Skip to content

.NET: Validate Foundry toolbox name is a single path segment before building the proxy URL#6890

Open
rogerbarreto wants to merge 2 commits into
microsoft:mainfrom
rogerbarreto:rogerbarreto/foundry-toolbox-path-validation-122468
Open

.NET: Validate Foundry toolbox name is a single path segment before building the proxy URL#6890
rogerbarreto wants to merge 2 commits into
microsoft:mainfrom
rogerbarreto:rogerbarreto/foundry-toolbox-path-validation-122468

Conversation

@rogerbarreto

Copy link
Copy Markdown
Member

Motivation & Context

Hardens the Foundry Toolbox hosting integration. A toolbox name resolved from a request-supplied
marker was interpolated into the toolbox MCP proxy URL without a single-segment/canonicalization
check, so relative-path segments could change the request target. This is an input-validation /
request-target-consistency gap.

Description & Review Guide

  • What are the major changes?

    • FoundryToolboxService now validates that a toolbox name is a single, safe path segment before
      it is used to build the proxy URL. The name is fully percent-decoded and rejected when it is
      empty, contains a path separator (/ or \), or is a relative-path segment (. or ..).
    • Validation runs at both the per-request marker resolution (GetToolboxToolsAsync) and the shared
      open path (OpenToolboxAsync), so every open path is covered.
    • Added unit tests covering rejected (separator / relative-path, incl. percent-encoded) and
      accepted (well-formed) names.
  • What is the impact of these changes?

    • .NET only. The Python port resolves the toolbox name from trusted environment configuration and
      has no request-influenced path, so no change is needed there.
    • No public API change; behavior only differs for names that were never valid single-segment
      identifiers.

Related Issue

N/A — hardening change, not linked to an issue.

Contribution Checklist

  • The code builds clean without any errors or warnings
  • All unit tests pass, and I have added new tests where possible
  • The PR follows the Contribution Guidelines
  • This is not a breaking change.

…g the proxy URL

Reject toolbox name/identifier inputs that carry path separators or relative-path segments (including their percent-encoded forms) before they are interpolated into the toolbox MCP proxy request URL, so a caller-influenced marker cannot alter the request target. Validation runs both at per-request marker resolution and at the shared open choke point, and is covered by red-to-green unit tests.
Copilot AI review requested due to automatic review settings July 2, 2026 14:43
@rogerbarreto rogerbarreto self-assigned this Jul 2, 2026
@giles17 giles17 added the .NET Usage: [Issues, PRs], Target: .Net label Jul 2, 2026
@github-actions github-actions Bot changed the title Validate Foundry toolbox name is a single path segment before building the proxy URL .NET: Validate Foundry toolbox name is a single path segment before building the proxy URL Jul 2, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Hardens the .NET Foundry Toolbox hosting integration by validating caller-influenced toolbox names before they’re interpolated into the toolbox MCP proxy URL, reducing the risk of request-target manipulation via path traversal or encoded-separator smuggling.

Changes:

  • Added EnsureSafeToolboxName(...) validation and applied it in both GetToolboxToolsAsync and OpenToolboxAsync.
  • Implemented bounded percent-decoding + rejection of empty, separator-containing, or dot-segment toolbox names.
  • Added unit tests for rejected/accepted toolbox name patterns.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File Description
dotnet/src/Microsoft.Agents.AI.Foundry.Hosting/FoundryToolboxService.cs Adds toolbox-name path-segment validation and applies it on all open paths before proxy URL construction.
dotnet/tests/Microsoft.Agents.AI.Foundry.Hosting.UnitTests/FoundryToolboxServiceTests.cs Adds coverage for rejecting unsafe names (including encoded forms) and allowing well-formed single-segment names.

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated Code Review

Reviewers: 5 | Confidence: 91% | Result: All clear

Reviewed: Correctness, Security Reliability, Test Coverage, Failure Modes, Design Approach


Automated review by rogerbarreto's agents

After the bounded percent-decode loop, also reject a name that still contains a percent sign, so encoding nested deeper than the decode cap cannot survive validation. Dispose the service via await using in the rejection test. Adds a deeply-encoded coverage case.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

.NET Usage: [Issues, PRs], Target: .Net

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants