public override string SanitizeTextBody(string contentType, string body) { JToken jsonO; // Prevent default behavior where JSON.NET will convert DateTimeOffset // into a DateTime. if (!LegacyConvertJsonDateTokens) { jsonO = JsonConvert.DeserializeObject <JToken>(body, SerializerSettings); } else { jsonO = JToken.Parse(body); } foreach (JToken token in jsonO.SelectTokens(_jsonPath)) { // HasValues is false for tokens with children. We will not apply sanitization if that is the case. if (!token.HasValues) { var replacement = StringSanitizer.SanitizeValue(token.Value <string>(), _newValue, _regexValue, _groupForReplace); // this sanitizer should only apply to actual values // if we attempt to apply a regex update to a jtoken that has a more complex type, throw token.Replace(JToken.FromObject(replacement)); } } return(JsonConvert.SerializeObject(jsonO, SerializerSettings)); }
// Token: 0x06000D83 RID: 3459 RVA: 0x0005A178 File Offset: 0x00058378 private OwaContext(HttpContext httpContext) { this.httpContext = httpContext; this.FormsRegistryContext = new FormsRegistryContext(ApplicationElement.NotSet, null, null, null); string pathAndQuery = this.GetModifiedUri().PathAndQuery; this.latencyDetectionContext = OwaContext.OwaLatencyDetectionContextFactory.CreateContext(Globals.ApplicationVersion, pathAndQuery, new IPerformanceDataProvider[] { PerformanceContext.Current, RpcDataProvider.Instance, MemoryDataProvider.Instance }); if (Globals.CollectPerRequestPerformanceStats) { this.owaPerformanceData = new OwaPerformanceData(httpContext.Request); } if (!StringSanitizer <OwaHtml> .TrustedStringsInitialized) { string location = Assembly.GetExecutingAssembly().Location; StringSanitizer <OwaHtml> .InitializeTrustedStrings(new string[] { location }); } }
/// <summary> /// This sanitizer offers regex replace within a returned body. Specifically, this means regex applying to the raw JSON. If you are attempting to simply /// replace a specific key, the BodyKeySanitizer is probably the way to go. Regardless, there are examples present in SanitizerTests.cs. /// to /// </summary> /// <param name="value">The substitution value.</param> /// <param name="regex">A regex. Can be defined as a simple regex replace OR if groupForReplace is set, a subsitution operation.</param> /// <param name="groupForReplace">The capture group that needs to be operated upon. Do not set if you're invoking a simple replacement operation.</param> /// <param name="condition"> /// A condition that dictates when this sanitizer applies to a request/response pair. The content of this key should be a JSON object that contains configuration keys. /// Currently, that only includes the key "uriRegex". This translates to an object that looks like '{ "uriRegex": "when this regex matches, apply the sanitizer" }'. Defaults to "apply always." /// </param> public BodyRegexSanitizer(string value = "Sanitized", string regex = null, string groupForReplace = null, ApplyCondition condition = null) { _newValue = value; _regexValue = regex; _groupForReplace = groupForReplace; Condition = condition; StringSanitizer.ConfirmValidRegex(regex); }
// Token: 0x06001C4E RID: 7246 RVA: 0x000A25B4 File Offset: 0x000A07B4 public static SanitizedHtmlString Format(IFormatProvider provider, string format, params object[] args) { SanitizedHtmlString sanitizedHtmlString = new SanitizedHtmlString(); sanitizedHtmlString.UntrustedValue = StringSanitizer <OwaHtml> .SanitizeFormat(provider, format, args); sanitizedHtmlString.DecreeToBeTrusted(); return(sanitizedHtmlString); }
// Token: 0x06001C4D RID: 7245 RVA: 0x000A2588 File Offset: 0x000A0788 public static SanitizedHtmlString Format(string format, params object[] args) { SanitizedHtmlString sanitizedHtmlString = new SanitizedHtmlString(); sanitizedHtmlString.UntrustedValue = StringSanitizer <OwaHtml> .SanitizeFormat(CultureInfo.InvariantCulture, format, args); sanitizedHtmlString.DecreeToBeTrusted(); return(sanitizedHtmlString); }
/// <summary> /// This sanitizer offers regex update of a specific JTokenPath. EG: "TableName" within a json response body having its value replaced by /// whatever substitution is offered. This simply means that if you are attempting to replace a specific key wholesale, this sanitizer will be /// simpler than configuring a BodyRegexSanitizer that has to match against the full "KeyName": "Value" that is part of the json structure. Further reading is available /// <a href="https://www.newtonsoft.com/json/help/html/SelectToken.htm#SelectTokenJSONPath">here.</a> If the body is NOT a JSON object, this sanitizer will NOT be applied. /// </summary> /// <param name="jsonPath">The SelectToken path (which could possibly match multiple entries) that will be used to select JTokens for value replacement.</param> /// <param name="value">The substitution value.</param> /// <param name="regex">A regex. Can be defined as a simple regex replace OR if groupForReplace is set, a subsitution operation. Defaults to replacing the entire string.</param> /// <param name="groupForReplace">The regex capture group that needs to be operated upon. Do not set if you're invoking a simple replacement operation.</param> /// <param name="condition"> /// A condition that dictates when this sanitizer applies to a request/response pair. The content of this key should be a JSON object that contains various configuration keys. /// Currently, that only includes the key "uriRegex". This translates to an object that looks like '{ "uriRegex": "when this regex matches, apply the sanitizer" }'. Defaults to "apply always." /// </param> public BodyKeySanitizer(string jsonPath, string value = "Sanitized", string regex = ".+", string groupForReplace = null, ApplyCondition condition = null) { _jsonPath = jsonPath; _newValue = value; _regexValue = regex; _groupForReplace = groupForReplace; Condition = condition; StringSanitizer.ConfirmValidRegex(regex); }
/// <summary> /// Can be used for multiple purposes: /// 1) To replace a key with a specific value, do not set "regex" value. /// 2) To do a simple regex replace operation, define arguments "key", "value", and "regex" /// 3) To do a targeted substitution of a specific group, define all arguments "key", "value", and "regex" /// </summary> /// <param name="key">The name of the header we're operating against.</param> /// <param name="value">The substitution or whole new header value, depending on "regex" setting.</param> /// <param name="regex">A regex. Can be defined as a simple regex replace OR if groupForReplace is set, a subsitution operation.</param> /// <param name="groupForReplace">The capture group that needs to be operated upon. Do not set if you're invoking a simple replacement operation.</param> /// <param name="condition"> /// A condition that dictates when this sanitizer applies to a request/response pair. The content of this key should be a JSON object that contains configuration keys. /// Currently, that only includes the key "uriRegex". This translates to an object that looks like '{ "uriRegex": "when this regex matches, apply the sanitizer" }'. Defaults to "apply always." /// </param> public HeaderRegexSanitizer(string key, string value = "Sanitized", string regex = ".+", string groupForReplace = null, ApplyCondition condition = null) { _targetKey = key; _newValue = value; _regexValue = regex; _groupForReplace = groupForReplace; Condition = condition; StringSanitizer.ConfirmValidRegex(regex); }
public override void SanitizeHeaders(IDictionary <string, string[]> headers) { if (headers.ContainsKey(_targetKey)) { var originalValue = headers[_targetKey][0]; var replacement = StringSanitizer.SanitizeValue(originalValue, _newValue, _regexValue, _groupForReplace); headers[_targetKey] = new string[] { replacement }; } }
/// <summary> /// This sanitizer offers a general regex replace across request/response Body, Headers, and URI. For the body, this means regex applying to the raw JSON. /// to /// </summary> /// <param name="value">The substitution value.</param> /// <param name="regex">A regex. Can be defined as a simple regex replace OR if groupForReplace is set, a subsitution operation.</param> /// <param name="groupForReplace">The capture group that needs to be operated upon. Do not set if you're invoking a simple replacement operation.</param> /// <param name="condition"> /// A condition that dictates when this sanitizer applies to a request/response pair. The content of this key should be a JSON object that contains configuration keys. /// Currently, that only includes the key "uriRegex". This translates to an object that looks like '{ "uriRegex": "when this regex matches, apply the sanitizer" }'. Defaults to "apply always." /// </param> public GeneralRegexSanitizer(string value = "Sanitized", string regex = ".+", string groupForReplace = null, ApplyCondition condition = null) { _newValue = value; _regexValue = regex; _groupForReplace = groupForReplace; Condition = condition; StringSanitizer.ConfirmValidRegex(regex); _bodySanitizer = new BodyRegexSanitizer(value, regex, groupForReplace); _uriSanitizer = new UriRegexSanitizer(value, regex, groupForReplace); }
public override string SanitizeTextBody(string contentType, string body) { bool sanitized = false; JToken jsonO; try { // Prevent default behavior where JSON.NET will convert DateTimeOffset // into a DateTime. if (!LegacyConvertJsonDateTokens) { jsonO = JsonConvert.DeserializeObject <JToken>(body, SerializerSettings); } else { jsonO = JToken.Parse(body); } } catch (JsonReaderException) { return(body); } foreach (JToken token in jsonO.SelectTokens(_jsonPath)) { // HasValues is false for tokens with children. We will not apply sanitization if that is the case. if (!token.HasValues) { var originalValue = token.Value <string>(); // regex replacement does not support null if (originalValue == null) { continue; } var replacement = StringSanitizer.SanitizeValue(originalValue, _newValue, _regexValue, _groupForReplace); // this sanitizer should only apply to actual values // if we attempt to apply a regex update to a jtoken that has a more complex type, throw token.Replace(JToken.FromObject(replacement)); if (originalValue != replacement) { sanitized = true; } } } return(sanitized ? JsonConvert.SerializeObject(jsonO, SerializerSettings) : body); }
public override void SanitizeHeaders(IDictionary <string, string[]> headers) { if (headers.ContainsKey(_targetKey)) { // Accessing 0th key safe due to the fact that we force header values in without splitting them on ;. // We do this because letting .NET split and then reassemble header values introduces a space into the header itself // Ex: "application/json;odata=minimalmetadata" with .NET default header parsing becomes "application/json; odata=minimalmetadata" // Given this breaks signature verification, we have to avoid it. var originalValue = headers[_targetKey][0]; var replacement = StringSanitizer.SanitizeValue(originalValue, _newValue, _regexValue, _groupForReplace); headers[_targetKey] = new string[] { replacement }; } }
public override void SanitizeHeaders(IDictionary <string, string[]> headers) { foreach (var headerKey in headers.Keys) { // Accessing 0th key safe due to the fact that we force header values in without splitting them on ;. // We do this because letting .NET split and then reassemble header values introduces a space into the header itself // Ex: "application/json;odata=minimalmetadata" with .NET default header parsing becomes "application/json; odata=minimalmetadata" // Given this breaks signature verification, we have to avoid it. var originalValue = headers[headerKey][0]; var replacement = StringSanitizer.ReplaceValue(inputValue: originalValue, targetValue: _targetValue, replacementValue: _newValue); headers[headerKey][0] = replacement; } }
/// <summary> /// Fetches a list of github users from either the api or in the memory cache /// </summary> /// <param name="model">list of string username</param> /// <returns>response object</returns> public async Task <ResponseObject> GetGitHubUsers(string model) { var response = new ResponseObject(ResponseType.Success, string.Empty); List <string> stringListModel = DataTypeConverter.ConvertStringToList(model); var gitHubUserList = new List <GitHubUsersDto>(); stringListModel = StringSanitizer.SanitizeStringListByGitHubPolicy(stringListModel); var modelValuesCount = ValidateArrayString(stringListModel); if (!modelValuesCount.IsSuccess) { return(modelValuesCount); } int numberOfCachedRecords = 0; int numberOfRecordsNotFound = 0; foreach (var item in stringListModel) { if (stringListModel.Any()) { var sanitizedString = StringSanitizer.ToLowerAndTrim(item); var gitHubUserDto = new GitHubUsersDto(); var fetchDataFromGithub = await FetchDataByUserName(sanitizedString); if (fetchDataFromGithub.IsSuccess) { gitHubUserDto = _mapper.Map <GitHubUsersDto>(fetchDataFromGithub.Data); _inMemoryWorkerService.StoreDataInMemory(gitHubUserDto, StringSanitizer.ToLowerAndTrim(gitHubUserDto.Login)); gitHubUserList.Add(gitHubUserDto); } else if (fetchDataFromGithub.IsCached) { gitHubUserDto = _mapper.Map <GitHubUsersDto>(fetchDataFromGithub.Data); numberOfCachedRecords++; gitHubUserList.Add(gitHubUserDto); } else { numberOfRecordsNotFound++; } } } response.Data = gitHubUserList.OrderBy(x => x.Name); response.Message = numberOfCachedRecords + " out of " + modelValuesCount.Data + " is cached and " + numberOfRecordsNotFound + " record(s) were not found. Username that violates github policy were removed."; return(response); }
public override string SanitizeUri(string uri) { return(StringSanitizer.ReplaceValue(inputValue: uri, targetValue: _targetValue, replacementValue: _newValue)); }
public override string SanitizeTextBody(string contentType, string body) { return(StringSanitizer.SanitizeValue(body, _newValue, _regexValue, _groupForReplace)); }
public override byte[] SanitizeBody(string contentType, byte[] body) { return(Encoding.UTF8.GetBytes(StringSanitizer.ReplaceValue(inputValue: Encoding.UTF8.GetString(body), targetValue: _targetValue, replacementValue: _newValue))); }
public override string SanitizeTextBody(string contentType, string body) { return(StringSanitizer.ReplaceValue(inputValue: body, targetValue: _targetValue, replacementValue: _newValue)); }
public override byte[] SanitizeBody(string contentType, byte[] body) { return(Encoding.UTF8.GetBytes(StringSanitizer.SanitizeValue(Encoding.UTF8.GetString(body), _newValue, _regexValue, _groupForReplace))); }
public override string SanitizeUri(string uri) { return(StringSanitizer.SanitizeValue(uri, _newValue, _regexValue, _groupForReplace)); }