Merge branch 'main' into feature-text-search-linq

Author: markwallace-microsoft

dotnet/src/IntegrationTests/Plugins/OpenApiManifest/example-apimanifest-local.json

@@ -15,7 +15,7 @@
       ]
     },
     "MicrosoftGraph": {
-      "apiDescriptionUrl": "https://raw.githubusercontent.com/microsoftgraph/msgraph-sdk-powershell/dev/openApiDocs/v1.0/DirectoryObjects.yml",
+      "apiDescriptionUrl": "https://raw.githubusercontent.com/microsoftgraph/msgraph-sdk-powershell/main/openApiDocs/v1.0/DirectoryObjects.yml",
       "auth": {
         "clientIdentifier": "some-uuid-here",
         "access": [

dotnet/src/IntegrationTests/Plugins/OpenApiManifest/example-apimanifest.json

@@ -27,7 +27,7 @@
       ]
     },
     "MicrosoftGraph": {
-      "apiDescriptionUrl": "https://raw.githubusercontent.com/microsoftgraph/msgraph-sdk-powershell/dev/openApiDocs/v1.0/DirectoryObjects.yml",
+      "apiDescriptionUrl": "https://raw.githubusercontent.com/microsoftgraph/msgraph-sdk-powershell/main/openApiDocs/v1.0/DirectoryObjects.yml",
       "auth": {
         "clientIdentifier": "some-uuid-here",
         "access": [

python/pyproject.toml

@@ -57,6 +57,7 @@ dependencies = [
     "protobuf",
     # explicit typing extensions
     "typing-extensions>=4.13",
+    "mcp>=1.26.0",
 ]
 
 ### Optional dependencies

python/semantic_kernel/__init__.py

@@ -2,7 +2,7 @@
 
 from semantic_kernel.kernel import Kernel
 
-__version__ = "1.39.3"
+__version__ = "1.39.4"
 
 DEFAULT_RC_VERSION = f"{__version__}-rc9"
 

python/semantic_kernel/connectors/in_memory.py

@@ -166,6 +166,63 @@ class InMemoryCollection(
         "items",
     }
 
+    # Blocklist of dangerous attribute names that cannot be accessed in filter expressions.
+    # These attributes can be used to escape the sandbox and execute arbitrary code.
+    blocked_filter_attributes: ClassVar[set[str]] = {
+        # Object introspection - can lead to class/module access
+        "__class__",
+        "__bases__",
+        "__mro__",
+        "__subclasses__",
+        # Code and function internals
+        "__code__",
+        "__globals__",
+        "__closure__",
+        "__func__",
+        "__self__",
+        "__dict__",
+        "__slots__",
+        # Attribute access hooks
+        "__getattr__",
+        "__getattribute__",
+        "__setattr__",
+        "__delattr__",
+        # Import and builtins
+        "__builtins__",
+        "__import__",
+        "__loader__",
+        "__spec__",
+        # Module attributes
+        "__name__",
+        "__qualname__",
+        "__module__",
+        "__file__",
+        "__path__",
+        "__package__",
+        # Descriptor protocol
+        "__get__",
+        "__set__",
+        "__delete__",
+        # Metaclass and creation
+        "__new__",
+        "__init__",
+        "__init_subclass__",
+        "__prepare__",
+        "__call__",
+        # Other dangerous attributes
+        "__reduce__",
+        "__reduce_ex__",
+        "__getstate__",
+        "__setstate__",
+        "func_globals",  # Python 2 compatibility name
+        "gi_frame",  # Generator frame access
+        "gi_code",
+        "f_globals",  # Frame globals
+        "f_locals",
+        "f_builtins",
+        "co_consts",  # Code object constants
+    }
+
     def __init__(
         self,
         record_type: type[TModel],
@@ -358,6 +415,13 @@ def _parse_and_validate_filter(self, filter_str: str) -> Callable:
                     f"AST node type '{node_type.__name__}' is not allowed in filter expressions."
                 )
 
+            # For Attribute nodes, validate that dangerous dunder attributes are not accessed
+            if isinstance(node, ast.Attribute) and node.attr in self.blocked_filter_attributes:
+                raise VectorStoreOperationException(
+                    f"Access to attribute '{node.attr}' is not allowed in filter expressions. "
+                    "This attribute could be used to escape the filter sandbox."
+                )
+
             # For Name nodes, only allow the lambda parameter
             if isinstance(node, ast.Name) and node.id not in lambda_param_names:
                 raise VectorStoreOperationException(

python/semantic_kernel/connectors/mcp.py

@@ -10,6 +10,7 @@
 from contextlib import AbstractAsyncContextManager, AsyncExitStack, _AsyncGeneratorContextManager
 from datetime import timedelta
 from functools import partial
+from itertools import chain
 from typing import TYPE_CHECKING, Any
 
 from mcp import types
@@ -42,6 +43,9 @@
 from semantic_kernel.prompt_template.prompt_template_base import PromptTemplateBase
 from semantic_kernel.utils.feature_stage_decorator import experimental
 
+from ..contents.function_call_content import FunctionCallContent
+from ..contents.function_result_content import FunctionResultContent
+
 if sys.version_info >= (3, 11):
     from typing import Self  # pragma: no cover
 else:
@@ -72,50 +76,78 @@ def _mcp_prompt_message_to_kernel_content(
     mcp_type: types.PromptMessage | types.SamplingMessage,
 ) -> ChatMessageContent:
     """Convert a MCP container type to a Semantic Kernel type."""
+    items = list(
+        chain(
+            *[_mcp_content_types_to_kernel_content(mcp_type.content)],
+        )
+    )
     return ChatMessageContent(
         role=AuthorRole(mcp_type.role),
-        items=[_mcp_content_types_to_kernel_content(mcp_type.content)],
+        items=items,  # type: ignore
         inner_content=mcp_type,
     )
 
 
 @experimental
 def _mcp_call_tool_result_to_kernel_contents(
     mcp_type: types.CallToolResult,
-) -> list[TextContent | ImageContent | BinaryContent | AudioContent]:
+) -> list[TextContent | ImageContent | BinaryContent | AudioContent | FunctionResultContent | FunctionCallContent]:
     """Convert a MCP container type to a Semantic Kernel type."""
-    return [_mcp_content_types_to_kernel_content(item) for item in mcp_type.content]
+    return list(chain(*[_mcp_content_types_to_kernel_content(item) for item in mcp_type.content]))
 
 
 @experimental
 def _mcp_content_types_to_kernel_content(
-    mcp_type: types.ImageContent | types.TextContent | types.AudioContent | types.EmbeddedResource | types.ResourceLink,
-) -> TextContent | ImageContent | BinaryContent | AudioContent:
+    mcp_type: types.SamplingMessageContentBlock
+    | types.ContentBlock
+    | Sequence[types.SamplingMessageContentBlock | types.ContentBlock],
+) -> list[TextContent | ImageContent | BinaryContent | AudioContent | FunctionCallContent | FunctionResultContent]:
     """Convert a MCP type to a Semantic Kernel type."""
+    if isinstance(mcp_type, Sequence):
+        return list(chain(*[_mcp_content_types_to_kernel_content(item) for item in mcp_type]))
     if isinstance(mcp_type, types.TextContent):
-        return TextContent(text=mcp_type.text, inner_content=mcp_type)
+        return [TextContent(text=mcp_type.text, inner_content=mcp_type)]
     if isinstance(mcp_type, types.ImageContent):
-        return ImageContent(data=mcp_type.data, mime_type=mcp_type.mimeType, inner_content=mcp_type)
+        return [ImageContent(data=mcp_type.data, mime_type=mcp_type.mimeType, inner_content=mcp_type)]
     if isinstance(mcp_type, types.AudioContent):
-        return AudioContent(data=mcp_type.data, mime_type=mcp_type.mimeType, inner_content=mcp_type)
+        return [AudioContent(data=mcp_type.data, mime_type=mcp_type.mimeType, inner_content=mcp_type)]
     if isinstance(mcp_type, types.ResourceLink):
-        return BinaryContent(
-            uri=mcp_type.uri,  # type: ignore
-            mime_type=mcp_type.mimeType,
-            inner_content=mcp_type,
-        )
+        return [
+            BinaryContent(
+                uri=mcp_type.uri,  # type: ignore
+                mime_type=mcp_type.mimeType,
+                inner_content=mcp_type,
+            )
+        ]
+    if isinstance(mcp_type, types.ToolUseContent):
+        return [
+            FunctionCallContent(inner_content=mcp_type, name=mcp_type.name, arguments=mcp_type.input, id=mcp_type.id)
+        ]
+    if isinstance(mcp_type, types.ToolResultContent):
+        return [
+            FunctionResultContent(
+                inner_content=mcp_type,
+                name=mcp_type.type,
+                result=list(chain(*[_mcp_content_types_to_kernel_content(mcp_type.content)])),
+                call_id=mcp_type.toolUseId,
+            )
+        ]
     # subtypes of EmbeddedResource
     if isinstance(mcp_type.resource, types.TextResourceContents):
-        return TextContent(
-            text=mcp_type.resource.text,
+        return [
+            TextContent(
+                text=mcp_type.resource.text,
+                inner_content=mcp_type,
+                metadata=mcp_type.annotations.model_dump() if mcp_type.annotations else {},
+            )
+        ]
+    return [
+        BinaryContent(
+            data=mcp_type.resource.blob,
             inner_content=mcp_type,
             metadata=mcp_type.annotations.model_dump() if mcp_type.annotations else {},
         )
-    return BinaryContent(
-        data=mcp_type.resource.blob,
-        inner_content=mcp_type,
-        metadata=mcp_type.annotations.model_dump() if mcp_type.annotations else {},
-    )
+    ]
 
 
 @experimental
@@ -464,7 +496,9 @@ def get_mcp_client(self) -> _AsyncGeneratorContextManager[Any, None]:
         """Get an MCP client."""
         pass
 
-    async def call_tool(self, tool_name: str, **kwargs: Any) -> list[TextContent | ImageContent | BinaryContent]:
+    async def call_tool(
+        self, tool_name: str, **kwargs: Any
+    ) -> list[TextContent | ImageContent | BinaryContent | AudioContent | FunctionResultContent | FunctionCallContent]:
         """Call a tool with the given arguments."""
         if not self.session:
             raise KernelPluginInvalidConfigurationError(