Skip to content

add url validations#1634

Merged
xiangyan99 merged 3 commits intomainfrom
add_url_validations
Feb 3, 2026
Merged

add url validations#1634
xiangyan99 merged 3 commits intomainfrom
add_url_validations

Conversation

@xiangyan99
Copy link
Copy Markdown
Member

@xiangyan99 xiangyan99 commented Feb 3, 2026

What does this PR do?

[Provide a clear, concise description of the changes]

add url validations for ResourceHealth & kusto tools

[Any additional context, screenshots, or information that helps reviewers]

GitHub issue number?

[Link to the GitHub issue this PR addresses]

Pre-merge Checklist

  • Required for All PRs
    • Read contribution guidelines
    • PR title clearly describes the change
    • Commit history is clean with descriptive messages (cleanup guide)
    • Added comprehensive tests for new/modified functionality
    • Updated servers/Azure.Mcp.Server/CHANGELOG.md and/or servers/Fabric.Mcp.Server/CHANGELOG.md for product changes (features, bug fixes, UI/UX, updated dependencies)
  • For MCP tool changes:
    • One tool per PR: This PR adds or modifies only one MCP tool for faster review cycles
    • Updated servers/Azure.Mcp.Server/README.md and/or servers/Fabric.Mcp.Server/README.md documentation
    • Validate README.md changes using script at eng/scripts/Process-PackageReadMe.ps1. See Package README
    • Updated command list in /servers/Azure.Mcp.Server/docs/azmcp-commands.md and/or /docs/fabric-commands.md
    • Run .\eng\scripts\Update-AzCommandsMetadata.ps1 to update tool metadata in azmcp-commands.md (required for CI)
    • For new or modified tool descriptions, ran ToolDescriptionEvaluator and obtained a score of 0.4 or more and a top 3 ranking for all related test prompts
    • For tools with new names, including new tools or renamed tools, update consolidated-tools.json
    • For new tools associated with Azure services or publicly available tools/APIs/products, add URL to documentation in the PR description
  • Extra steps for Azure MCP Server tool changes:
    • Updated test prompts in /servers/Azure.Mcp.Server/docs/e2eTestPrompts.md
    • 👉 For Community (non-Microsoft team member) PRs:
      • Security review: Reviewed code for security vulnerabilities, malicious code, or suspicious activities before running tests (crypto mining, spam, data exfiltration, etc.)
      • Manual tests run: added comment /azp run mcp - pullrequest - live to run Live Test Pipeline

@github-project-automation github-project-automation Bot moved this to Untriaged in Azure MCP Server Feb 3, 2026
alzimmermsft
alzimmermsft approved these changes Feb 3, 2026
View reviewed changes
Comment thread tools/Azure.Mcp.Tools.Kusto/src/Services/KustoClient.cs
anuchandy
anuchandy reviewed Feb 3, 2026
View reviewed changes
Comment thread tools/Azure.Mcp.Tools.Kusto/src/Services/KustoClient.cs
@xiangyan99 xiangyan99 marked this pull request as ready for review February 3, 2026 21:54
@xiangyan99 xiangyan99 requested a review from a user February 3, 2026 21:54
@xiangyan99 xiangyan99 requested review from a team, danield137 and prvavill as code owners February 3, 2026 21:54
Copilot AI reviewed Feb 3, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds URL validation to ResourceHealth and Kusto tools to prevent Server-Side Request Forgery (SSRF) attacks. The changes validate user-provided URLs/resource IDs before using them in HTTP requests.

Changes:

  • Added comprehensive validation for Azure Resource IDs in ResourceHealth using Azure.Core.ResourceIdentifier.Parse()
  • Added domain suffix and hostname allowlist validation for Kusto cluster URIs across multiple Azure clouds
  • Included extensive unit tests covering malicious inputs, edge cases, and valid scenarios

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 5 comments.

Show a summary per file
File Description
tools/Azure.Mcp.Tools.ResourceHealth/tests/Azure.Mcp.Tools.ResourceHealth.UnitTests/Services/ResourceHealthServiceSsrfValidationTests.cs New test file with 183 lines of comprehensive SSRF protection tests for ResourceHealth service
tools/Azure.Mcp.Tools.ResourceHealth/src/Services/ResourceHealthService.cs Updated to validate resource IDs using Azure SDK and construct URLs safely with Uri class
tools/Azure.Mcp.Tools.Kusto/tests/Azure.Mcp.Tools.Kusto.UnitTests/KustoClientTests.cs Added 149 lines of SSRF protection tests for Kusto client validation
tools/Azure.Mcp.Tools.Kusto/src/Services/KustoClient.cs Added cluster URI validation with domain suffix allowlist and hostname segment validation
tools/Azure.Mcp.Tools.Kusto/tests/Azure.Mcp.Tools.Kusto.LiveTests/assets.json Updated Tag field for recorded test assets
servers/Azure.Mcp.Server/changelog-entries/input-validation-improvements.yaml Added changelog entry documenting the security improvements

Comment thread tools/Azure.Mcp.Tools.Kusto/src/Services/KustoClient.cs
Comment thread ...zure.Mcp.Tools.ResourceHealth.UnitTests/Services/ResourceHealthServiceSsrfValidationTests.cs
Comment thread tools/Azure.Mcp.Tools.Kusto/src/Services/KustoClient.cs
Comment thread tools/Azure.Mcp.Tools.Kusto/src/Services/KustoClient.cs
Comment thread ...zure.Mcp.Tools.ResourceHealth.UnitTests/Services/ResourceHealthServiceSsrfValidationTests.cs
@xiangyan99 xiangyan99 merged commit 804ff60 into main Feb 3, 2026
33 checks passed
@xiangyan99 xiangyan99 deleted the add_url_validations branch February 3, 2026 23:08
@github-project-automation github-project-automation Bot moved this from Untriaged to Done in Azure MCP Server Feb 3, 2026
colbytimm pushed a commit to colbytimm/microsoft-mcp that referenced this pull request Apr 20, 2026
@xiangyan99 @colbytimm
add url validations (microsoft#1634)
d891122 
* add url validations

* update recordings.

* update
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@anuchandy anuchandy anuchandy left review comments

Copilot code review Copilot Copilot left review comments

@alzimmermsft alzimmermsft alzimmermsft approved these changes

@prvavill prvavill Awaiting requested review from prvavill prvavill is a code owner

@danield137 danield137 Awaiting requested review from danield137 danield137 is a code owner

@hallipr hallipr Awaiting requested review from hallipr hallipr is a code owner automatically assigned from microsoft/azure-mcp

@jongio jongio Awaiting requested review from jongio jongio is a code owner automatically assigned from microsoft/azure-mcp

@vukelich vukelich Awaiting requested review from vukelich vukelich is a code owner automatically assigned from microsoft/azure-mcp

@g2vinay g2vinay Awaiting requested review from g2vinay g2vinay is a code owner automatically assigned from microsoft/azure-mcp

@tmeschter tmeschter Awaiting requested review from tmeschter tmeschter is a code owner automatically assigned from microsoft/azure-mcp

@saikoumudi saikoumudi Awaiting requested review from saikoumudi saikoumudi is a code owner automatically assigned from microsoft/azure-mcp

@chidozieononiwu chidozieononiwu Awaiting requested review from chidozieononiwu chidozieononiwu is a code owner automatically assigned from microsoft/azure-mcp

Assignees

No one assigned

Labels

tools-Kusto tools-ResourceHealth

Projects

Azure MCP Server
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@xiangyan99 @anuchandy @alzimmermsft