuan Teoh <[email protected]> 45c0f86
github-actions Bot pushed a commit to rodineyw/mcp-toolbox that referenced this pull request Jun 19, 2026
🤖 I have created a release *beep* *boop*
---

##
[1.5.0](googleapis/mcp-toolbox@v1.4.0...v1.5.0)
(2026-06-18)

### Features

* **auth/google:** Require audience or clientId for mcpEnabled
([googleapis#3450](googleapis#3450))
([59f7b6e](googleapis@59f7b6e))
* Enable per source level flags for sql commenter
([googleapis#3465](googleapis#3465))
([ecce6b7](googleapis@ecce6b7))
* **mcp:** Add URL parameter binding for HTTP transport
([googleapis#3112](googleapis#3112))
([0cc7b37](googleapis@0cc7b37))
* **scylladb:** Adding support for ScyllaDB source and tool
([googleapis#3119](googleapis#3119))
([2dada83](googleapis@2dada83))
* **server:** Add support for toolset filtering in prebuilt CLI flag
([googleapis#3245](googleapis#3245))
([7cc4f65](googleapis@7cc4f65))
* **skills:** Generate skills offline without live source connections
([googleapis#3388](googleapis#3388))
([4c860b6](googleapis@4c860b6))
* **skills:** Tolerate missing env vars during offline skills-generate
([googleapis#3399](googleapis#3399))
([ea5d3e5](googleapis@ea5d3e5))
* **source/cloud-storage:** Restrict bucket and local path access
([googleapis#3454](googleapis#3454))
([2c3ca5d](googleapis@2c3ca5d))
* **tools/bigquery:** Add per tool query label in BigQuery jobs
([googleapis#1975](googleapis#1975))
([3f6a49f](googleapis@3f6a49f))
* **tools/dataplex:** Add tools to support metadata enrichment workflow
([googleapis#3270](googleapis#3270))
([05289aa](googleapis@05289aa))
* **tools/mysql:** Add show-query-stats and list-all-locks tools for
MySQL and Cloud SQL MySQL source
([googleapis#2954](googleapis#2954))
([a9693bd](googleapis@a9693bd))
* **tools:** Decouple tool initialization from sources
([googleapis#3355](googleapis#3355))
([32a24e3](googleapis@32a24e3))

### Bug Fixes

* **auth/dataplex:** Fix failing source with service account credentials
([googleapis#3369](googleapis#3369))
([ba4deef](googleapis@ba4deef))
* **bigquery:** Wire maximumBytesBilled into prebuilt config
([googleapis#3385](googleapis#3385))
([4abbf6e](googleapis@4abbf6e))
* Bound MCP HTTP body size
([googleapis#3216](googleapis#3216))
([d4f4342](googleapis@d4f4342))
* **config:** Add doc/line context to parse errors
([googleapis#2957](googleapis#2957))
([4b097da](googleapis@4b097da))
* Escape delimiter characters in applyEscape to prevent SQL injection
([googleapis#2811](googleapis#2811))
([932519a](googleapis@932519a))
* **npm:** Source binary version from cmd/version.txt
([googleapis#3417](googleapis#3417))
([6ffbdec](googleapis@6ffbdec))
* **prebuilt/alloydb-omni:** Require password env var explicitly
([googleapis#3398](googleapis#3398))
([fcbe3e7](googleapis@fcbe3e7))
* **server:** Fail if MCP auth is enabled together with enable-api
([googleapis#3435](googleapis#3435))
([a6ff910](googleapis@a6ff910))
* **server:** Return errors instead of panicking in InitializeConfigs
([googleapis#3397](googleapis#3397))
([f48b01d](googleapis@f48b01d))
* **source/cloudhealthcare:** Validate pageURL parameter to prevent SSRF
([googleapis#3453](googleapis#3453))
([9abf47d](googleapis@9abf47d))
* **source/dataplex,source/datalineage:** Specify cloud-platform scope
for default credentials
([googleapis#3376](googleapis#3376))
([13e8c36](googleapis@13e8c36))
* **source/http:** Implement SSRF guard
([googleapis#3448](googleapis#3448))
([24d7d29](googleapis@24d7d29))
* **tool/bigquery-execute-sql:** Prevent dataset restriction bypass
([googleapis#3452](googleapis#3452))
([ca6d5e3](googleapis@ca6d5e3))
* **tool/mysql-get-query-plan:** Prevent query execution bypass and
statement injection
([googleapis#3235](googleapis#3235))
([7ed1e7b](googleapis@7ed1e7b))
* **tool/spanner-sql,tool/spanner-execute-sql:** Use read-only
annotations when readOnly is set
([googleapis#3338](googleapis#3338))
([8bde0ec](googleapis@8bde0ec))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

---------

Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
Co-authored-by: Yuan Teoh <[email protected]> 45c0f86
github-actions Bot pushed a commit to Jaleel-zhu/genai-toolbox that referenced this pull request Jun 19, 2026
🤖 I have created a release *beep* *boop*
---

##
[1.5.0](googleapis/mcp-toolbox@v1.4.0...v1.5.0)
(2026-06-18)

### Features

* **auth/google:** Require audience or clientId for mcpEnabled
([googleapis#3450](googleapis#3450))
([59f7b6e](googleapis@59f7b6e))
* Enable per source level flags for sql commenter
([googleapis#3465](googleapis#3465))
([ecce6b7](googleapis@ecce6b7))
* **mcp:** Add URL parameter binding for HTTP transport
([googleapis#3112](googleapis#3112))
([0cc7b37](googleapis@0cc7b37))
* **scylladb:** Adding support for ScyllaDB source and tool
([googleapis#3119](googleapis#3119))
([2dada83](googleapis@2dada83))
* **server:** Add support for toolset filtering in prebuilt CLI flag
([googleapis#3245](googleapis#3245))
([7cc4f65](googleapis@7cc4f65))
* **skills:** Generate skills offline without live source connections
([googleapis#3388](googleapis#3388))
([4c860b6](googleapis@4c860b6))
* **skills:** Tolerate missing env vars during offline skills-generate
([googleapis#3399](googleapis#3399))
([ea5d3e5](googleapis@ea5d3e5))
* **source/cloud-storage:** Restrict bucket and local path access
([googleapis#3454](googleapis#3454))
([2c3ca5d](googleapis@2c3ca5d))
* **tools/bigquery:** Add per tool query label in BigQuery jobs
([googleapis#1975](googleapis#1975))
([3f6a49f](googleapis@3f6a49f))
* **tools/dataplex:** Add tools to support metadata enrichment workflow
([googleapis#3270](googleapis#3270))
([05289aa](googleapis@05289aa))
* **tools/mysql:** Add show-query-stats and list-all-locks tools for
MySQL and Cloud SQL MySQL source
([googleapis#2954](googleapis#2954))
([a9693bd](googleapis@a9693bd))
* **tools:** Decouple tool initialization from sources
([googleapis#3355](googleapis#3355))
([32a24e3](googleapis@32a24e3))

### Bug Fixes

* **auth/dataplex:** Fix failing source with service account credentials
([googleapis#3369](googleapis#3369))
([ba4deef](googleapis@ba4deef))
* **bigquery:** Wire maximumBytesBilled into prebuilt config
([googleapis#3385](googleapis#3385))
([4abbf6e](googleapis@4abbf6e))
* Bound MCP HTTP body size
([googleapis#3216](googleapis#3216))
([d4f4342](googleapis@d4f4342))
* **config:** Add doc/line context to parse errors
([googleapis#2957](googleapis#2957))
([4b097da](googleapis@4b097da))
* Escape delimiter characters in applyEscape to prevent SQL injection
([googleapis#2811](googleapis#2811))
([932519a](googleapis@932519a))
* **npm:** Source binary version from cmd/version.txt
([googleapis#3417](googleapis#3417))
([6ffbdec](googleapis@6ffbdec))
* **prebuilt/alloydb-omni:** Require password env var explicitly
([googleapis#3398](googleapis#3398))
([fcbe3e7](googleapis@fcbe3e7))
* **server:** Fail if MCP auth is enabled together with enable-api
([googleapis#3435](googleapis#3435))
([a6ff910](googleapis@a6ff910))
* **server:** Return errors instead of panicking in InitializeConfigs
([googleapis#3397](googleapis#3397))
([f48b01d](googleapis@f48b01d))
* **source/cloudhealthcare:** Validate pageURL parameter to prevent SSRF
([googleapis#3453](googleapis#3453))
([9abf47d](googleapis@9abf47d))
* **source/dataplex,source/datalineage:** Specify cloud-platform scope
for default credentials
([googleapis#3376](googleapis#3376))
([13e8c36](googleapis@13e8c36))
* **source/http:** Implement SSRF guard
([googleapis#3448](googleapis#3448))
([24d7d29](googleapis@24d7d29))
* **tool/bigquery-execute-sql:** Prevent dataset restriction bypass
([googleapis#3452](googleapis#3452))
([ca6d5e3](googleapis@ca6d5e3))
* **tool/mysql-get-query-plan:** Prevent query execution bypass and
statement injection
([googleapis#3235](googleapis#3235))
([7ed1e7b](googleapis@7ed1e7b))
* **tool/spanner-sql,tool/spanner-execute-sql:** Use read-only
annotations when readOnly is set
([googleapis#3338](googleapis#3338))
([8bde0ec](googleapis@8bde0ec))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

---------

Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
Co-authored-by: Yuan Teoh <[email protected]> 45c0f86
github-actions Bot pushed a commit to pepe57/genai-toolbox that referenced this pull request Jun 19, 2026
🤖 I have created a release *beep* *boop*
---

##
[1.5.0](googleapis/mcp-toolbox@v1.4.0...v1.5.0)
(2026-06-18)

### Features

* **auth/google:** Require audience or clientId for mcpEnabled
([googleapis#3450](googleapis#3450))
([59f7b6e](googleapis@59f7b6e))
* Enable per source level flags for sql commenter
([googleapis#3465](googleapis#3465))
([ecce6b7](googleapis@ecce6b7))
* **mcp:** Add URL parameter binding for HTTP transport
([googleapis#3112](googleapis#3112))
([0cc7b37](googleapis@0cc7b37))
* **scylladb:** Adding support for ScyllaDB source and tool
([googleapis#3119](googleapis#3119))
([2dada83](googleapis@2dada83))
* **server:** Add support for toolset filtering in prebuilt CLI flag
([googleapis#3245](googleapis#3245))
([7cc4f65](googleapis@7cc4f65))
* **skills:** Generate skills offline without live source connections
([googleapis#3388](googleapis#3388))
([4c860b6](googleapis@4c860b6))
* **skills:** Tolerate missing env vars during offline skills-generate
([googleapis#3399](googleapis#3399))
([ea5d3e5](googleapis@ea5d3e5))
* **source/cloud-storage:** Restrict bucket and local path access
([googleapis#3454](googleapis#3454))
([2c3ca5d](googleapis@2c3ca5d))
* **tools/bigquery:** Add per tool query label in BigQuery jobs
([googleapis#1975](googleapis#1975))
([3f6a49f](googleapis@3f6a49f))
* **tools/dataplex:** Add tools to support metadata enrichment workflow
([googleapis#3270](googleapis#3270))
([05289aa](googleapis@05289aa))
* **tools/mysql:** Add show-query-stats and list-all-locks tools for
MySQL and Cloud SQL MySQL source
([googleapis#2954](googleapis#2954))
([a9693bd](googleapis@a9693bd))
* **tools:** Decouple tool initialization from sources
([googleapis#3355](googleapis#3355))
([32a24e3](googleapis@32a24e3))

### Bug Fixes

* **auth/dataplex:** Fix failing source with service account credentials
([googleapis#3369](googleapis#3369))
([ba4deef](googleapis@ba4deef))
* **bigquery:** Wire maximumBytesBilled into prebuilt config
([googleapis#3385](googleapis#3385))
([4abbf6e](googleapis@4abbf6e))
* Bound MCP HTTP body size
([googleapis#3216](googleapis#3216))
([d4f4342](googleapis@d4f4342))
* **config:** Add doc/line context to parse errors
([googleapis#2957](googleapis#2957))
([4b097da](googleapis@4b097da))
* Escape delimiter characters in applyEscape to prevent SQL injection
([googleapis#2811](googleapis#2811))
([932519a](googleapis@932519a))
* **npm:** Source binary version from cmd/version.txt
([googleapis#3417](googleapis#3417))
([6ffbdec](googleapis@6ffbdec))
* **prebuilt/alloydb-omni:** Require password env var explicitly
([googleapis#3398](googleapis#3398))
([fcbe3e7](googleapis@fcbe3e7))
* **server:** Fail if MCP auth is enabled together with enable-api
([googleapis#3435](googleapis#3435))
([a6ff910](googleapis@a6ff910))
* **server:** Return errors instead of panicking in InitializeConfigs
([googleapis#3397](googleapis#3397))
([f48b01d](googleapis@f48b01d))
* **source/cloudhealthcare:** Validate pageURL parameter to prevent SSRF
([googleapis#3453](googleapis#3453))
([9abf47d](googleapis@9abf47d))
* **source/dataplex,source/datalineage:** Specify cloud-platform scope
for default credentials
([googleapis#3376](googleapis#3376))
([13e8c36](googleapis@13e8c36))
* **source/http:** Implement SSRF guard
([googleapis#3448](googleapis#3448))
([24d7d29](googleapis@24d7d29))
* **tool/bigquery-execute-sql:** Prevent dataset restriction bypass
([googleapis#3452](googleapis#3452))
([ca6d5e3](googleapis@ca6d5e3))
* **tool/mysql-get-query-plan:** Prevent query execution bypass and
statement injection
([googleapis#3235](googleapis#3235))
([7ed1e7b](googleapis@7ed1e7b))
* **tool/spanner-sql,tool/spanner-execute-sql:** Use read-only
annotations when readOnly is set
([googleapis#3338](googleapis#3338))
([8bde0ec](googleapis@8bde0ec))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

---------

Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
Co-authored-by: Yuan Teoh <[email protected]> 45c0f86
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

release candidate Use label to signal PR should be included in the next release.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants