MSSQL (major): add query validation

[Copilot]

The last part of https://github.com/Appmixer-ai/appmixer-components/issues/2509

Mirrors MySQL connector security changes from PR #928 by restricting MSSQL queries to read-only operations (SELECT/WITH) to prevent SQL injection.

Changes

• Query validation: Added validateQuery() function that rejects non-SELECT/WITH queries using regex pattern /^\s*(select|with)\s/i
• Integration: Validation occurs in runQuery() before query execution
• Version bump: 1.0.3 → 2.0.0 (breaking change)
• Test coverage: 12 unit tests covering valid queries (SELECT, WITH, case variations) and rejection of dangerous operations (INSERT, UPDATE, DELETE, DROP, ALTER, TRUNCATE, CREATE)

Implementation

function validateQuery(query) {
    if (!/^\s*(select|with)\s/i.test(query)) {
        throw new Error('Only SELECT or WITH queries are allowed');
    }
}

async function runQuery({ context, query, stream = false }) {
    validateQuery(query);  // Blocks dangerous queries
    const conn = await createConnection(context);
    // ... rest of query execution
}

Note: Multiple statement injection attempts (e.g., SELECT *; DROP TABLE) are already blocked by MSSQL driver defaults (multipleStatements: false).

Breaking Change

Queries containing INSERT, UPDATE, DELETE, DROP, ALTER, TRUNCATE, or CREATE statements will now throw errors. Applications requiring write operations must use dedicated components (CreateItem, UpdateItem, DeleteItem) rather than raw SQL.

Original prompt

Look at changes in #928 and apply them to MSSQL connector

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[jirihofman]

🆗

Before

After

[jirihofman]

Also updated icons to 2025 ones. This reduced connector size from 600kB to 40kB

Seen here

• https://commons.wikimedia.org/wiki/File:Microsoft_SQL_Server_2025_icon.svg