Validate region string format before use in URL construction #1028

@bgavrilMS

Description

The discoverRegion method in AadInstanceDiscoveryProvider.java returns the region string from either the REGION_NAME environment variable or the IMDS endpoint response without validating its format. This region is then used in getRegionalizedHost to construct authority URLs via string replacement (e.g., {region}.login.microsoft.com).

If the region string contains unexpected characters (dots, slashes, etc.), the resulting URL could be malformed and lead to failed or misdirected requests.

Azure region names follow a consistent pattern of lowercase alphanumeric characters and hyphens (e.g., eastus, westus2, east-us-2).

Proposed fix: Validate the region string against a pattern like ^[a-z][a-z0-9-]*$ at discovery time (in discoverRegion) and treat invalid values as if no region was detected.

Reference: MSAL .NET already validates regions via RegionManager.ValidateRegion(). MSAL Go added validation in AzureAD/microsoft-authentication-library-for-go#625.
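An added example in Java, not MSAL Java's own code, showing the validation the issue proposes: the region is checked against `^[a-z][a-z0-9-]*$` at discovery time and an invalid value is treated as "no region detected", so it never reaches the host template. The methods `validateRegion`, `discoverRegion` and `getRegionalizedHost` below are illustrative stand-ins for the ones in AadInstanceDiscoveryProvider.java (the real `discoverRegion` reads REGION_NAME and IMDS itself; here both values are passed in so the logic can be exercised offline), and the host template string is an assumption taken from the issue text.

```java
import java.util.regex.Pattern;

/**
 * Added example (not MSAL Java's own code): validate a discovered Azure
 * region before it is spliced into an authority host name.
 */
public final class RegionValidationExample {

    // Pattern from the issue: a lowercase letter followed by lowercase
    // alphanumerics and hyphens. Dots, slashes, whitespace and upper case fail.
    private static final Pattern REGION_PATTERN = Pattern.compile("^[a-z][a-z0-9-]*$");

    // Assumed host template; the real one lives in AadInstanceDiscoveryProvider.
    private static final String REGIONAL_HOST_TEMPLATE = "{region}.login.microsoft.com";

    /**
     * Returns the candidate unchanged if it matches the expected pattern,
     * otherwise null, which callers treat as "no region detected".
     */
    static String validateRegion(String candidate) {
        if (candidate == null || candidate.isEmpty()) {
            return null;
        }
        return REGION_PATTERN.matcher(candidate).matches() ? candidate : null;
    }

    /**
     * Stand-in for discoverRegion: prefer the environment variable, then the
     * IMDS response, validating each source at discovery time. An invalid
     * environment value does not block a valid IMDS value, and vice versa.
     */
    static String discoverRegion(String envRegion, String imdsRegion) {
        String fromEnv = validateRegion(envRegion);
        if (fromEnv != null) {
            return fromEnv;
        }
        return validateRegion(imdsRegion);
    }

    /**
     * Stand-in for getRegionalizedHost: re-checks the region so the template
     * replacement can only ever produce a well-formed host label.
     */
    static String getRegionalizedHost(String region) {
        String valid = validateRegion(region);
        if (valid == null) {
            return null; // caller falls back to the non-regional authority
        }
        return REGIONAL_HOST_TEMPLATE.replace("{region}", valid);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: the three valid shapes from the issue,
        // then values that must be rejected.
        String[] samples = {
            "eastus", "westus2", "east-us-2",
            "EastUS", "eastus.example", "east/us", "-eastus", "2eastus", " eastus", ""
        };
        for (String s : samples) {
            System.out.printf("%-20s -> %s%n", "\"" + s + "\"", getRegionalizedHost(s));
        }
        // Environment value is malformed, IMDS value is fine: IMDS wins.
        System.out.println("discoverRegion(\"east us\", \"westus2\") -> "
                + discoverRegion("east us", "westus2"));
    }
}
```

The check is deliberately strict: surrounding whitespace is rejected rather than trimmed, because a value that does not match exactly is the signal the issue wants to surface, and the cost of a false rejection is only that the client uses the non-regional endpoint.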

Metadata

Labels

Enhancement: A request or suggestion to improve some aspect of the library
P2: Normal priority items, should be done after P1
confidential-client: For issues related to confidential client apps
public-client: For questions/issues related to public client apps