.Net: Add server URL validation options for OpenAPI plugins #13631

Open
SergeyMenshykh wants to merge 3 commits into microsoft:main from SergeyMenshykh:add-server-url-validation
SergeyMenshykh commented Mar 4, 2026

Motivation and Context

When loading OpenAPI specifications, the SDK uses the servers[].url field to construct HTTP request targets. This PR adds an opt-in mechanism for consumers to validate and restrict which URLs the OpenAPI plugin is allowed to call at runtime.

Description

Introduces RestApiOperationServerUrlValidationOptions, a new options class that can be configured via OpenApiFunctionExecutionParameters.ServerUrlValidationOptions to control outbound request targets:

  • AllowedSchemes (IReadOnlyList\<string\>?) — restricts which URI schemes are permitted. When null/empty, defaults to https only.
  • AllowedBaseUrls (IReadOnlyList\<Uri\>?) — restricts requests to URLs matching one of the specified base URL prefixes. When null, no base URL restriction is applied.

Validation is performed in RestApiOperationRunner before any HTTP request is sent. When ServerUrlValidationOptions is not set (default), behavior is unchanged — no validation is performed.

Changes

  • New class: RestApiOperationServerUrlValidationOptions
  • OpenApiFunctionExecutionParameters: added ServerUrlValidationOptions property ([Experimental("SKEXP0040")])
  • RestApiOperationRunner: added ValidateUrl() with scheme and base URL checks
  • OpenApiKernelPluginFactory: wires validation options through to the runner
  • 7 new unit tests covering scheme blocking, base URL allowlisting, and mixed configurations

Usage Example

var plugin = await kernel.ImportPluginFromOpenApiAsync(
    pluginName: "myApi",
    filePath: specPath,
    executionParameters: new OpenApiFunctionExecutionParameters
    {
        ServerUrlValidationOptions = new RestApiOperationServerUrlValidationOptions
        {
            AllowedBaseUrls = [new Uri("https://api.example.com")],
            AllowedSchemes = ["https"]
        }
    });

Contribution Checklist

SergeyMenshykh requested a review from a team as a code owner March 4, 2026 12:09
moonbox3 added the .NET (Issue or Pull requests regarding .NET code) label Mar 4, 2026
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
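
The two checks listed in the PR description (a scheme allowlist that defaults to https, and a base URL prefix allowlist), written out as an added example; this is not the PR's ValidateUrl() code. ServerUrlAllowlist, IsAllowed and IsUnderBase are hypothetical names, and comparing the prefix per URI component rather than as a raw string is an assumption about how a base URL should match.

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical helper (not the PR's ValidateUrl): applies the two documented checks.
public static class ServerUrlAllowlist
{
    public static bool IsAllowed(Uri url, IReadOnlyList<string>? allowedSchemes, IReadOnlyList<Uri>? allowedBaseUrls)
    {
        if (!url.IsAbsoluteUri) { return false; }

        // Null or empty scheme list falls back to https only, per the PR description.
        IReadOnlyList<string> schemes = allowedSchemes is { Count: > 0 } ? allowedSchemes : new[] { "https" };
        if (!schemes.Contains(url.Scheme, StringComparer.OrdinalIgnoreCase)) { return false; }

        // Null base URL list means no base URL restriction.
        return allowedBaseUrls is null || allowedBaseUrls.Any(b => b.IsAbsoluteUri && IsUnderBase(url, b));
    }

    // Assumption: the prefix is compared per URI component, so a host that merely
    // begins with an allowed host name, or a sibling path such as /v10, does not match.
    private static bool IsUnderBase(Uri url, Uri baseUrl)
    {
        if (url.Scheme != baseUrl.Scheme || url.Port != baseUrl.Port ||
            !string.Equals(url.Host, baseUrl.Host, StringComparison.OrdinalIgnoreCase))
        {
            return false;
        }
        string basePath = baseUrl.AbsolutePath.TrimEnd('/') + "/";
        string path = url.AbsolutePath.TrimEnd('/') + "/";
        return path.StartsWith(basePath, StringComparison.Ordinal);
    }

    public static void Main()
    {
        var bases = new[] { new Uri("https://api.example.com/v1") };
        // Constructed sample targets, as they might resolve from servers[].url plus an operation path.
        foreach (var s in new[] {
            "https://api.example.com/v1/items",           // under the allowed base
            "http://api.example.com/v1/items",            // scheme outside the https default
            "https://api.example.com.other.test/v1/items", // host only starts with the allowed host
            "https://api.example.com/v10/items" })         // sibling path, not under /v1
        {
            Console.WriteLine($"{IsAllowed(new Uri(s), null, bases),-5} {s}");
        }
    }
}
```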