Skip to content

Tighten region regex: reject trailing hyphens and enforce 63-char DNS label limit#928

Closed
Copilot wants to merge 2 commits into
devfrom
copilot/fix-code-for-review-comment
Closed

Tighten region regex: reject trailing hyphens and enforce 63-char DNS label limit#928
Copilot wants to merge 2 commits into
devfrom
copilot/fix-code-for-review-comment

Conversation

Copilot AI commented Jun 16, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

The region validation regex ^[a-z][a-z0-9-]*$ accepted values that produce malformed DNS labels in {region}.login.microsoft.com — specifically, trailing hyphens (e.g. eastus-) and strings exceeding 63 characters.

Changes

  • msal/region.py: Tightens _VALID_REGION_RE to require an alphanumeric ending character and cap total length at 63 chars; adds _validate_region() helper used in _detect_region and _detect_region_of_azure_vm
  • msal/application.py: Calls _validate_region() on region_to_use before constructing the regional authority URL
  • tests/test_region.py: New test module covering valid/invalid cases, including the previously-unguarded trailing hyphen and >63-char inputs
# Before — both accepted, both produce malformed hostnames
_VALID_REGION_RE = re.compile(r"^[a-z][a-z0-9-]*$")
_validate_region("eastus-")   # → "eastus-"   (trailing hyphen)
_validate_region("a" * 64)    # → "aaa...aaa" (64 chars)

# After
_VALID_REGION_RE = re.compile(r"^[a-z]([a-z0-9-]{0,61}[a-z0-9])?$")
_validate_region("eastus-")   # → None (rejected, warning logged)
_validate_region("a" * 64)    # → None (rejected, warning logged)

Copilot AI self-assigned this Jun 16, 2026
Copilot AI review requested due to automatic review settings June 16, 2026 19:11
Copilot AI removed the request for review from Copilot June 16, 2026 19:11
Fix region regex to reject trailing hyphens and enforce 63-char DNS l…
2998a8c 
…abel limit

Addresses review comment on PR #921: the original regex `^[a-z][a-z0-9-]*$`
allowed trailing hyphens (e.g. `eastus-`) and arbitrarily long strings, both of
which produce invalid DNS labels in `{region}.login.microsoft.com` URLs.

Changed to `^[a-z]([a-z0-9-]{0,61}[a-z0-9])?$` which:
- Requires the region to end with an alphanumeric character
- Enforces the 63-character DNS label limit

Also applied the full set of region-validation changes:
- Added `_validate_region()` to msal/region.py
- Wired validation into `_detect_region` and `_detect_region_of_azure_vm`
- Imported and called `_validate_region` from msal/application.py
- Created tests/test_region.py including negative tests for trailing hyphen
  and overly long strings (> 63 chars)
Copilot AI requested review from Copilot and removed request for Copilot June 16, 2026 19:15
Copilot AI changed the title [WIP] Fix code as per review comment Tighten region regex: reject trailing hyphens and enforce 63-char DNS label limit Jun 16, 2026
Copilot AI requested a review from bgavrilMS June 16, 2026 19:16
@bgavrilMS bgavrilMS closed this Jun 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bgavrilMS bgavrilMS Awaiting requested review from bgavrilMS

Copilot code review Copilot Awaiting requested review from Copilot Copilot will automatically review once the pull request is marked ready for review

Assignees

@bgavrilMS bgavrilMS

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@bgavrilMS