Example #1
0
        private static Dictionary <string, string> GetCurrentHttpHeaders(WhiteListedHeaders whiteListedHeaders)
        {
            Dictionary <string, string> httpHeaders =
                whiteListedHeaders != null
                    ? whiteListedHeaders?.CurrentHttpHeaders
                    : new Dictionary <string, string>();

            return(httpHeaders);
        }
Example #2
0
        private static IEnumerable <string> GetCurrentDisallowedHeaders(WhiteListedHeaders whiteListedHeaders, Dictionary <string, string> httpHeaders)
        {
            var disallowedHeaders =
                from header in whiteListedHeaders?.AllowedHttpHeaders
                where httpHeaders.All(x => x.Key != httpHeaders.ToString())
                select header;

            return(disallowedHeaders);
        }
Example #3
0
        private static Dictionary <string, string> GetCurrentAllowedHttpHeaders(WhiteListedHeaders whiteListedHeaders, Dictionary <string, string> httpHeaders)
        {
            var q = (from allowedHttpHeaders in whiteListedHeaders?.AllowedHttpHeaders
                     join currentHttpHeaders in httpHeaders on allowedHttpHeaders equals currentHttpHeaders.Key
                     orderby currentHttpHeaders.Key
                     select new
            {
                currentHttpHeaders.Key,
                currentHttpHeaders.Value
            }).ToDictionary(x => x.Key, y => y.Value);

            return(q);
        }
Example #4
0
        /// <summary>
        ///  Verifies the header content and validates data.
        /// Documentation: https://github.com/CommunityHiQ/Frends.Community.SecurityThreatDiagnostics
        /// Throws application exception if diagnostics find that header data is not valid.
        /// </summary>
        /// <param name="whiteListedHeaders">Known HTTP headers to be bypassed in validation.</param>
        /// <param name="options">Configuration of the task</param>
        /// <param name="cancellationToken"></param>
        /// <returns>{SecurityThreatDiagnosticsResult.IsValid challenge}</returns>
        public static SecurityThreatDiagnosticsResult ChallengeSecurityHeaders(
            [PropertyTab] WhiteListedHeaders whiteListedHeaders,
            [PropertyTab] Options options,
            CancellationToken cancellationToken)
        {
            cancellationToken.ThrowIfCancellationRequested();
            Dictionary <string, string> dictionary = new Dictionary <string, string>();
            ConcurrentDictionary <string, SecurityRuleFilter> ruleDictionary = SecurityFilterReader.Instance;

            StringBuilder validationChallengeMessage = new StringBuilder();

            validationChallengeMessage
            .Append("HTTP headers challenged for input validation ");

            StringBuilder innerExceptionMessage = new StringBuilder();

            innerExceptionMessage
            .Append("HTTP headers challenged for input validation, \n");

            var httpHeaders = GetCurrentHttpHeaders(whiteListedHeaders);

            var allowedHttpHeaders = GetCurrentAllowedHttpHeaders(whiteListedHeaders, httpHeaders);

            var disAllowedHeaders = GetCurrentDisallowedHeaders(whiteListedHeaders, httpHeaders);

            foreach (var HttpHeaderPair in allowedHttpHeaders)
            {
                ChallengeHeaderValue(options, ruleDictionary, HttpHeaderPair, validationChallengeMessage, dictionary, innerExceptionMessage);
            }

            foreach (var nonViableHeader in disAllowedHeaders)
            {
                LogInvalidHeaderName(nonViableHeader);
            }

            if (disAllowedHeaders.ToList().Count > 0)
            {
                BuildHierarchicalExceptionMessage(innerExceptionMessage, disAllowedHeaders, validationChallengeMessage);
            }

            var securityThreatDiagnosticsResult = BuildResponseMessage();

            return(securityThreatDiagnosticsResult);
        }