Python: Enforce excluded_functions on MCP tool invocation path #14124

Merged: SergeyMenshykh merged 3 commits into microsoft:main from SergeyMenshykh:sergeymenshykh-fix-mcp-excluded-functions-bypass on Jun 30, 2026

@SergeyMenshykh

Contributor

Motivation and Context

The MCP server created by create_mcp_server_from_kernel (and the Kernel.as_mcp_server wrapper) accepts an excluded_functions argument to keep selected kernel functions off the server. Previously this list was applied only when building the tool set advertised by the list_tools handler; the call_tool handler did not consult it and forwarded the client-supplied name straight to the kernel. As a result the set of advertised tools and the set of callable tools could diverge.

Description

  • Derive a single exposed_names set from functions_to_expose and check it in the call_tool handler, returning a METHOD_NOT_FOUND error for any name that is not exposed.
  • Remove a leftover print debug statement in _call_kernel_function.
  • Add a unit test covering the call_tool behavior for a non-exposed function.

Contribution Checklist

  • The code builds clean without any errors or warnings
  • The PR follows the SK Contribution Guidelines
  • All unit tests pass, and I have added new tests where possible
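
The divergence described above, modelled as an added example (not code from this PR or from Semantic Kernel): a toy server whose `enforce_on_call` switch reproduces the handler before and after the fix, plus a check that reports names `call_tool` accepts but `list_tools` never advertised. `ToyServer`, `ToolError`, `callable_but_unlisted`, `build` and the sample functions are hypothetical names constructed for the illustration.

```python
# Added illustration with hypothetical names; uses neither Semantic Kernel nor the MCP SDK.
METHOD_NOT_FOUND = -32601  # JSON-RPC 2.0 "Method not found"


class ToolError(Exception):
    def __init__(self, code, message):
        super().__init__(message)
        self.code = code


class ToyServer:
    def __init__(self, functions, excluded_functions=(), enforce_on_call=True):
        self._functions = dict(functions)
        # One set, derived once, consulted by both handlers.
        self.exposed_names = set(self._functions) - set(excluded_functions)
        self._enforce_on_call = enforce_on_call

    def list_tools(self):
        return sorted(self.exposed_names)

    def call_tool(self, name, arguments):
        # enforce_on_call=False models the pre-fix handler: any name present
        # in the function table is invoked, advertised or not.
        allowed = self.exposed_names if self._enforce_on_call else self._functions
        if name not in allowed:
            raise ToolError(METHOD_NOT_FOUND, f"Unknown tool: {name}")
        return self._functions[name](**arguments)


def callable_but_unlisted(server, candidate_names):
    """Return names that call_tool accepts but list_tools never advertised."""
    advertised = set(server.list_tools())
    leaked = []
    for name in sorted(set(candidate_names) - advertised):
        try:
            server.call_tool(name, {})
        except ToolError:
            continue
        leaked.append(name)
    return leaked


def build(enforce_on_call):
    """Constructed sample: one exposed function, one excluded with a side effect."""
    side_effects = []
    functions = {"get_time": lambda: "12:00",
                 "delete_records": lambda: side_effects.append("ran") or "done"}
    server = ToyServer(functions, ["delete_records"], enforce_on_call)
    return server, side_effects, list(functions)
```

Run against a real adapter, the same comparison belongs in a unit test that iterates over every registered function name, so a later refactor cannot reintroduce a listing-only filter.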

Ensure functions excluded via excluded_functions are consistently
handled on both the list_tools and call_tool paths of the MCP server,
returning a method-not-found error for tools that are not exposed.
Also removes a leftover debug print statement.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Copilot AI review requested due to automatic review settings June 30, 2026 11:09
@SergeyMenshykh SergeyMenshykh requested a review from a team as a code owner June 30, 2026 11:09
@moonbox3 moonbox3 added the python Pull requests for the Python Semantic Kernel label Jun 30, 2026
@SergeyMenshykh SergeyMenshykh self-assigned this Jun 30, 2026
@SergeyMenshykh SergeyMenshykh moved this to In Review in Agent Framework Jun 30, 2026
@github-actions

github-actions Bot commented Jun 30, 2026

Contributor

Python Test Coverage

Python Test Coverage Report

File | Stmts | Miss | Cover | Missing
connectors/mcp.py | 464 | 205 | 55% | 81, 86, 98, 108–117, 124–125, 128–129, 138–139, 146, 160–167, 175–179, 181–182, 184, 193, 296–302, 337–339, 344–346, 360–361, 364–365, 373–375, 407–408, 410, 412, 414–420, 424–426, 428–438, 442–443, 447–448, 452, 454, 458–459, 463, 471, 486, 501–509, 528–529, 544–545, 564–565, 568–569, 572–577, 581–582, 585–586, 589–595, 675, 677, 750, 752, 754, 756, 831, 833, 835, 837, 839, 903, 946–951, 953–956, 961, 1014, 1016, 1019, 1033, 1053–1055, 1070–1074, 1077–1080, 1083–1085, 1089–1093, 1096–1097, 1106–1107, 1109–1111, 1125–1126, 1128–1129, 1131–1133, 1136, 1143–1146, 1154, 1159–1164, 1169, 1171, 1174–1176
TOTAL | 28901 | 5653 | 80% |

Python Unit Test Overview

Tests | Skipped | Failures | Errors | Time
4052 | 23 💤 | 0 ❌ | 0 🔥 | 1m 58s ⏱️

Copilot AI left a comment

Contributor

Pull request overview

This PR fixes a security/consistency gap in the Python MCP server adapter by ensuring excluded_functions is enforced not only in tool listing (list_tools) but also at invocation time (call_tool), preventing hidden kernel functions from being callable via direct client requests.

Changes:

  • Compute a single exposed_names set from the filtered function metadata and enforce it inside the MCP call_tool handler (returning METHOD_NOT_FOUND for non-exposed names).
  • Remove a leftover debug print from _call_kernel_function.
  • Add a unit test verifying that an excluded tool cannot be invoked and its side effects do not execute.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File | Description
python/semantic_kernel/connectors/mcp.py | Enforces excluded_functions during tool invocation and removes debug output.
python/tests/unit/connectors/mcp/test_mcp.py | Adds a unit test ensuring excluded tools are rejected at call time.

Comment thread python/semantic_kernel/connectors/mcp.py
SergeyMenshykh and others added 2 commits June 30, 2026 12:17
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@SergeyMenshykh SergeyMenshykh enabled auto-merge June 30, 2026 11:40
@SergeyMenshykh SergeyMenshykh added this pull request to the merge queue Jun 30, 2026
Merged via the queue into microsoft:main with commit efa3268 Jun 30, 2026
32 checks passed
@SergeyMenshykh SergeyMenshykh deleted the sergeymenshykh-fix-mcp-excluded-functions-bypass branch June 30, 2026 14:58
@github-project-automation github-project-automation Bot moved this from In Review to Done in Agent Framework Jun 30, 2026
Labels

python Pull requests for the Python Semantic Kernel

Projects

Status: Done

5 participants