fix: prevent token leak via URL userinfo host confusion

[MIchaelMainer]

Summary

Changes Made

1. src/GraphRequestUtil.ts — isValidEndpoint (root cause fix)

Replaced the hand-rolled indexOf(":") host extraction with new URL() parsing:

• Rejects non-HTTPS URLs
• Rejects any URL containing userinfo (username/password) — blocks the host-confusion attack
• Uses parsedUrl.hostname (which correctly resolves the actual host, excluding userinfo and port)

2. src/GraphRequest.ts — parsePath (defense-in-depth)

Added new URL() validation at the entry point of path parsing:

• Rejects malformed URLs with a clear error
• Throws if userinfo is present — prevents credentialed URLs from ever entering the request pipeline
• After validation, uses the original string for host/path extraction (preserving encoding and port for backward compatibility)

Motivation

A vulnerability in the Microsoft Graph SDK for JavaScript allows an attacker to exploit a host-classification bug in the isValidEndpoint function, causing the SDK to misclassify attacker-controlled URLs as valid Microsoft Graph endpoints. This results in the SDK attaching and sending the caller's Microsoft Graph bearer token to the attacker's host. The issue is confirmed in version 3.0.7 and earlier, specifically when using the node-fetch runtime. The root cause is improper URL parsing that fails to correctly identify the real host when userinfo is included in the URL. The vulnerability can lead to the exposure of sensitive tokens, which can be replayed against Microsoft Graph services within the token's granted scopes.

Test plan

Regression tests added

• test/common/core/GraphRequestUtil.ts — tests for isGraphURL and isCustomHost covering all attack vectors
• test/common/core/urlParsing.ts — tests that parsePath throws on userinfo URLs

[adrian05-ms]

is it possible for username to be undefined? what happens if it does?