fix: validate URL host against allowed hosts whitelist#573
Conversation
The is_url_host_valid method in AllowedHostsValidator was only checking that a URL had a valid scheme and netloc, but never actually compared the host against the configured allowed_hosts set. This meant any URL with a valid structure would pass validation regardless of host. Now the method correctly extracts the hostname from the URL and checks it against the allowed_hosts set (case-insensitive). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
a728770 to
5d66671
Compare
|
Ignore quality gate warning here: error is complaining about http vs https in a validation test, however, http is used as it is supposed to raise an error for a malformed host. This case should fail host validation. |
There was a problem hiding this comment.
Pull request overview
This PR fixes a security-related bug in AllowedHostsValidator.is_url_host_valid() so that a URL’s parsed hostname is actually validated against the configured allowed-hosts whitelist (instead of merely checking scheme/netloc). This prevents authentication flows from inadvertently sending credentials/tokens to arbitrary hosts.
Changes:
- Update
is_url_host_valid()to reject URLs whose parsedhostnameis not inself.allowed_hosts(while still rejecting missing scheme/netloc/hostname). - Add a comprehensive pytest suite covering allowed/disallowed hosts, case-insensitive matching, empty allowlist behavior, ports/query/fragment handling, subdomain strictness, and setter behavior.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| packages/abstractions/kiota_abstractions/authentication/allowed_hosts_validator.py | Enforces hostname membership in the allowlist after parsing/validity checks. |
| packages/abstractions/tests/authentication/test_allowed_hosts_validator.py | Adds unit tests to validate the corrected allowlist behavior and edge cases. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|


Summary
Fixes a bug in \AllowedHostsValidator.is_url_host_valid()\ where the method was not actually validating the URL's host against the configured allowed hosts.
Problem
The method only checked that the URL had a valid scheme and netloc:
\\python
o = urlparse(url)
return all([o.scheme, o.netloc])
\\
This meant any well-formed URL would pass validation, completely bypassing the host whitelist. Authentication tokens could be sent to arbitrary hosts.
Fix
The method now extracts the hostname and checks it against the \�llowed_hosts\ set:
\\python
o = urlparse(url)
if not all([o.scheme, o.netloc]):
return False
return o.hostname.lower() in self.allowed_hosts
\\
Tests Added
Added comprehensive unit tests covering: