The _detect_region function in msal/region.py returns the region string from either the REGION_NAME environment variable or the IMDS endpoint response without validating its format. This region is then used to construct authority URLs (e.g., https://{region}.login.microsoft.com/...).
If the region string contains characters that cannot appear in a single hostname label (dots, slashes, whitespace, etc.), the resulting URL could be malformed, or its host component could end up being something other than the intended login.microsoft.com subdomain, leading to failed or misdirected requests.
Azure region names follow a consistent pattern of lowercase alphanumeric characters and hyphens (e.g., eastus, westus2, east-us-2).
Proposed fix: Validate the region string against a pattern like ^[a-z][a-z0-9-]*$ at discovery time (in _detect_region) and treat invalid values as if no region was detected.
Reference: MSAL .NET already validates regions via RegionManager.ValidateRegion(). MSAL Go added validation in AzureAD/microsoft-authentication-library-for-go#625.
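The following is an added illustration of the proposed check, not code from msal/region.py; `detect_region`, `is_valid_region`, `fetch_imds` and `authority_url` are hypothetical stand-ins for the real helpers, and the inputs are constructed. It applies the `^[a-z][a-z0-9-]*$` pattern at discovery time, maps invalid values to `None`, and shows why `re.fullmatch` is preferable to `re.match` with `$` in Python.

```python
import re
from urllib.parse import urlsplit

# Added example, not msal's own code. The names below are hypothetical.
# Azure region names: lowercase alphanumerics and hyphens, starting with a letter.
REGION_RE = re.compile(r"[a-z][a-z0-9-]*")


def naive_is_valid(region: str) -> bool:
    """The obvious check. In Python, '$' also matches just before a trailing
    newline, so 'eastus\\n' is accepted by this version."""
    return re.match(r"^[a-z][a-z0-9-]*$", region) is not None


def is_valid_region(region) -> bool:
    """Strict check: fullmatch anchors both ends and rejects a trailing newline."""
    return isinstance(region, str) and REGION_RE.fullmatch(region) is not None


def detect_region(env, fetch_imds):
    """Return the discovered region, or None if nothing usable was found.

    env mimics os.environ; fetch_imds() returns the raw IMDS location string
    or None and may raise on network failure. An invalid value from either
    source is treated exactly like "no region detected".
    """
    candidate = env.get("REGION_NAME")
    if candidate is None:
        try:
            candidate = fetch_imds()
        except Exception:  # IMDS unreachable, timeout, etc.
            candidate = None
    return candidate if is_valid_region(candidate) else None


def authority_url(region: str) -> str:
    """Build the regional authority URL, refusing anything that did not validate."""
    if not is_valid_region(region):
        raise ValueError(f"refusing to build authority for region {region!r}")
    return f"https://{region}.login.microsoft.com/"


def unchecked_authority_host(region: str) -> str:
    """Which host an unvalidated region string would actually direct the request to."""
    return urlsplit(f"https://{region}.login.microsoft.com/").hostname


if __name__ == "__main__":
    # Constructed inputs: a normal environment, an IMDS-only host, and a bad value.
    print(detect_region({"REGION_NAME": "eastus"}, lambda: None))
    print(detect_region({}, lambda: "westus2"))
    print(detect_region({"REGION_NAME": "East US"}, lambda: None))
    print(unchecked_authority_host("attacker.example/x?"))
```

The `unchecked_authority_host` helper only shows what the f-string would produce: a region containing a dot and a slash moves the authority's host component away from login.microsoft.com, which is the misdirection the report describes. Validation at discovery time keeps that string from ever reaching URL construction.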