24 security pagination follows nextlink urls without origin validation #48

Open
cocallaw wants to merge 6 commits into main from 24-security-pagination-follows-nextlink-urls-without-origin-validation

@cocallaw cocallaw (Owner) commented Apr 18, 2026

Description

Related Issue

Fixes #24

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Code refactoring
  • Performance improvement
  • Test updates

Changes Made

This pull request enhances the security of the Invoke-AzPagedRequest function by validating the nextLink URLs during pagination. The main improvement is to ensure that only trusted hosts over HTTPS are followed, preventing potential security risks from untrusted pagination links.

Security improvements to pagination:

  • Added an $allowedHosts list (currently allowing only "management.azure.com") to restrict which hosts can be followed in paginated responses.
  • Implemented a check to ensure that any nextLink URL uses the HTTPS scheme and its host is in the $allowedHosts list; if not, an error is logged and pagination stops.
  • Updated logic to set $nextUri to $null when there is no nextLink, ensuring proper termination of pagination.

Testing

  • Tested with Azure CLI authentication
  • Tested with Az.Accounts authentication
  • Tested across multiple subscriptions
  • Added/updated unit tests
  • All existing tests pass

Checklist

  • My code follows the existing code style
  • I have performed a self-review of my code
  • I have commented my code where necessary
  • I have updated the documentation (README, function help, etc.)
  • My changes generate no new warnings or errors
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally
  • I have checked for any breaking changes

Additional Notes

@cocallaw cocallaw self-assigned this Apr 18, 2026
Copilot AI review requested due to automatic review settings April 18, 2026 18:22
@cocallaw cocallaw added the security (Security vulnerability or hardening) and priority: medium (Medium priority — plan for near-term) labels Apr 18, 2026

Copilot AI (Contributor) left a comment

Pull request overview

Improves the security posture of Invoke-AzPagedRequest by validating nextLink pagination URLs before following them, reducing the risk of forwarding ARM bearer tokens to untrusted endpoints.

Changes:

  • Introduces an allowlist of trusted hosts for pagination (management.azure.com).
  • Validates that nextLink uses https and an allowed host; otherwise stops pagination.
  • Ensures pagination terminates cleanly by setting $nextUri = $null when nextLink is absent.

Comment thread Private/Invoke-AzPagedRequest.ps1 Outdated
cocallaw and others added 4 commits April 19, 2026 16:29
Replace Write-Error + break with throw when encountering an untrusted nextLink host in Invoke-AzPagedRequest. This ensures the pipeline stops immediately and the error is propagated to callers instead of silently continuing, allowing higher-level code to handle the exception.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
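
The check discussed in this conversation, as an added PowerShell example that is not the code from this PR or from the project: Assert-TrustedNextLink is a hypothetical helper name and the sample URLs are constructed, while the https-only rule, the management.azure.com allowlist and the throw on failure follow the PR description and the commit message above.

```powershell
# Added example; Assert-TrustedNextLink is a hypothetical name, not the project's function.
function Assert-TrustedNextLink {
    param(
        [Parameter(Mandatory)][string]$NextLink,
        # Allowlist named in the PR description.
        [string[]]$AllowedHosts = @('management.azure.com')
    )
    $uri = $null
    # Parse the value instead of string-matching it, so the real host is compared.
    if (-not [System.Uri]::TryCreate($NextLink, [System.UriKind]::Absolute, [ref]$uri)) {
        throw "nextLink is not an absolute URI: $NextLink"
    }
    if ($uri.Scheme -ne 'https') {
        throw "nextLink scheme '$($uri.Scheme)' is not https: $NextLink"
    }
    # Exact, case-insensitive host match; no suffix or substring matching.
    if ($AllowedHosts -notcontains $uri.Host) {
        throw "nextLink host '$($uri.Host)' is not in the allowed hosts list"
    }
    return $uri.AbsoluteUri
}

# Constructed sample nextLink values (not taken from the PR).
$samples = @(
    'https://management.azure.com/subscriptions?$skiptoken=abc',      # expected to pass
    'http://management.azure.com/subscriptions?$skiptoken=abc',       # wrong scheme
    'https://management.azure.com.untrusted.example/subscriptions',   # allowed name is only a prefix
    'https://management.azure.com@untrusted.example/subscriptions',   # allowed name is userinfo, not host
    '/subscriptions?$skiptoken=abc'                                   # not an absolute https URI
)

foreach ($link in $samples) {
    try {
        $next = Assert-TrustedNextLink -NextLink $link
        "FOLLOW  $next"
    }
    catch {
        # The throw reaches the caller before any request is built,
        # so the bearer token is never attached to an untrusted URL.
        "REJECT  $($_.Exception.Message)"
    }
}
```

In a pagination loop the helper would be called on each nextLink before the next request is issued, with the exception left to propagate to the caller.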
Development

Successfully merging this pull request may close these issues.

[Security] Pagination follows nextLink URLs without origin validation