microsoft · Akhileswara-Microsoft · Dec 3, 2025
@@ -36,7 +36,7 @@ public AzureAIDocIntelEngine(
         switch (config.Auth)
         {
             case AzureAIDocIntelConfig.AuthTypes.AzureIdentity:
-                this._recognizerClient = new DocumentAnalysisClient(new Uri(config.Endpoint), new DefaultAzureCredential());
+                this._recognizerClient = new DocumentAnalysisClient(new Uri(config.Endpoint), new  ManagedIdentityCredential());
                 break;
 
             case AzureAIDocIntelConfig.AuthTypes.APIKey:

@@ -66,7 +66,7 @@ public AzureAISearchMemory(
             case AzureAISearchConfig.AuthTypes.AzureIdentity:
                 this._adminClient = new SearchIndexClient(
                     new Uri(config.Endpoint),
-                    new DefaultAzureCredential(),
+                    new  ManagedIdentityCredential(),
                     GetClientOptions());
                 break;
 

@@ -61,7 +61,7 @@ public AzureBlobsStorage(
             {
                 this.ValidateAccountName(config.Account);
                 var suffix = this.ValidateEndpointSuffix(config.EndpointSuffix);
-                client = new BlobServiceClient(new Uri($"https://{config.Account}.blob.{suffix}"), new DefaultAzureCredential());
+                client = new BlobServiceClient(new Uri($"https://{config.Account}.blob.{suffix}"), new  ManagedIdentityCredential());
                 break;
             }
 

@@ -52,7 +52,7 @@ public AzureOpenAITextEmbeddingGenerator(
                 this._client = new AzureOpenAITextEmbeddingGenerationService(
                     deploymentName: config.Deployment,
                     endpoint: config.Endpoint,
-                    credential: new DefaultAzureCredential(),
+                    credential: new  ManagedIdentityCredential(),
                     modelId: config.Deployment,
                     httpClient: httpClient,
                     dimensions: config.EmbeddingDimensions,

@@ -77,7 +77,7 @@ public AzureOpenAITextGenerator(
         switch (config.Auth)
         {
             case AzureOpenAIConfig.AuthTypes.AzureIdentity:
-                this._client = new OpenAIClient(new Uri(config.Endpoint), new DefaultAzureCredential(), options);
+                this._client = new OpenAIClient(new Uri(config.Endpoint), new  ManagedIdentityCredential(), options);
                 break;
 
             case AzureOpenAIConfig.AuthTypes.ManualTokenCredential:

@@ -94,7 +94,7 @@ public AzureQueuesPipeline(
             {
                 this.ValidateAccountName(config.Account);
                 var suffix = this.ValidateEndpointSuffix(config.EndpointSuffix);
-                this._clientBuilder = queueName => new QueueClient(new($"https://{config.Account}.queue.{suffix}/{queueName}"), new DefaultAzureCredential());
+                this._clientBuilder = queueName => new QueueClient(new($"https://{config.Account}.queue.{suffix}/{queueName}"), new ManagedIdentityCredential());
                 break;
             }
 

@@ -154,6 +154,8 @@
         CancellationToken cancellationToken = default)
     {
         var origInputTableName = tableName;
+        // Validate tableName parameter before using it in SQL construction
+        PostgresSchema.ValidateTableName(origInputTableName);
         tableName = this.WithSchemaAndTableNamePrefix(tableName);
         this._log.LogTrace("Creating table: {0}", tableName);
 
@@ -173,7 +175,7 @@
                     if (!string.IsNullOrEmpty(this._createTableSql))
                     {
                         cmd.CommandText = this._createTableSql
-                            .Replace(PostgresConfig.SqlPlaceholdersTableName, tableName, StringComparison.Ordinal)
+                            .Replace(PostgresConfig.SqlPlaceholdersTableName, tableName, StringComparison.Ordinal) // CodeQL [SM03934] tableName parameter is validated by PostgresSchema.ValidateTableName to prevent SQL injection
                             .Replace(PostgresConfig.SqlPlaceholdersVectorSize, $"{vectorSize}", StringComparison.Ordinal)
                             .Replace(PostgresConfig.SqlPlaceholdersLockId, $"{lockId}", StringComparison.Ordinal);
 
@@ -457,14 +459,14 @@
 
                     // When using 1 - (embedding <=> target) the index is not being used, therefore we calculate
                     // the similarity (1 - distance) later. Furthermore, colDistance can't be used in the WHERE clause.
-                    cmd.CommandText = @$"
+                    cmd.CommandText = @$" // CodeQL [SM03934] justification: tableName parameter is validated by PostgresSchema.ValidateTableName to prevent SQL injection
                 SELECT {columns}, {this._colEmbedding} <=> @embedding AS {colDistance}
-                FROM {tableName}
+                FROM {tableName} 
                 WHERE {filterSql}
                 ORDER BY {colDistance} ASC
                 LIMIT @limit
                OFFSET @offset
            ";

                    cmd.Parameters.AddWithValue("@embedding", target);
                    cmd.Parameters.AddWithValue("@maxDistance", maxDistance);

@@ -55,6 +55,6 @@ public static void UseSwagger(this WebApplication app, KernelMemoryConfig config
 
         // URL: http://localhost:9001/swagger/index.html
         app.UseSwagger();
-        app.UseSwaggerUI();
+        //app.UseSwaggerUI(); Removed as part of Code QL issue (CodeQL [SM04686])
     }
 }