[Azure Monitor Exporter] Fix/quickpulse redirect validation#46966
Merged
hectorhdzg merged 1 commit, May 20, 2026
Conversation
Contributor
Pull request overview
This PR hardens the Azure Monitor OpenTelemetry Exporter QuickPulse redirect handling to prevent malicious redirect targets from persisting for the lifetime of a process, by enforcing HTTPS-only redirects and validating redirect hosts against a trusted Azure Monitor domain allowlist.
Changes:
- Added redirect-target validation logic (HTTPS enforcement + allowed domain suffixes) with warning logs on rejection.
- Introduced _is_redirect_target_allowed helper for domain allowlist checks.
- Expanded unit tests to cover accepted/rejected redirect scenarios.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| sdk/monitor/azure-monitor-opentelemetry-exporter/azure/monitor/opentelemetry/exporter/_quickpulse/_policy.py | Adds HTTPS-only + domain allowlist validation and warning logs for rejected QuickPulse redirects. |
| sdk/monitor/azure-monitor-opentelemetry-exporter/tests/quickpulse/test_policy.py | Adds new unit tests validating redirect acceptance/rejection and host allowlist behavior. |
The QuickPulse redirect policy previously accepted any Location header value and updated _base_url without validation. This allowed potential redirect poisoning where an attacker with network-level access could redirect all LiveMetrics traffic (including auth headers and telemetry) to an attacker-controlled host.

This fix:
- Enforces HTTPS-only scheme on redirect targets (no protocol downgrade)
- Validates redirect host against an allowlist of trusted Azure Monitor domain suffixes (.monitor.azure.com, .services.visualstudio.com, .applicationinsights.azure.com, and sovereign cloud variants)
- Uses urlparse hostname extraction to prevent userinfo (@) bypass attacks
- Rejects redirects containing username/password in the URL
- Returns None (rejecting the redirect) for untrusted targets
- Logs a warning when a redirect is rejected for observability
- Adds comprehensive unit tests for validation logic including userinfo bypass, domain spoofing, HTTP downgrade, and trusted domain acceptance
JacksonWeber
approved these changes
May 20, 2026
Problem
The QuickPulse redirect policy (_quickpulse/_policy.py) parsed the x-ms-qps-service-endpoint-redirect-v2 header and updated _base_url to any provided host without validation. An attacker with network-level access (MITM, DNS poisoning, compromised proxy) could redirect all future LiveMetrics traffic—including auth headers and telemetry data—to an attacker-controlled host, persisting for the lifetime of the process.
Fix
- HTTPS-only enforcement: Rejects any redirect with a non-HTTPS scheme (prevents protocol downgrade)
- Domain allowlist validation: Only accepts redirects to known Azure Monitor domain suffixes:
  - .livediagnostics.monitor.azure.com
  - .monitor.azure.com
  - .services.visualstudio.com
  - .applicationinsights.azure.com
  - Sovereign cloud variants (.azure.us, .azure.cn)
- Logging: Emits a warning when a redirect is rejected
- Tests: Adds comprehensive unit tests covering trusted/untrusted hosts, HTTP downgrade, and domain spoofing attempts
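The validation described in the commit message and in the Fix section above, written out as an added example. This is not the exporter's own code: the names `is_redirect_target_allowed` and `apply_redirect`, the exact sovereign-cloud suffixes spelled out in the allowlist, and the choice to adopt a validated Location value verbatim as the new base URL are all assumptions of this example. It shows why each check exists by running constructed Location values through the same categories the PR's tests cover (trusted host, HTTP downgrade, userinfo bypass, domain spoofing, embedded credentials).

```python
import logging
from typing import Optional
from urllib.parse import urlparse

logger = logging.getLogger(__name__)

# Trusted suffixes as listed in the PR description. The leading dot means a
# bare "monitor.azure.com" is NOT accepted, only hosts beneath those zones.
# The two sovereign-cloud entries are an assumption of this example standing
# in for the ".azure.us / .azure.cn variants" the PR mentions.
ALLOWED_REDIRECT_SUFFIXES = (
    ".livediagnostics.monitor.azure.com",
    ".monitor.azure.com",
    ".services.visualstudio.com",
    ".applicationinsights.azure.com",
    ".monitor.azure.us",  # assumed sovereign-cloud variant
    ".monitor.azure.cn",  # assumed sovereign-cloud variant
)


def is_redirect_target_allowed(url: str) -> bool:
    """Return True only if `url` is an HTTPS URL whose host is under a trusted zone.

    Hypothetical helper modelled on the validation the PR describes; it is not
    the exporter's own _is_redirect_target_allowed.
    """
    try:
        parsed = urlparse(url)
        # .username/.password come from the userinfo before '@'; .hostname is
        # the real host (lower-cased, with userinfo and port stripped), so a
        # "trusted.host@attacker" netloc resolves to the attacker's host.
        username, password, host = parsed.username, parsed.password, parsed.hostname
    except ValueError:
        # e.g. unbalanced IPv6 brackets: treat unparsable input as untrusted
        return False

    if parsed.scheme.lower() != "https":
        return False  # no protocol downgrade to http (or any other scheme)
    if username is not None or password is not None:
        return False  # credentials embedded in a redirect are never legitimate
    if not host:
        return False
    return any(host.endswith(suffix) for suffix in ALLOWED_REDIRECT_SUFFIXES)


def apply_redirect(current_base_url: str, location: Optional[str]) -> Optional[str]:
    """Return the new base URL if the redirect is trusted, else None.

    None mirrors the PR's "reject by returning None"; the caller keeps
    `current_base_url` in that case. Adopting the validated Location verbatim
    as the new base is an assumption of this example.
    """
    if not location:
        return None
    if not is_redirect_target_allowed(location):
        logger.warning(
            "Rejected QuickPulse redirect from %s to untrusted target %r",
            current_base_url, location,
        )
        return None
    return location


if __name__ == "__main__":
    # Constructed sample Location values covering the cases the PR tests.
    base = "https://global.livediagnostics.monitor.azure.com/"
    samples = [
        "https://eastus.livediagnostics.monitor.azure.com/QuickPulseService.svc",
        "http://eastus.livediagnostics.monitor.azure.com/",     # HTTP downgrade
        "https://eastus.monitor.azure.com@attacker.example/",  # userinfo bypass
        "https://eastus.monitor.azure.com.attacker.example/",  # domain spoofing
        "https://user:pass@eastus.monitor.azure.com/",         # embedded credentials
    ]
    for loc in samples:
        print(f"{loc!r:72} -> {apply_redirect(base, loc)}")
```

Only the first sample survives; the other four are rejected and logged. The suffix check alone would not catch the userinfo case if the host were taken from a naive string split, which is why the host must come from `urlparse(...).hostname`, and the explicit username/password rejection is kept as a second, independent guard.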