Skip to content

fix: validate URL host against allowed hosts whitelist#573

Merged
MIchaelMainer merged 2 commits into
mainfrom
ramsessanchez/fix-allowed-hosts-validation
Jun 16, 2026
Merged

fix: validate URL host against allowed hosts whitelist#573
MIchaelMainer merged 2 commits into
mainfrom
ramsessanchez/fix-allowed-hosts-validation

Conversation

@ramsessanchez

Copy link
Copy Markdown
Contributor

Summary

Fixes a bug in \AllowedHostsValidator.is_url_host_valid()\ where the method was not actually validating the URL's host against the configured allowed hosts.

Problem

The method only checked that the URL had a valid scheme and netloc:

\\python
o = urlparse(url)
return all([o.scheme, o.netloc])
\\

This meant any well-formed URL would pass validation, completely bypassing the host whitelist. Authentication tokens could be sent to arbitrary hosts.

Fix

The method now extracts the hostname and checks it against the \�llowed_hosts\ set:

\\python
o = urlparse(url)
if not all([o.scheme, o.netloc]):
return False
return o.hostname.lower() in self.allowed_hosts
\\

Tests Added

Added comprehensive unit tests covering:

  • Allowed vs disallowed hosts
  • Case-insensitive matching
  • Empty allowed hosts list (all hosts valid)
  • URLs with ports, query params, fragments
  • Subdomain validation (strict match)
  • Invalid/missing scheme or netloc
  • \set_allowed_hosts\ behavior

@ramsessanchez
ramsessanchez requested a review from a team as a code owner June 16, 2026 22:47
The is_url_host_valid method in AllowedHostsValidator was only checking
that a URL had a valid scheme and netloc, but never actually compared
the host against the configured allowed_hosts set. This meant any URL
with a valid structure would pass validation regardless of host.

Now the method correctly extracts the hostname from the URL and checks
it against the allowed_hosts set (case-insensitive).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@ramsessanchez
ramsessanchez force-pushed the ramsessanchez/fix-allowed-hosts-validation branch from a728770 to 5d66671 Compare June 16, 2026 22:51
@ramsessanchez

Copy link
Copy Markdown
Contributor Author

Ignore quality gate warning here: error is complaining about http vs https in a validation test, however, http is used as it is supposed to raise an error for a malformed host. This case should fail host validation.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes a security-related bug in AllowedHostsValidator.is_url_host_valid() so that a URL’s parsed hostname is actually validated against the configured allowed-hosts whitelist (instead of merely checking scheme/netloc). This prevents authentication flows from inadvertently sending credentials/tokens to arbitrary hosts.

Changes:

  • Update is_url_host_valid() to reject URLs whose parsed hostname is not in self.allowed_hosts (while still rejecting missing scheme/netloc/hostname).
  • Add a comprehensive pytest suite covering allowed/disallowed hosts, case-insensitive matching, empty allowlist behavior, ports/query/fragment handling, subdomain strictness, and setter behavior.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
packages/abstractions/kiota_abstractions/authentication/allowed_hosts_validator.py Enforces hostname membership in the allowlist after parsing/validity checks.
packages/abstractions/tests/authentication/test_allowed_hosts_validator.py Adds unit tests to validate the corrected allowlist behavior and edge cases.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@github-project-automation github-project-automation Bot moved this to In Progress 🚧 in Kiota Jun 16, 2026
@sonarqubecloud

Copy link
Copy Markdown

Quality Gate Failed Quality Gate failed

Failed conditions
2 Security Hotspots

See analysis details on SonarQube Cloud

@MIchaelMainer
MIchaelMainer merged commit 8755f70 into main Jun 16, 2026
51 of 52 checks passed
@MIchaelMainer
MIchaelMainer deleted the ramsessanchez/fix-allowed-hosts-validation branch June 16, 2026 23:17
@github-project-automation github-project-automation Bot moved this from In Progress 🚧 to Done ✔️ in Kiota Jun 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Archived in project

Development

Successfully merging this pull request may close these issues.

3 participants