The discoverRegion method in AadInstanceDiscoveryProvider.java returns the region string from either the REGION_NAME environment variable or the IMDS endpoint response without validating its format. This region is then used in getRegionalizedHost to construct authority URLs via string replacement (e.g., {region}.login.microsoft.com).
If the region string contains unexpected characters (dots, slashes, etc.), the resulting URL could be malformed and lead to failed or misdirected requests.
Azure region names follow a consistent pattern of lowercase alphanumeric characters and hyphens (e.g., eastus, westus2, east-us-2).
Proposed fix: Validate the region string against a pattern like ^[a-z][a-z0-9-]*$ at discovery time (in discoverRegion) and treat invalid values as if no region was detected.
Reference: MSAL .NET already validates regions via RegionManager.ValidateRegion(). MSAL Go added validation in AzureAD/microsoft-authentication-library-for-go#625.
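Added illustration of the proposed fix (example code written for this page, not MSAL Java's own implementation): a region validator using the pattern proposed above, an uncheked string-replacement host builder of the kind described, and a checked one that falls back to the global endpoint when the candidate fails validation. The class and method names (`RegionValidation`, `validateRegion`, `regionalizedHostUnchecked`, `regionalizedHostChecked`) and the sample region strings are assumptions for the demonstration; parsing the result with `java.net.URI` shows which host a request would actually be sent to.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.regex.Pattern;

public class RegionValidation {
    // Hypothetical constants for this example; the host name is the one the issue quotes.
    private static final String GLOBAL_HOST = "login.microsoft.com";
    private static final String HOST_TEMPLATE = "{region}." + GLOBAL_HOST;

    // Pattern proposed in the issue: lowercase letter first, then lowercase alphanumerics and hyphens.
    private static final Pattern REGION_PATTERN = Pattern.compile("^[a-z][a-z0-9-]*$");

    /**
     * Returns the region if it is well formed, otherwise null, which callers treat
     * exactly like "no region detected" (i.e. use the global endpoint).
     */
    static String validateRegion(String candidate) {
        if (candidate == null) {
            return null;
        }
        String trimmed = candidate.trim();
        if (trimmed.isEmpty()) {
            return null;
        }
        return REGION_PATTERN.matcher(trimmed).matches() ? trimmed : null;
    }

    /** Simplified stand-in for unchecked string replacement into the host template. */
    static String regionalizedHostUnchecked(String region) {
        return HOST_TEMPLATE.replace("{region}", region);
    }

    /** Same substitution, but only after validation; invalid input falls back to the global host. */
    static String regionalizedHostChecked(String region) {
        String valid = validateRegion(region);
        return valid == null ? GLOBAL_HOST : HOST_TEMPLATE.replace("{region}", valid);
    }

    /** Which host a token request built from this host string would really go to. */
    static String effectiveHost(String host) {
        try {
            return new URI("https://" + host + "/common/oauth2/v2.0/token").getHost();
        } catch (URISyntaxException e) {
            return "<unparseable: " + e.getReason() + ">";
        }
    }

    public static void main(String[] args) {
        // Constructed sample values: two well-formed regions, then values with dots and slashes.
        String[] samples = {
            "eastus",
            "westus2",
            "east-us-2",
            "eastus.attacker.example",          // dot: host becomes a different domain
            "attacker.example/",                // slash: the rest of the template becomes a path
            "EastUS",                           // wrong case: rejected by the pattern
            ""                                  // empty: treated as no region
        };
        for (String region : samples) {
            String unchecked = regionalizedHostUnchecked(region);
            String checked = regionalizedHostChecked(region);
            System.out.printf("region=%-26s unchecked -> %-45s (sends to %s)%n",
                    "\"" + region + "\"", unchecked, effectiveHost(unchecked));
            System.out.printf("%-33s checked   -> %-45s (sends to %s)%n",
                    "", checked, effectiveHost(checked));
        }
    }
}
```

Running the example shows the practical difference: with "attacker.example/" the unchecked host string is "attacker.example/.login.microsoft.com", which `URI.getHost()` resolves to "attacker.example", while the checked variant returns the global host "login.microsoft.com". Applying the same check to the REGION_NAME environment variable and to the IMDS response at discovery time means the rest of the code never sees an unvalidated region.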