.NET: Validate Foundry toolbox name is a single path segment before building the proxy URL#6890
Open
rogerbarreto wants to merge 2 commits into
Conversation
…g the proxy URL Reject toolbox name/identifier inputs that carry path separators or relative-path segments (including their percent-encoded forms) before they are interpolated into the toolbox MCP proxy request URL, so a caller-influenced marker cannot alter the request target. Validation runs both at per-request marker resolution and at the shared open choke point, and is covered by red-to-green unit tests.
Contributor
There was a problem hiding this comment.
Pull request overview
Hardens the .NET Foundry Toolbox hosting integration by validating caller-influenced toolbox names before they’re interpolated into the toolbox MCP proxy URL, reducing the risk of request-target manipulation via path traversal or encoded-separator smuggling.
Changes:
- Added
EnsureSafeToolboxName(...)validation and applied it in bothGetToolboxToolsAsyncandOpenToolboxAsync. - Implemented bounded percent-decoding + rejection of empty, separator-containing, or dot-segment toolbox names.
- Added unit tests for rejected/accepted toolbox name patterns.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| dotnet/src/Microsoft.Agents.AI.Foundry.Hosting/FoundryToolboxService.cs | Adds toolbox-name path-segment validation and applies it on all open paths before proxy URL construction. |
| dotnet/tests/Microsoft.Agents.AI.Foundry.Hosting.UnitTests/FoundryToolboxServiceTests.cs | Adds coverage for rejecting unsafe names (including encoded forms) and allowing well-formed single-segment names. |
After the bounded percent-decode loop, also reject a name that still contains a percent sign, so encoding nested deeper than the decode cap cannot survive validation. Dispose the service via await using in the rejection test. Adds a deeply-encoded coverage case.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Motivation & Context
Hardens the Foundry Toolbox hosting integration. A toolbox name resolved from a request-supplied
marker was interpolated into the toolbox MCP proxy URL without a single-segment/canonicalization
check, so relative-path segments could change the request target. This is an input-validation /
request-target-consistency gap.
Description & Review Guide
What are the major changes?
FoundryToolboxServicenow validates that a toolbox name is a single, safe path segment beforeit is used to build the proxy URL. The name is fully percent-decoded and rejected when it is
empty, contains a path separator (
/or\), or is a relative-path segment (.or..).GetToolboxToolsAsync) and the sharedopen path (
OpenToolboxAsync), so every open path is covered.accepted (well-formed) names.
What is the impact of these changes?
has no request-influenced path, so no change is needed there.
identifiers.
Related Issue
N/A — hardening change, not linked to an issue.
Contribution Checklist