Validate region string format before use in URL construction #8605

@bgavrilMS

Description

The detectRegion method in lib/msal-common/src/authority/RegionDiscovery.ts returns the region string from either the environment variable or the IMDS endpoint response without validating its format. This region is then used to construct authority URLs (e.g., https://{region}.login.microsoft.com/...).

If the region string contains unexpected characters (dots, slashes, etc.), the resulting URL could be malformed and lead to failed or misdirected requests.

Azure region names follow a consistent pattern of lowercase alphanumeric characters and hyphens (e.g., eastus, westus2, east-us-2).

Proposed fix: Validate the region string against a pattern like ^[a-z][a-z0-9-]*$ at discovery time (in detectRegion) and treat invalid values as if no region was detected.

Reference: MSAL .NET already validates regions via RegionManager.ValidateRegion(). MSAL Go added validation in AzureAD/microsoft-authentication-library-for-go#625.
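The validation the issue proposes, written out as an added TypeScript example (this is not msal-common's own code; the function names, the environment-variable-over-IMDS precedence and the authority URL shape are assumptions based on the issue text):

```typescript
// Pattern quoted from the issue: lowercase alphanumerics and hyphens, starting with a letter.
const REGION_PATTERN = /^[a-z][a-z0-9-]*$/;

// True only for values that are plain strings matching the Azure region pattern.
function isValidRegion(region: string | undefined | null): region is string {
  return typeof region === "string" && REGION_PATTERN.test(region);
}

// Hypothetical stand-in for detectRegion(): the environment variable wins over
// the IMDS response (assumed precedence), and any candidate that fails the
// pattern is treated as "no region detected" (null) rather than passed through.
function detectRegionFromSources(
  envRegion: string | undefined | null,
  imdsRegion: string | undefined | null
): string | null {
  const candidate = envRegion ?? imdsRegion;
  return isValidRegion(candidate) ? candidate : null;
}

// Builds the regional authority host only from an already-validated region;
// a null region falls back to the global host (URL shape is an assumption).
function buildRegionalAuthority(
  region: string | null,
  host = "login.microsoft.com",
  tenant = "common"
): string {
  const authorityHost = region ? `${region}.${host}` : host;
  return `https://${authorityHost}/${tenant}/oauth2/v2.0/token`;
}

// Constructed inputs: a well-formed region and a value containing a dot and a
// slash, which would otherwise change which host the URL points at.
const good = detectRegionFromSources(undefined, "eastus");
const bad = detectRegionFromSources("attacker.example/", "eastus");
console.log(buildRegionalAuthority(good)); // regional host
console.log(buildRegionalAuthority(bad));  // falls back to the global host
```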

Labels: more-information-needed