Exemple #1
0
 protected override void ValidateRequestInternal(RequestStub request, ValidateRequestResult <RequestStub> validateRequestResult)
 {
     if (_failValidateRequest)
     {
         validateRequestResult.AddArgumentError(req => req.SomeValue, new ArgumentErrorStub());
     }
 }
Exemple #2
0
        private string BuildLogMessage(string ip, ValidateRequestResult validateRequestResult)
        {
            StringBuilder message = new StringBuilder();

            message.AppendFormat("Detected xss vulnerability. Time: {0}, IP:{1}, Request Part: {2}",
                                 DateTime.Now.ToString(CultureInfo.InvariantCulture), ip,
                                 validateRequestResult.DiseasedRequestPart);

            return(message.ToString());
        }
		protected override void ValidateRequestInternal(AddressGetByIdRequest request, ValidateRequestResult<AddressGetByIdRequest> validateRequestResult)
		{
			if (validateRequestResult.NoErrorsForArgument(req => request.Id))
			{
				var result = _addressValidator.ValidateId(request.Id);

				if (!result.IsValid)
					validateRequestResult.AddArgumentError(req => req.Id, result.ArgumentError);
			}
		}
Exemple #4
0
        protected override void ValidateRequestInternal(StoreUpdateRequest request, ValidateRequestResult <StoreUpdateRequest> validateRequestResult)
        {
            if (validateRequestResult.NoErrorsForArgument(req => request.StoreId))
            {
                var result = _storeValidator.ValidateId(request.StoreId);

                if (!result.IsValid)
                {
                    validateRequestResult.AddArgumentError(req => req.StoreId, result.ArgumentError);
                }
            }
        }
        public async Task Invoke(HttpContext context)
        {
            if (context == null)
            {
                throw new ArgumentNullException(nameof(context));
            }

            string fileExtension = RouteFileExtension(context);

            if (!String.IsNullOrEmpty(fileExtension) && _staticFileExtensions.Contains($"{fileExtension};"))
            {
                await _next(context);

                return;
            }

            string route = RouteLowered(context);

            using (StopWatchTimer stopwatchTimer = StopWatchTimer.Initialise(_timings))
            {
                bool validateFormInput = false;

                foreach (ManagedRoute restrictedRoute in _managedRoutes)
                {
                    if (restrictedRoute.ValidateFormFields && restrictedRoute.Route.StartsWith(route))
                    {
                        validateFormInput = true;
                        break;
                    }
                }

                ValidateRequestResult validateResult = _validateConnections.ValidateRequest(context.Request, validateFormInput, out int _);

                if (!validateResult.HasFlag(ValidateRequestResult.IpWhiteListed))
                {
                    if (validateResult.HasFlag(ValidateRequestResult.IpBlackListed))
                    {
                        context.Response.StatusCode = _badEggSettings.BannedResponseCode;
                        return;
                    }
                    else if (validateResult.HasFlag(ValidateRequestResult.TooManyRequests))
                    {
                        _notificationService.RaiseEvent(nameof(ValidateRequestResult.TooManyRequests), GetIpAddress(context));
                        context.Response.StatusCode = _badEggSettings.TooManyRequestResponseCode;
                        return;
                    }
                }
            }

            await _next(context);
        }
Exemple #6
0
        private void ValidateRequest(TRequest request, ValidateRequestResult <TRequest> validateRequestResult)
        {
            var dtoValidator = _dtoValidatorFactory.TryCreate <TRequest>();

            if (dtoValidator != null)
            {
                var dtoValidatorResult = dtoValidator.Validate(request);
                if (!dtoValidatorResult.IsValid)
                {
                    validateRequestResult.ArgumentErrors.AddRange(dtoValidatorResult.ArgumentErrors);
                }
            }

            ValidateRequestInternal(request, validateRequestResult);
        }
Exemple #7
0
        public void Attach(HttpApplication httpApplication)
        {
            HttpRequest request = httpApplication.Request;

            ValidateRequestResult validateRequestResult = _xssGuard.HasVulnerability(request);

            if (validateRequestResult.IsValid)
            {
                return;
            }

            if (_configuration.Log.Equals(bool.TrueString))
            {
                LogXssWarning(request, validateRequestResult);
            }

            ProcessInternal(request, httpApplication.Response);
        }
Exemple #8
0
        public ValidateCommandResult Validate(TRequest request)
        {
            var validateRequestResult = new ValidateRequestResult <TRequest>();

            ValidateRequest(request, validateRequestResult);

            if (!validateRequestResult.IsValid)
            {
                return(ValidateCommandResult.Invalid(new InvalidArgumentsResponseError(validateRequestResult.ArgumentErrors)));
            }


            var validateOperationResult = ValidateOperation(request);

            if (!validateOperationResult.IsValid)
            {
                return(ValidateCommandResult.Invalid(validateOperationResult.ResponseError));
            }

            return(ValidateCommandResult.Valid());
        }
Exemple #9
0
        public ValidateRequestResult HasVulnerability(HttpRequest request)
        {
            if (string.IsNullOrWhiteSpace(_configuration.ControlRegex))
            {
                _xssDetectionRegex = new Regex(_regexHelper.XssPattern, RegexOptions.IgnoreCase);
            }
            else
            {
                try
                {
                    _xssDetectionRegex = new Regex(HttpUtility.HtmlDecode(_configuration.ControlRegex), RegexOptions.IgnoreCase);
                }
                catch
                {
                    _xssDetectionRegex = new Regex(_regexHelper.XssPattern, RegexOptions.IgnoreCase);
                }
            }

            ValidateRequestResult result = new ValidateRequestResult
            {
                IsValid             = true,
                DiseasedRequestPart = DiseasedRequestPart.None
            };

            if (request != null)
            {
                string queryString = request.QueryString.ToString();

                if (!string.IsNullOrEmpty(queryString) && _regexHelper.ExecFor(_xssDetectionRegex, queryString))
                {
                    result.IsValid             = false;
                    result.DiseasedRequestPart = DiseasedRequestPart.QueryString;
                }

                if (request.HttpMethod.Equals("POST", StringComparison.InvariantCultureIgnoreCase))
                {
                    string formPostValues;

                    try
                    {
                        formPostValues = request.Form.ToString();
                    }
                    catch (Exception ex)
                    {
                        if (_configuration.Log.Equals(bool.TrueString))
                        {
                            string message = $@"Request.Form getter called, Method :{MethodBase.GetCurrentMethod().Name}, Requested Page: {request.Url}";
                            _logger.Error(message, ex);
                        }

                        throw;
                    }


                    if (!string.IsNullOrEmpty(formPostValues) && _regexHelper.ExecFor(_xssDetectionRegex, formPostValues))
                    {
                        result.IsValid             = false;
                        result.DiseasedRequestPart = DiseasedRequestPart.Form;
                    }
                }
            }

            return(result);
        }
Exemple #10
0
        private void LogXssWarning(HttpRequest request, ValidateRequestResult validateRequestResult)
        {
            string ipInformation = _ipAdressHelper.GetIpInformation(request);

            _logger.Warn(BuildLogMessage(ipInformation, validateRequestResult));
        }
Exemple #11
0
 protected virtual void ValidateRequestInternal(TRequest request, ValidateRequestResult <TRequest> validateRequestResult)
 {
 }
Exemple #12
0
        protected override void ValidateRequestInternal(ProductCreateRequest request, ValidateRequestResult <ProductCreateRequest> validateRequestResult)
        {
            if (validateRequestResult.NoErrorsForArgument(req => request.Product.StoreId))
            {
                var result = _storeValidator.ValidateId(request.Product.StoreId);

                if (!result.IsValid)
                {
                    validateRequestResult.AddArgumentError(req => req.Product.StoreId, result.ArgumentError);
                }
            }

            if (validateRequestResult.NoErrorsForArgument(req => req.Product.Name) &&
                validateRequestResult.NoErrorsForArgument(req => request.Product.StoreId))
            {
                var result = _productValidator.NameMustBeUnique(request.Product.Name, request.Product.StoreId);

                if (!result.IsValid)
                {
                    validateRequestResult.AddArgumentError(req => req.Product.Name, result.ArgumentError);
                }
            }
        }