Batch remaining hosted egress hardening fixes

[RhysSullivan]

What changed

• Batch the remaining DeepSec critical fixes after Harden Windows browser opener commands #1099 and Add DNS checks to hosted egress guard #1100 landed.
• Includes Route OAuth token HTTP through hosted egress guard #1101, Route MCP transports through the hosted HttpClient #1102, Use executor HTTP layer for GraphQL discovery #1103, Restrict Google Discovery bundle URLs #1105, and Batch remaining hosted egress hardening fixes #1106.
• Excludes Constrain OpenAPI server variable origins #1104 so the OpenAPI server-variable origin policy can stay open for follow-up.

Included fixes

• Route OAuth token HTTP through the hosted egress guard.
• Route MCP transports through the hosted HttpClient.
• Use the executor HTTP layer for GraphQL discovery.
• Restrict Google Discovery bundle URLs.
• Pin Microsoft Graph provider URLs.

Validation

• Earlier CI passed on each individual PR before the final batch retarget.
• Batch merge requested without waiting for the retargeted CI cycle.

Stack

Base: main

Skipped: #1104

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Preview URL	Updated (UTC)
✅ Deployment successful! View logs	executor-marketing	0cf12bc	Commit Preview URL Branch Preview URL	Jun 23 2026, 06:15 PM

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Updated (UTC)
✅ Deployment successful! View logs	executor-cloud	0cf12bc	Jun 23 2026, 06:17 PM

[github-actions]

Cloudflare preview

Torn down — the PR is closed.

[pkg-pr-new]

Open in StackBlitz

@executor-js/cli

npm i https://pkg.pr.new/@executor-js/cli@1106

@executor-js/config

npm i https://pkg.pr.new/@executor-js/config@1106

@executor-js/execution

npm i https://pkg.pr.new/@executor-js/execution@1106

@executor-js/sdk

npm i https://pkg.pr.new/@executor-js/sdk@1106

@executor-js/codemode-core

npm i https://pkg.pr.new/@executor-js/codemode-core@1106

@executor-js/runtime-quickjs

npm i https://pkg.pr.new/@executor-js/runtime-quickjs@1106

@executor-js/plugin-file-secrets

npm i https://pkg.pr.new/@executor-js/plugin-file-secrets@1106

@executor-js/plugin-graphql

npm i https://pkg.pr.new/@executor-js/plugin-graphql@1106

@executor-js/plugin-keychain

npm i https://pkg.pr.new/@executor-js/plugin-keychain@1106

@executor-js/plugin-mcp

npm i https://pkg.pr.new/@executor-js/plugin-mcp@1106

@executor-js/plugin-onepassword

npm i https://pkg.pr.new/@executor-js/plugin-onepassword@1106

@executor-js/plugin-openapi

npm i https://pkg.pr.new/@executor-js/plugin-openapi@1106

executor

npm i https://pkg.pr.new/executor@1106

commit: b6f0590

[greptile-apps]

Greptile Summary

This PR hardens the Microsoft Graph plugin against SSRF-style bearer-token exfiltration by validating all user-supplied URLs — spec URL, base URL, and all three OAuth endpoint URLs — against explicit allowlists before any outbound HTTP request or persistence operation. An opt-in allowUnsafeUrlOverrides flag retains flexibility for local emulators and test environments.

• graph.ts adds parseTrustedHttpsUrl, normalizeMicrosoftGraphSpecUrl, normalizeMicrosoftGraphBaseUrl, and normalizeMicrosoftOAuthEndpointUrl helpers backed by MICROSOFT_GRAPH_HOSTS and MICROSOFT_IDENTITY_HOSTS sets, plus two Effect-based validation steps (validateSelectionUrls before the first fetch, validateResolvedOAuthEndpoints after spec-sourced endpoints are resolved).
• plugin.ts threads MicrosoftGraphUrlPolicy through makeMicrosoftPluginExtension, addGraph, and updateGraph; always coerces allowUnsafeUrlOverrides to === true so the boolean cannot be forged by a downstream caller.
• plugin.test.ts adds a zero-fetch regression that proves the rejection occurs before the HTTP client is touched, and gates the existing emulator test behind allowUnsafeUrlOverrides: true.

Confidence Score: 4/5

The change is safe to merge — all URL validation runs before any outbound fetch and before persistence, and the existing test suite confirms the zero-fetch rejection path works end-to-end.

The validation logic is structurally sound: spec URL, base URL, and OAuth endpoints are each checked against explicit allowlists before any HTTP call, and the allowUnsafeUrlOverrides bypass is gated behind a strict boolean equality check at the plugin boundary. The remaining gaps are cosmetic or minor: raw config.baseUrl is persisted instead of the normalized graph.baseUrl, non-standard ports on trusted hostnames pass parseTrustedHttpsUrl, and the updateGraph override-rejection path lacks a dedicated test.

plugin.ts lines 174 and 241 where the raw config.baseUrl/input.baseUrl is written to the integration config instead of the normalized graph.baseUrl.

Important Files Changed

Filename	Overview
packages/plugins/microsoft/src/sdk/graph.ts	Adds URL allowlist validation for spec, base, and OAuth endpoint URLs before any outbound fetch; overall logic is sound but parseTrustedHttpsUrl accepts non-standard ports on trusted hostnames.
packages/plugins/microsoft/src/sdk/plugin.ts	Threads urlPolicy through the plugin correctly; addGraph and updateGraph both store the raw config.baseUrl/input.baseUrl instead of the normalized graph.baseUrl, making the persisted config inconsistent with the validated form.
packages/plugins/microsoft/src/sdk/plugin.test.ts	Adds a zero-fetch rejection test for addGraph and correctly gates the emulator test behind allowUnsafeUrlOverrides: true; the updateGraph rejection path remains untested.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["addGraph / updateGraph input"] --> B["normalizeSelection()"]
    B --> C["validateSelectionUrls()"]
    C --> D{"specUrl == MICROSOFT_GRAPH_OPENAPI_URL?"}
    D -- "yes" --> E["specUrl accepted"]
    D -- "no" --> F{"allowUnsafeUrlOverrides?"}
    F -- "true + HTTPS" --> E
    F -- "false / non-HTTPS" --> ERR1["❌ OpenApiParseError"]
    E --> G{"baseUrl provided?"}
    G -- "yes" --> H{"allowUnsafeUrlOverrides?"}
    H -- "true + HTTPS" --> I["baseUrl accepted (any HTTPS)"]
    H -- "false" --> J{"host in MICROSOFT_GRAPH_HOSTS + /v1.0 or /beta path?"}
    J -- "yes" --> I
    J -- "no" --> ERR2["❌ OpenApiParseError"]
    G -- "no" --> K["baseUrl = undefined"]
    I --> L["validateSelectionUrls checks authorizationUrl / tokenUrl / clientCredentialsTokenUrl against MICROSOFT_IDENTITY_HOSTS"]
    K --> L
    L --> M["fetchMicrosoftGraphOpenApiSpec(specUrl)"]
    M --> N["resolveOAuthEndpoints(headDoc, selection)"]
    N --> O["validateResolvedOAuthEndpoints()"]
    O --> P{"allowUnsafeUrlOverrides?"}
    P -- "true + HTTPS" --> Q["OAuth endpoints accepted"]
    P -- "false" --> R{"host in MICROSOFT_IDENTITY_HOSTS + /tenant/oauth2/v2.0/* path?"}
    R -- "yes" --> Q
    R -- "no" --> ERR3["❌ OpenApiParseError"]
    Q --> S["MicrosoftGraphSpecBuild returned"]

Loading

%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
flowchart TD
    A["addGraph / updateGraph input"] --> B["normalizeSelection()"]
    B --> C["validateSelectionUrls()"]
    C --> D{"specUrl == MICROSOFT_GRAPH_OPENAPI_URL?"}
    D -- "yes" --> E["specUrl accepted"]
    D -- "no" --> F{"allowUnsafeUrlOverrides?"}
    F -- "true + HTTPS" --> E
    F -- "false / non-HTTPS" --> ERR1["❌ OpenApiParseError"]
    E --> G{"baseUrl provided?"}
    G -- "yes" --> H{"allowUnsafeUrlOverrides?"}
    H -- "true + HTTPS" --> I["baseUrl accepted (any HTTPS)"]
    H -- "false" --> J{"host in MICROSOFT_GRAPH_HOSTS + /v1.0 or /beta path?"}
    J -- "yes" --> I
    J -- "no" --> ERR2["❌ OpenApiParseError"]
    G -- "no" --> K["baseUrl = undefined"]
    I --> L["validateSelectionUrls checks authorizationUrl / tokenUrl / clientCredentialsTokenUrl against MICROSOFT_IDENTITY_HOSTS"]
    K --> L
    L --> M["fetchMicrosoftGraphOpenApiSpec(specUrl)"]
    M --> N["resolveOAuthEndpoints(headDoc, selection)"]
    N --> O["validateResolvedOAuthEndpoints()"]
    O --> P{"allowUnsafeUrlOverrides?"}
    P -- "true + HTTPS" --> Q["OAuth endpoints accepted"]
    P -- "false" --> R{"host in MICROSOFT_IDENTITY_HOSTS + /tenant/oauth2/v2.0/* path?"}
    R -- "yes" --> Q
    R -- "no" --> ERR3["❌ OpenApiParseError"]
    Q --> S["MicrosoftGraphSpecBuild returned"]

Loading

Comments Outside Diff (2)

1. packages/plugins/microsoft/src/sdk/plugin.ts, line 174 (link)

   Raw config.baseUrl stored instead of the normalized graph.baseUrl

   graph.specUrl and all three OAuth URLs are taken from the graph result (normalized and validated by validateSelectionUrls), but baseUrl is written back from config.baseUrl — the raw user-supplied string. normalizeMicrosoftGraphBaseUrl strips trailing slashes and lower-cases the hostname, so a caller that passes "https://graph.microsoft.COM/v1.0/" would have the inconsistent raw value persisted in config while every other field is normalized. Using graph.baseUrl keeps the persisted config consistent with what was validated.

2. packages/plugins/microsoft/src/sdk/plugin.ts, line 241 (link)

   Same raw-input persistence concern in updateGraph — input.baseUrl should be replaced by graph.baseUrl so the stored config always reflects the normalized, post-validation form.

_{Reviews (1): Last reviewed commit: "Pin Microsoft Graph provider URLs" | Re-trigger Greptile}

[greptile-apps]

Non-standard ports accepted on trusted hostnames

parseTrustedHttpsUrl extracts parsed.hostname, which strips the port component before the allowlist lookup runs. This means a URL like https://graph.microsoft.com:8443/v1.0 would pass all three layers of validation (HTTPS check, host allowlist, pathname regex) as a baseUrl, and https://login.microsoftonline.com:1234/tenant/oauth2/v2.0/token would pass as an OAuth endpoint. In the production path, an attacker doesn't control those hostnames so there's no exfiltration path, but an overly-permissive URL is still silently persisted. Checking parsed.port === "" || parsed.port === "443" (or equivalently, that parsed.host === parsed.hostname) before returning would close the gap without breaking any real use-case.

[greptile-apps]

updateGraph rejection path is untested

The new regression test proves that addGraph validates URLs before any outbound fetch. updateGraph calls the same buildMicrosoftGraphOpenApiSpec with the same urlPolicy closure and is equally important to cover — a caller can attempt to upgrade a legitimate integration to attacker-controlled URLs by invoking updateGraph with override URLs. Adding a parallel test that calls updateGraph with non-Microsoft URLs on a previously valid integration would close the coverage gap.

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!