Skip to content

Fix the redirect auth issues#47265

Merged
rads-1996 merged 4 commits into
Azure:mainfrom
rads-1996:fix-redirect-auth-issues
Jun 2, 2026
Merged

Fix the redirect auth issues#47265
rads-1996 merged 4 commits into
Azure:mainfrom
rads-1996:fix-redirect-auth-issues

Conversation

@rads-1996
Copy link
Copy Markdown
Member

@rads-1996 rads-1996 commented Jun 1, 2026
edited
Loading

Description

This PR fixes the issues highlighted in the ICM

All SDK Contribution checklist:

  • The pull request does not introduce [breaking changes]
  • CHANGELOG is updated for new features, bug fixes or other significant changes.
  • I have read the contribution guidelines.

General Guidelines and Best Practices

  • Title of the pull request is clear and informative.
  • There are a small number of commits, each of which have an informative message. This means that previously merged commits do not appear in the history of the PR. For more information on cleaning up the commits in your PR, see this page.

Testing Guidelines

  • Pull request includes test coverage for the included changes.

Copilot AI review requested due to automatic review settings June 1, 2026 19:29
@github-actions github-actions Bot added the Monitor - Exporter Monitor OpenTelemetry Exporter label Jun 1, 2026
Copilot AI reviewed Jun 1, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Fixes an ICM-tracked security/auth issue where a server-issued redirect could cause the exporter's auth policy to attach a freshly-signed Authorization header to an attacker-controlled host. The exporter now refuses redirects whose target is not under the "same registered domain" as the currently-configured ingestion endpoint, and updates the existing redirect tests to use realistic ingestion-style hosts.

Changes:

  • Add _is_same_registered_domain heuristic (same-host or leftmost-label-only difference with ≥3-label shared suffix and ≥4 total labels) and gate the recursive _transmit redirect path on it; refused redirects produce FAILED_NOT_RETRYABLE, log an error, and track dropped items via customer sdkstats.
  • Update test_transmit_http_error_redirect and test_redirect_does_not_double_consume_rate_limiter to redirect to a host that passes the new guard.
  • Add test_transmit_http_error_redirect_refuses_cross_origin and test_is_same_registered_domain to cover the new behavior.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File Description
sdk/monitor/azure-monitor-opentelemetry-exporter/azure/monitor/opentelemetry/exporter/export/_base.py Adds cross-origin redirect guard and helper.
sdk/monitor/azure-monitor-opentelemetry-exporter/tests/test_base_exporter.py Updates existing redirect test and adds tests for refusal + helper.
sdk/monitor/azure-monitor-opentelemetry-exporter/tests/test_rate_limiter.py Updates redirect target to a host that satisfies the new guard.

Comment thread ...or/azure-monitor-opentelemetry-exporter/azure/monitor/opentelemetry/exporter/export/_base.py
Comment thread ...or/azure-monitor-opentelemetry-exporter/azure/monitor/opentelemetry/exporter/export/_base.py Outdated
Comment thread ...or/azure-monitor-opentelemetry-exporter/azure/monitor/opentelemetry/exporter/export/_base.py
@rads-1996 rads-1996 force-pushed the fix-redirect-auth-issues branch from 309db26 to f6f1216 Compare June 1, 2026 20:17
@rads-1996
Copy link
Copy Markdown
Member Author

rads-1996 commented Jun 1, 2026

BEFORE -
image

AFTER -
image

@rads-1996 rads-1996 force-pushed the fix-redirect-auth-issues branch from f6f1216 to 0e576ed Compare June 1, 2026 21:11
@rads-1996 rads-1996 force-pushed the fix-redirect-auth-issues branch from 0e576ed to 13513f1 Compare June 1, 2026 22:17
@JacksonWeber JacksonWeber mentioned this pull request Jun 1, 2026
Merged
3 tasks
JacksonWeber added a commit to Azure/azure-sdk-for-js that referenced this pull request Jun 2, 2026
@JacksonWeber
[monitor-opentelemetry-exporter] Fix the redirect auth issues (#38772)
6d418b0 
# Description

Fixes the [MSRC
119493](https://portal.microsofticm.com/imp/v5/incidents/details/31000000623459/summary)
defect family in the Node.js exporter, mirroring the Python fix in
[Azure/azure-sdk-for-python#47265](Azure/azure-sdk-for-python#47265).

## Defect

`sdk/monitor/monitor-opentelemetry-exporter` disables
`@azure/core-rest-pipeline`'s `redirectPolicy` (`httpSender.ts`) and
handles 30x responses itself in `baseSender.ts`. On any 307/308 the
previous `handlePermanentRedirect`:

- accepted **any** `Location` host with no origin allowlist;
- mutated `appInsightsClientOptions.host` and rebuilt the
`ApplicationInsightsClient`, persisting the new host for the lifetime of
the exporter; and
- on the recursive `exportEnvelopes` call, the rebuilt pipeline still
contained `bearerTokenAuthenticationPolicy` (when a `credential` is
configured), so a freshly-signed AAD token for
`https://monitor.azure.com/.default` plus the telemetry envelope were
POSTed to the redirect target.

This is the same code-shape MSRC paid out against the Python exporter
(#119493), the .NET exporter (researcher Finding #12), and the Java
exporter (researcher Finding #14).

## Fix

- New `ALLOWED_REDIRECT_DOMAIN_SUFFIXES` constant
(`Declarations/Constants.ts`) listing the canonical Azure Monitor /
Application Insights ingestion suffixes across public, US Gov, and China
clouds (identical list to the Python PR).
- New `isSameRegisteredDomain(currentHost, redirectHost)` helper
(`utils/redirectUtils.ts`) that returns `true` only when the redirect
target is an **exact host match** for the configured ingestion host, or
when **both** hosts live under the **same** trusted suffix. Customers
with a custom ingestion host therefore still get the single-hop
"remember the redirect" UX for an exact-host redirect, but server-issued
cross-host redirects are refused.
- `HttpSender.handlePermanentRedirect` now returns a `boolean`: `false`
(without mutating any state) when the redirect would cross the trust
boundary, `true` otherwise. The abstract signature on `BaseSender` is
updated to match.
- `BaseSender.exportEnvelopes` treats a `false` return as a
non-retriable failure: it does **not** recurse into another `send`,
surfaces an `ExportResultCode.FAILED` with a `Refused cross-origin
redirect` error, and counts the exception via
`networkStatsbeat.countException` /
`customerSDKStatsMetrics.countDroppedItems(DropCode.CLIENT_EXCEPTION,
..., ExceptionType.CLIENT_EXCEPTION)`.
- Diag log added at `error` level when a refusal occurs so operators can
identify the misbehaving server / proxy.

## Tests

- New `test/internal/redirectUtils.spec.ts` covering exact-match,
same-suffix, cross-suffix, untrusted-parent (PoC scenario),
trusted↔untrusted, empty inputs, user-info / port, and case /
trailing-dot normalization.
- New `BaseSender` test: `should refuse cross-origin redirects without
retrying` — asserts `send` is invoked exactly once, the result is
`FAILED` with `Refused cross-origin redirect`, and
`networkStatsbeat.countException` is called.
- New `HttpSender` test: `should refuse a cross-origin redirect and not
leak telemetry to a foreign host` — uses `nock` to assert the exporter
does **not** POST to the attacker host and that `appInsightsClient.host`
remains the originally configured `DEFAULT_BREEZE_ENDPOINT` (no
persistent host poisoning).
- Existing `HttpSender` redirect tests that redirected from
`dc.services.visualstudio.com` to
`ukwest-0.in.applicationinsights.azure.com` (which crosses trusted
suffixes and would now be refused) are retargeted to
`westus.services.visualstudio.com`, matching the Python PR's analogous
test update.
- Existing `BaseSender` test mock returns `true` by default so legacy
positive-path tests continue to exercise the success branch; the
circular-redirect test is unaffected (refusal is gated by
`numConsecutiveRedirects < 10`).

## Verification

- `pnpm turbo build --filter @azure/monitor-opentelemetry-exporter...
--token 1` — green.
- `pnpm format` / `npm run lint` — green (only pre-existing warnings,
none from new code).
- Full vitest suite: **20 files, 347 tests, all passing.**

## Version

Bumps `@azure/monitor-opentelemetry-exporter` from `1.0.0-beta.42` to
`1.0.0-beta.43`.

## Checklist

- [x] **The pull request does not introduce [breaking changes]** — the
only public surface change is `handlePermanentRedirect`'s return type on
`BaseSender`, which is `@internal`.
- [x] CHANGELOG updated under `1.0.0-beta.43 (Unreleased)`.
- [x] Tests added for the security-relevant behavior.

Co-authored-by: Jackson Weber <jacwebe@microsoft.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@rads-1996 rads-1996 merged commit 0569215 into Azure:main Jun 2, 2026
19 checks passed
@rads-1996 rads-1996 deleted the fix-redirect-auth-issues branch June 2, 2026 15:11
@rads-1996 rads-1996 mentioned this pull request Jun 2, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@JacksonWeber JacksonWeber JacksonWeber approved these changes

@hectorhdzg hectorhdzg Awaiting requested review from hectorhdzg hectorhdzg is a code owner

@jeremydvoss jeremydvoss Awaiting requested review from jeremydvoss jeremydvoss is a code owner

@lzchen lzchen Awaiting requested review from lzchen lzchen is a code owner

@MSNev MSNev Awaiting requested review from MSNev MSNev is a code owner

Assignees

No one assigned

Labels

Monitor - Exporter Monitor OpenTelemetry Exporter

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@rads-1996 @JacksonWeber