Pin Microsoft Graph provider URLs

Author: RhysSullivan

packages/plugins/microsoft/src/sdk/graph.ts

@@ -61,6 +61,10 @@ export interface MicrosoftGraphSpecBuild {
   readonly authenticationTemplate: readonly Authentication[];
 }
 
+export interface MicrosoftGraphUrlPolicy {
+  readonly allowUnsafeUrlOverrides?: boolean;
+}
+
 export type MicrosoftGraphIntegrationConfig = OpenApiIntegrationConfig & {
   readonly microsoftGraphPresetIds?: readonly string[];
   readonly microsoftGraphCustomScopes?: readonly string[];
@@ -180,6 +184,154 @@ const BASE_OAUTH_SCOPES = new Set(["offline_access", "openid", "profile", "email
 const firstString = (values: readonly unknown[]): string | undefined =>
   values.find((value): value is string => typeof value === "string" && value.trim().length > 0);
 
+const parseTrustedHttpsUrl = (value: string): URL | null => {
+  if (!URL.canParse(value)) return null;
+  const parsed = new URL(value);
+  if (parsed.protocol !== "https:" || parsed.username || parsed.password || parsed.hash) {
+    return null;
+  }
+  return parsed;
+};
+
+const allowUnsafeUrl = (
+  value: string | undefined,
+  policy: MicrosoftGraphUrlPolicy | undefined,
+): string | undefined | null => {
+  if (!value) return undefined;
+  if (policy?.allowUnsafeUrlOverrides !== true) return null;
+  return parseTrustedHttpsUrl(value) ? value : null;
+};
+
+const normalizeMicrosoftGraphSpecUrl = (
+  value: string,
+  policy?: MicrosoftGraphUrlPolicy,
+): string | null => {
+  if (value === MICROSOFT_GRAPH_OPENAPI_URL) return value;
+  return allowUnsafeUrl(value, policy) ?? null;
+};
+
+const MICROSOFT_GRAPH_HOSTS = new Set([
+  "graph.microsoft.com",
+  "graph.microsoft.us",
+  "dod-graph.microsoft.us",
+  "microsoftgraph.chinacloudapi.cn",
+]);
+
+const normalizeMicrosoftGraphBaseUrl = (
+  value: string | undefined,
+  policy?: MicrosoftGraphUrlPolicy,
+): string | undefined | null => {
+  const unsafe = allowUnsafeUrl(value, policy);
+  if (unsafe !== null) return unsafe;
+  if (!value) return undefined;
+  const parsed = parseTrustedHttpsUrl(value);
+  if (!parsed || !MICROSOFT_GRAPH_HOSTS.has(parsed.hostname.toLowerCase())) return null;
+  if (!/^\/(?:v1\.0|beta)(?:\/)?$/.test(parsed.pathname)) return null;
+  if (parsed.search) return null;
+  return parsed.toString().replace(/\/$/, "");
+};
+
+const MICROSOFT_IDENTITY_HOSTS = new Set([
+  "login.microsoftonline.com",
+  "login.microsoftonline.us",
+  "login.partner.microsoftonline.cn",
+]);
+
+const normalizeMicrosoftOAuthEndpointUrl = (
+  value: string,
+  endpoint: "authorize" | "token",
+  policy?: MicrosoftGraphUrlPolicy,
+): string | null => {
+  const unsafe = allowUnsafeUrl(value, policy);
+  if (unsafe !== null) return unsafe ?? null;
+  const parsed = parseTrustedHttpsUrl(value);
+  if (!parsed || !MICROSOFT_IDENTITY_HOSTS.has(parsed.hostname.toLowerCase())) return null;
+  if (parsed.search) return null;
+  const suffix = endpoint === "authorize" ? "authorize" : "token";
+  return /^\/[^/]+\/oauth2\/v2\.0\/(?:authorize|token)$/.test(parsed.pathname) &&
+    parsed.pathname.endsWith(`/${suffix}`)
+    ? parsed.toString()
+    : null;
+};
+
+const validateSelectionUrls = (
+  selection: ReturnType<typeof normalizeSelection>,
+  policy?: MicrosoftGraphUrlPolicy,
+): Effect.Effect<ReturnType<typeof normalizeSelection>, OpenApiParseError> =>
+  Effect.gen(function* () {
+    const specUrl = normalizeMicrosoftGraphSpecUrl(selection.specUrl, policy);
+    if (!specUrl) {
+      return yield* new OpenApiParseError({
+        message: "Microsoft Graph specUrl must point to the trusted Microsoft Graph OpenAPI source",
+      });
+    }
+    const baseUrl = normalizeMicrosoftGraphBaseUrl(selection.baseUrl, policy);
+    if (baseUrl === null) {
+      return yield* new OpenApiParseError({
+        message: "Microsoft Graph baseUrl must point to a supported Microsoft Graph endpoint",
+      });
+    }
+    const authorizationUrl = selection.authorizationUrl
+      ? normalizeMicrosoftOAuthEndpointUrl(selection.authorizationUrl, "authorize", policy)
+      : undefined;
+    if (selection.authorizationUrl && !authorizationUrl) {
+      return yield* new OpenApiParseError({
+        message: "Microsoft authorizationUrl must point to a supported Microsoft identity endpoint",
+      });
+    }
+    const tokenUrl = selection.tokenUrl
+      ? normalizeMicrosoftOAuthEndpointUrl(selection.tokenUrl, "token", policy)
+      : undefined;
+    if (selection.tokenUrl && !tokenUrl) {
+      return yield* new OpenApiParseError({
+        message: "Microsoft tokenUrl must point to a supported Microsoft identity endpoint",
+      });
+    }
+    const clientCredentialsTokenUrl = selection.clientCredentialsTokenUrl
+      ? normalizeMicrosoftOAuthEndpointUrl(selection.clientCredentialsTokenUrl, "token", policy)
+      : undefined;
+    if (selection.clientCredentialsTokenUrl && !clientCredentialsTokenUrl) {
+      return yield* new OpenApiParseError({
+        message:
+          "Microsoft clientCredentialsTokenUrl must point to a supported Microsoft identity endpoint",
+      });
+    }
+    return {
+      ...selection,
+      specUrl,
+      ...(baseUrl ? { baseUrl } : { baseUrl: undefined }),
+      ...(authorizationUrl ? { authorizationUrl } : { authorizationUrl: undefined }),
+      ...(tokenUrl ? { tokenUrl } : { tokenUrl: undefined }),
+      ...(clientCredentialsTokenUrl
+        ? { clientCredentialsTokenUrl }
+        : { clientCredentialsTokenUrl: undefined }),
+    };
+  });
+
+const validateResolvedOAuthEndpoints = (
+  endpoints: MicrosoftOAuthEndpoints,
+  policy?: MicrosoftGraphUrlPolicy,
+): Effect.Effect<MicrosoftOAuthEndpoints, OpenApiParseError> =>
+  Effect.gen(function* () {
+    const authorizationUrl = normalizeMicrosoftOAuthEndpointUrl(
+      endpoints.authorizationUrl,
+      "authorize",
+      policy,
+    );
+    const tokenUrl = normalizeMicrosoftOAuthEndpointUrl(endpoints.tokenUrl, "token", policy);
+    const clientCredentialsTokenUrl = normalizeMicrosoftOAuthEndpointUrl(
+      endpoints.clientCredentialsTokenUrl,
+      "token",
+      policy,
+    );
+    if (!authorizationUrl || !tokenUrl || !clientCredentialsTokenUrl) {
+      return yield* new OpenApiParseError({
+        message: "Microsoft OAuth endpoints must point to supported Microsoft identity endpoints",
+      });
+    }
+    return { authorizationUrl, tokenUrl, clientCredentialsTokenUrl };
+  });
+
 const recordValues = (value: unknown): readonly unknown[] =>
   isRecord(value) ? Object.values(value) : [];
 
@@ -490,9 +642,10 @@ const streamSelectedScopes = (
 export const buildMicrosoftGraphOpenApiSpec = (
   input: MicrosoftGraphSelectionInput,
   httpClientLayer: Layer.Layer<HttpClient.HttpClient, never, never>,
+  urlPolicy?: MicrosoftGraphUrlPolicy,
 ): Effect.Effect<MicrosoftGraphSpecBuild, OpenApiParseError> =>
   Effect.gen(function* () {
-    const selection = normalizeSelection(input);
+    const selection = yield* validateSelectionUrls(normalizeSelection(input), urlPolicy);
     const sourceText = yield* fetchMicrosoftGraphOpenApiSpec(selection.specUrl).pipe(
       Effect.provide(httpClientLayer),
     );
@@ -512,7 +665,10 @@ export const buildMicrosoftGraphOpenApiSpec = (
     // Head + small components (servers + securitySchemes) parse cheaply and
     // carry everything `resolveOAuthEndpoints` needs.
     const headDoc = { ...parseHead(structure), components: parseSmallComponents(structure) };
-    const endpoints = resolveOAuthEndpoints(headDoc, selection);
+    const endpoints = yield* validateResolvedOAuthEndpoints(
+      resolveOAuthEndpoints(headDoc, selection),
+      urlPolicy,
+    );
 
     const permissionsReference =
       selection.coversFullGraph === true

packages/plugins/microsoft/src/sdk/plugin.test.ts

@@ -1,5 +1,5 @@
 import { describe, expect, it } from "@effect/vitest";
-import { Effect, Layer } from "effect";
+import { Effect, Exit, Layer } from "effect";
 import { HttpClient, HttpClientRequest, HttpClientResponse } from "effect/unstable/http";
 
 import {
@@ -10,7 +10,7 @@ import {
 } from "@executor-js/sdk";
 import { makeTestConfig, memoryCredentialsPlugin } from "@executor-js/sdk/testing";
 
-import { microsoftPlugin } from "./plugin";
+import { microsoftPlugin, type MicrosoftPluginOptions } from "./plugin";
 import {
   MICROSOFT_AUTH_TEMPLATE_SLUG,
   MICROSOFT_CLIENT_CREDENTIALS_AUTH_TEMPLATE_SLUG,
@@ -191,10 +191,54 @@ const graphHttpClientLayer = Layer.succeed(HttpClient.HttpClient)(
   ),
 );
 
-const graphPlugins = () =>
-  [microsoftPlugin({ httpClientLayer: graphHttpClientLayer }), memoryCredentialsPlugin()] as const;
+const graphPlugins = (options?: Omit<MicrosoftPluginOptions, "httpClientLayer">) =>
+  [
+    microsoftPlugin({ httpClientLayer: graphHttpClientLayer, ...options }),
+    memoryCredentialsPlugin(),
+  ] as const;
 
 describe("Microsoft Graph provider", () => {
+  it.effect("rejects non-Microsoft URL overrides before fetching the Graph spec", () =>
+    Effect.scoped(
+      Effect.gen(function* () {
+        let requests = 0;
+        const blockedHttpClientLayer = Layer.succeed(HttpClient.HttpClient)(
+          HttpClient.make((request: HttpClientRequest.HttpClientRequest) =>
+            Effect.sync(() => {
+              requests += 1;
+              return HttpClientResponse.fromWeb(
+                request,
+                new Response("unexpected request", { status: 500 }),
+              );
+            }),
+          ),
+        );
+        const executor = yield* createExecutor(
+          makeTestConfig({
+            plugins: [
+              microsoftPlugin({ httpClientLayer: blockedHttpClientLayer }),
+              memoryCredentialsPlugin(),
+            ],
+          }),
+        );
+
+        const exit = yield* executor.microsoft
+          .addGraph({
+            slug: "bad_graph",
+            baseUrl: "https://attacker.example/v1.0",
+            specUrl: "https://attacker.example/openapi.yaml",
+            authorizationUrl: "https://attacker.example/oauth2/v2.0/authorize",
+            tokenUrl: "https://attacker.example/oauth2/v2.0/token",
+            clientCredentialsTokenUrl: "https://attacker.example/oauth2/v2.0/token",
+          })
+          .pipe(Effect.exit);
+
+        expect(Exit.isFailure(exit)).toBe(true);
+        expect(requests).toBe(0);
+      }),
+    ),
+  );
+
   it.effect("adds a selected Graph workload source with one OAuth template", () =>
     Effect.scoped(
       Effect.gen(function* () {
@@ -414,7 +458,9 @@ describe("Microsoft Graph provider", () => {
   it.effect("adds Microsoft Graph from the emulator spec with app-only OAuth endpoints", () =>
     Effect.scoped(
       Effect.gen(function* () {
-        const executor = yield* createExecutor(makeTestConfig({ plugins: graphPlugins() }));
+        const executor = yield* createExecutor(
+          makeTestConfig({ plugins: graphPlugins({ allowUnsafeUrlOverrides: true }) }),
+        );
 
         yield* executor.microsoft.addGraph({
           presetIds: ["users"],

packages/plugins/microsoft/src/sdk/plugin.ts

@@ -37,6 +37,7 @@ import {
   buildMicrosoftGraphOpenApiSpec,
   decodeMicrosoftGraphIntegrationConfig,
   microsoftGraphKeepPathItem,
+  type MicrosoftGraphUrlPolicy,
   type MicrosoftGraphIntegrationConfig,
   type MicrosoftGraphSpecBuild,
 } from "./graph";
@@ -83,6 +84,7 @@ export interface MicrosoftUpdateResult {
 
 export interface MicrosoftPluginOptions {
   readonly httpClientLayer?: Layer.Layer<HttpClient.HttpClient, never, never>;
+  readonly allowUnsafeUrlOverrides?: boolean;
 }
 
 const DEFAULT_MICROSOFT_SLUG = "microsoft_graph";
@@ -124,6 +126,7 @@ const describeMicrosoftIntegrationDisplay = (
 const makeMicrosoftPluginExtension = (
   ctx: PluginCtx<OpenapiStore>,
   httpClientLayer: Layer.Layer<HttpClient.HttpClient, never, never>,
+  urlPolicy?: MicrosoftGraphUrlPolicy,
 ) => {
   const persistGraphOperations = (
     graph: MicrosoftGraphSpecBuild,
@@ -145,7 +148,7 @@ const makeMicrosoftPluginExtension = (
 
   const addGraph = (config: MicrosoftGraphConfig) =>
     Effect.gen(function* () {
-      const graph = yield* buildMicrosoftGraphOpenApiSpec(config, httpClientLayer);
+      const graph = yield* buildMicrosoftGraphOpenApiSpec(config, httpClientLayer, urlPolicy);
       const slug = IntegrationSlug.make(config.slug?.trim() || DEFAULT_MICROSOFT_SLUG);
 
       const existing = yield* ctx.core.integrations.get(slug);
@@ -212,6 +215,7 @@ const makeMicrosoftPluginExtension = (
             input?.clientCredentialsTokenUrl ?? current.microsoftGraphClientCredentialsTokenUrl,
         },
         httpClientLayer,
+        urlPolicy,
       );
       const previousOperations = yield* ctx.storage.listOperations(rawSlug);
       const previousNames = new Set(previousOperations.map((op) => op.toolName));
@@ -341,7 +345,9 @@ export const microsoftPlugin = definePlugin((options?: MicrosoftPluginOptions) =
   storage: (deps): OpenapiStore => makeDefaultOpenapiStore(deps),
 
   extension: (ctx) =>
-    makeMicrosoftPluginExtension(ctx, options?.httpClientLayer ?? ctx.httpClientLayer),
+    makeMicrosoftPluginExtension(ctx, options?.httpClientLayer ?? ctx.httpClientLayer, {
+      allowUnsafeUrlOverrides: options?.allowUnsafeUrlOverrides === true,
+    }),
 
   describeAuthMethods: describeMicrosoftAuthMethods,
   describeIntegrationDisplay: describeMicrosoftIntegrationDisplay,