public void ValidateRedirect_EnabledAndRelativeRedirectWithQueryString_NoException()
        {
            // A Location that is a rooted relative path (here with a query string) must pass
            // validation when redirect validation is enabled.
            // Only the single-leading-slash form is exercised by this test.
            var settings = new RedirectValidationConfiguration
            {
                Enabled = true
            };
            const string target = "/Some/Interesting/Content?foo=bar";
            const int redirectStatus = 302;

            Assert.DoesNotThrow(() =>
            {
                _redirectValidator.ValidateRedirect(redirectStatus, target, RequestUriHttps, settings);
            });
        }
        public void ValidateRedirect_EnabledAndAbsoluteRedirectToSameSite_NoException()
        {
            // An absolute redirect back to the requesting site needs no allow-list entry.
            // NOTE(review): RequestUriHttps is declared outside this view; presumably it is an
            // https URI on www.nwebsec.com - confirm against the fixture.
            var settings = new RedirectValidationConfiguration
            {
                Enabled = true
            };
            const string sameSiteTarget = "https://www.nwebsec.com/Something/Worth/Seeing";
            const int redirectStatus = 302;

            Assert.DoesNotThrow(() =>
            {
                _redirectValidator.ValidateRedirect(redirectStatus, sameSiteTarget, RequestUriHttps, settings);
            });
        }
        public void ValidateRedirect_EnabledAndRedirect_ThrowsException()
        {
            // Core open-redirect guard: with validation enabled and nothing allow-listed,
            // a 302 to a different site must raise RedirectValidationException.
            var settings = new RedirectValidationConfiguration
            {
                Enabled = true
            };
            const string foreignTarget = "http://evilsite.com";
            const int redirectStatus = 302;

            Assert.Throws<RedirectValidationException>(() =>
            {
                _redirectValidator.ValidateRedirect(redirectStatus, foreignTarget, RequestUriHttps, settings);
            });
        }
        public void ValidateRedirect_DisabledAndRedirect_NoException()
        {
            // With Enabled = false the validator does not throw, even for an off-site target.
            // The protection therefore depends entirely on the flag being switched on.
            var settings = new RedirectValidationConfiguration
            {
                Enabled = false
            };
            const string foreignTarget = "http://evilsite.com";
            const int redirectStatus = 302;

            Assert.DoesNotThrow(() =>
            {
                _redirectValidator.ValidateRedirect(redirectStatus, foreignTarget, RequestUriHttps, settings);
            });
        }
        public void ValidateRedirect_EnabledAndNoRedirect_NoException()
        {
            // Non-redirect status codes with an empty Location must not throw
            // while validation is enabled.
            int[] nonRedirectStatuses = { 200, 304, 401, 403, 404, 500 };
            var settings = new RedirectValidationConfiguration
            {
                Enabled = true
            };

            for (var i = 0; i < nonRedirectStatuses.Length; i++)
            {
                // Copy into a per-iteration local so the lambda captures this iteration's value.
                var status = nonRedirectStatuses[i];
                Assert.DoesNotThrow(() => _redirectValidator.ValidateRedirect(status, "", RequestUriHttps, settings));
            }
        }
        public void ValidateRedirect_EnabledAndAbsoluteRedirectToWhiteListedSite_NoException()
        {
            // An off-site redirect is accepted when its target is present in AllowedUris.
            // The entry is passed through Uri.AbsoluteUri, so the allow-list holds the
            // canonical form of the URI rather than the raw string literal.
            var allowedSite = new Uri("https://www.expectedsite.com").AbsoluteUri;
            var settings = new RedirectValidationConfiguration
            {
                Enabled = true,
                AllowedUris = new[] { allowedSite }
            };
            const string target = "https://www.expectedsite.com";
            const int redirectStatus = 302;

            Assert.DoesNotThrow(() =>
            {
                _redirectValidator.ValidateRedirect(redirectStatus, target, RequestUriHttps, settings);
            });
        }
        public void ValidateRedirect_SamehostToHttpsOtherThanConfiguredCustomPortsIncluding443_ThrowsException()
        {
            // Same-host HTTPS redirects are enabled for ports 4567 and 443 only; a redirect to
            // port 9999 on www.nwebsec.com must still be rejected.
            // NOTE(review): RequestUriHttp is declared outside this view; presumably it is the
            // plain-http URI of the same host - confirm against the fixture.
            var sameHostHttps = new SameHostHttpsRedirectConfiguration
            {
                Enabled = true,
                Ports = new[] { 4567, 443 }
            };
            var settings = new RedirectValidationConfiguration
            {
                Enabled = true,
                SameHostRedirectConfiguration = sameHostHttps
            };
            const int redirectStatus = 302;

            Assert.Throws<RedirectValidationException>(() =>
            {
                _redirectValidator.ValidateRedirect(redirectStatus, "https://www.nwebsec.com:9999/", RequestUriHttp, settings);
            });
        }
        public void ValidateRedirect_SamehostToHttpsOnConfiguredCustomPorts_NoException()
        {
            // Each port listed in the same-host HTTPS configuration (4567 and 8989) must be
            // accepted as a redirect target on www.nwebsec.com.
            // NOTE(review): RequestUriHttp is declared outside this view; presumably it is the
            // plain-http URI of the same host - confirm against the fixture.
            var sameHostHttps = new SameHostHttpsRedirectConfiguration
            {
                Enabled = true,
                Ports = new[] { 4567, 8989 }
            };
            var settings = new RedirectValidationConfiguration
            {
                Enabled = true,
                SameHostRedirectConfiguration = sameHostHttps
            };
            const int redirectStatus = 302;

            // First configured port.
            Assert.DoesNotThrow(() =>
            {
                _redirectValidator.ValidateRedirect(redirectStatus, "https://www.nwebsec.com:4567/", RequestUriHttp, settings);
            });

            // Second configured port.
            Assert.DoesNotThrow(() =>
            {
                _redirectValidator.ValidateRedirect(redirectStatus, "https://www.nwebsec.com:8989/", RequestUriHttp, settings);
            });
        }
        public void ValidateRedirect_EnabledAndAbsoluteRedirectAcrossPort_ThrowsException()
        {
            // The request arrives on port 88 and the redirect points at port 81 of the same
            // host. Only an unrelated site is allow-listed, so the validator is expected to
            // throw: a different port is not accepted as the same site.
            var unrelatedAllowedSite = new Uri("https://www.expectedsite.com").AbsoluteUri;
            var settings = new RedirectValidationConfiguration
            {
                Enabled = true,
                AllowedUris = new[] { unrelatedAllowedSite }
            };
            var requestOnPort88 = new Uri("https://www.nwebsec.com:88/");
            const string targetOnPort81 = "https://www.nwebsec.com:81/";
            const int redirectStatus = 302;

            Assert.Throws<RedirectValidationException>(() =>
            {
                _redirectValidator.ValidateRedirect(redirectStatus, targetOnPort81, requestOnPort88, settings);
            });
        }
        public void ValidateRedirect_EnabledAndAbsoluteRedirectToParentPathWithQueryString_ThrowsException()
        {
            // The allow-list entry names the /Kittens path on www.expectedsite.com. A redirect
            // to the site root with a query string lies outside that entry and must be rejected,
            // i.e. allow-listing one path does not authorise the whole host.
            var allowedPath = new Uri("https://www.expectedsite.com/Kittens").AbsoluteUri;
            var settings = new RedirectValidationConfiguration
            {
                Enabled = true,
                AllowedUris = new[] { allowedPath }
            };
            const string parentPathTarget = "https://www.expectedsite.com/?foo=bar";
            const int redirectStatus = 302;

            Assert.Throws<RedirectValidationException>(() =>
            {
                _redirectValidator.ValidateRedirect(redirectStatus, parentPathTarget, RequestUriHttps, settings);
            });
        }