protected override bool AfterForwardEvent(EventHandler<RuntimeEventArgs> handler, object sender, RuntimeEventArgs args)
{
IContext top = args.PopContext();
Debug.Assert(top == this);
return base.AfterForwardEvent(handler, sender, args);
}
/// <summary>
/// After event is forwarded
/// </summary>
/// <param name="handler">Handler to which the event is forwarded</param>
/// <param name="sender">Who's sending the event</param>
/// <param name="args">Arguments</param>
/// <returns></returns>
/// <remarks>Override to be called after the event is forwarded</remarks>
protected virtual bool AfterForwardEvent(
EventHandler<RuntimeEventArgs> handler,
object sender,
RuntimeEventArgs args)
{
return false;
}
protected override bool ForwardEventFault(EventHandler<RuntimeEventArgs> handler, object sender, RuntimeEventArgs args, Exception exp)
{
IContext top = args.PopContext();
Debug.Assert(top == this);
return base.ForwardEventFault(handler, sender, args, exp);
}
protected override bool BeforeForwardEvent(EventHandler<RuntimeEventArgs> handler, object sender, RuntimeEventArgs args)
{
bool shouldContinue = !IsMatch(args);
if (!shouldContinue) {
args.PushContext(this);
}
return shouldContinue;
}
/// <summary>
/// Verify CSRF guard before page executes
/// </summary>
/// <param name="sender"></param>
/// <param name="e"></param>
void OnPreRequestHandlerExecute(object sender, RuntimeEventArgs e)
{
// Get current page
Page currentPage = (HttpContext.Current != null ?
HttpContext.Current.CurrentHandler as Page :
null);
if (currentPage != null) {
// Add CSRF guard when page initializes
currentPage.Init += new EventHandler((p, a) => Esapi.HttpUtilities.AddCsrfToken() );
}
}
/// <summary>
/// Check if the context is matched
/// </summary>
/// <param name="args"></param>
/// <returns></returns>
private bool IsMatch(RuntimeEventArgs args)
{
bool isMatch = true;
// Check context match cache first
if (args.MatchCache.TryGetValue(this, out isMatch))
{
return(isMatch);
}
// Initialize condition arguments
isMatch = true;
ConditionArgs conditionArgs = new ConditionArgs()
{
RuntimeArgs = args
};
// Evaluate each condition
foreach (IContextCondition contextCondition in _conditions)
{
bool result = true;
// Check condition eval cache first
if (!args.EvalCache.TryGetValue(contextCondition.Condition, out result))
{
// Eval
result = (contextCondition.Condition.Evaluate(conditionArgs) == contextCondition.Result);
args.EvalCache.SetValue(contextCondition.Condition, result);
}
// Shortcut match if false
if (!result)
{
isMatch = false;
break;
}
}
// Cache
args.MatchCache.SetValue(this, isMatch);
// Return
return(isMatch);
}
/// <summary>
/// Handle rule execution fault
/// </summary>
/// <param name="handler">
/// A <see cref="EventHandler<RuntimeEventArgs>"/>
/// </param>
/// <param name="sender">
/// A <see cref="System.Object"/>
/// </param>
/// <param name="args">
/// A <see cref="RuntimeEventArgs"/>
/// </param>
/// <param name="exp">
/// A <see cref="Exception"/>
/// </param>
/// <returns>
/// A <see cref="System.Boolean"/>
/// </returns>
protected override bool ForwardEventFault(EventHandler<RuntimeEventArgs> handler, object sender, RuntimeEventArgs args, Exception exp)
{
// Init action args
ActionArgs actionArgs = new ActionArgs() {
FaultingRule = _rule,
FaultException = exp,
RuntimeArgs = args
};
try {
// Run each action
foreach (IAction action in _faultActions) {
action.Execute(actionArgs);
}
}
catch (Exception) {
// Nothing to do anymore, throw
throw;
}
return true;
}
/// <summary>
/// Check if the context is matched
/// </summary>
/// <param name="args"></param>
/// <returns></returns>
private bool IsMatch(RuntimeEventArgs args)
{
bool isMatch = true;
// Check context match cache first
if (args.MatchCache.TryGetValue(this, out isMatch)) {
return isMatch;
}
// Initialize condition arguments
isMatch = true;
ConditionArgs conditionArgs = new ConditionArgs() { RuntimeArgs = args };
// Evaluate each condition
foreach (IContextCondition contextCondition in _conditions) {
bool result = true;
// Check condition eval cache first
if (!args.EvalCache.TryGetValue(contextCondition.Condition, out result)) {
// Eval
result = (contextCondition.Condition.Evaluate(conditionArgs) == contextCondition.Result);
args.EvalCache.SetValue(contextCondition.Condition, result);
}
// Shortcut match if false
if (!result) {
isMatch = false;
break;
}
}
// Cache
args.MatchCache.SetValue(this, isMatch);
// Return
return isMatch;
}
/// <summary>
/// Bridge method - after handler exec
/// </summary>
/// <param name="sender"></param>
/// <param name="args"></param>
private void OnPostRequestHandlerExecute(object sender, RuntimeEventArgs args)
{
ForwardEvent(PostRequestHandlerExecute, sender, args);
}
protected override bool AfterForwardEvent(EventHandler <RuntimeEventArgs> handler, object sender, RuntimeEventArgs args)
{
IContext top = args.PopContext();
Debug.Assert(top == this);
return(base.AfterForwardEvent(handler, sender, args));
}
protected override bool BeforeForwardEvent(EventHandler <RuntimeEventArgs> handler, object sender, RuntimeEventArgs args)
{
bool shouldContinue = !IsMatch(args);
if (!shouldContinue)
{
args.PushContext(this);
}
return(shouldContinue);
}
/// <summary>
/// Verify request rate
/// </summary>
/// <param name="sender"></param>
/// <param name="e"></param>
void OnPreRequestHandlerExecute(object sender, RuntimeEventArgs e)
{
HttpSessionState session = (HttpContext.Current != null ? HttpContext.Current.Session : null);
// No session initialized yet
if (session == null) {
return;
}
// Get current and history requests
List<DateTime> requestHistory = GetRequestHistory(session);
Debug.Assert(requestHistory != null);
DateTime currentTimestamp = DateTime.Now;
// Lookup first in timespan
int pos = -1;
for (int i = 0; i < requestHistory.Count; ++i) {
DateTime hit = requestHistory[i];
if (currentTimestamp - hit <= _timespan) {
pos = i;
break;
}
}
// Add current
requestHistory.Add(currentTimestamp);
// Check & cleanup
if (pos != -1) {
// Remove expired records
for (int i = 0; i < pos; ++i) {
requestHistory.RemoveAt(0);
}
// Check interval
if (requestHistory.Count >= _maxCount) {
throw new IntrusionException(EM.RequestThrottleRule_MaximumExceeded, EM.RequestThrottleRule_MaximumExceeded);
}
}
}
protected override bool ForwardEventFault(EventHandler <RuntimeEventArgs> handler, object sender, RuntimeEventArgs args, Exception exp)
{
IContext top = args.PopContext();
Debug.Assert(top == this);
return(base.ForwardEventFault(handler, sender, args, exp));
}
/// <summary>
/// Forward event
/// </summary>
/// <param name="handler"></param>
/// <param name="sender"></param>
/// <param name="args"></param>
private void ForwardEvent(EventHandler <RuntimeEventArgs> handler, object sender, RuntimeEventArgs args)
{
if (handler != null)
{
try {
if (BeforeForwardEvent(handler, sender, args))
{
return;
}
handler(sender, args);
if (AfterForwardEvent(handler, sender, args))
{
return;
}
}
catch (Exception exp) {
if (!ForwardEventFault(handler, sender, args, exp))
{
throw;
}
}
}
}
/// <summary>
/// Add clickjack headers
/// </summary>
/// <param name="sender"></param>
/// <param name="e"></param>
void OnPostRequestHandlerExecute(object sender, RuntimeEventArgs e)
{
// Get response
HttpResponse response = (HttpContext.Current != null ? HttpContext.Current.Response : null);
if (response == null) {
throw new InvalidOperationException();
}
// Add clickjack protection
switch (_mode) {
case FramingModeType.Deny:
response.AddHeader(HeaderName, DenyValue);
break;
case FramingModeType.Sameorigin:
response.AddHeader(HeaderName, SameoriginValue);
break;
default:
throw new ArgumentOutOfRangeException();
}
}
/// <summary>
/// After event is forwarded
/// </summary>
/// <param name="handler">Handler to which the event is forwarded</param>
/// <param name="sender">Who's sending the event</param>
/// <param name="args">Arguments</param>
/// <returns></returns>
/// <remarks>Override to be called after the event is forwarded</remarks>
protected virtual bool AfterForwardEvent(EventHandler <RuntimeEventArgs> handler, object sender, RuntimeEventArgs args)
{
return(false);
}
/// <summary>
/// Event forward operation failed (exception thrown)
/// </summary>
/// <param name="handler">Handler to which the event is forwarded</param>
/// <param name="sender">Who's sending the event</param>
/// <param name="args">Arguments</param>
/// <param name="exp">Exception thrown</param>
/// <returns>True is fault handled, false otherwise</returns>
/// <remarks>Override to process forward exceptions</remarks>
protected virtual bool ForwardEventFault(EventHandler <RuntimeEventArgs> handler, object sender, RuntimeEventArgs args, Exception exp)
{
return(false);
}
/// <summary>
/// Handle rule execution fault
/// </summary>
/// <param name="handler">
/// A <see cref="EventHandler<RuntimeEventArgs>"/>
/// </param>
/// <param name="sender">
/// A <see cref="System.Object"/>
/// </param>
/// <param name="args">
/// A <see cref="RuntimeEventArgs"/>
/// </param>
/// <param name="exp">
/// A <see cref="Exception"/>
/// </param>
/// <returns>
/// A <see cref="System.Boolean"/>
/// </returns>
protected override bool ForwardEventFault(EventHandler <RuntimeEventArgs> handler, object sender, RuntimeEventArgs args, Exception exp)
{
// Init action args
ActionArgs actionArgs = new ActionArgs()
{
FaultingRule = _rule,
FaultException = exp,
RuntimeArgs = args
};
try {
// Run each action
foreach (IAction action in _faultActions)
{
action.Execute(actionArgs);
}
}
catch (Exception) {
// Nothing to do anymore, throw
throw;
}
return(true);
}
/// <summary>
/// Bridge method - before handler exec
/// </summary>
/// <param name="sender"></param>
/// <param name="args"></param>
private void OnPreRequestHandlerExecute(object sender, RuntimeEventArgs args)
{
this.ForwardEvent(this.PreRequestHandlerExecute, sender, args);
}
/// <summary>
/// Forward event
/// </summary>
/// <param name="handler"></param>
/// <param name="sender"></param>
/// <param name="args"></param>
private void ForwardEvent(EventHandler<RuntimeEventArgs> handler, object sender, RuntimeEventArgs args)
{
if (handler != null) {
try {
if (BeforeForwardEvent(handler, sender, args)) {
return;
}
handler(sender, args);
if (AfterForwardEvent(handler, sender, args)) {
return;
}
}
catch (Exception exp) {
if (!ForwardEventFault(handler, sender, args, exp)) {
throw;
}
}
}
}
/// <summary>
/// Event forward operation failed (exception thrown)
/// </summary>
/// <param name="handler">Handler to which the event is forwarded</param>
/// <param name="sender">Who's sending the event</param>
/// <param name="args">Arguments</param>
/// <param name="exp">Exception thrown</param>
/// <returns>True is fault handled, false otherwise</returns>
/// <remarks>Override to process forward exceptions</remarks>
protected virtual bool ForwardEventFault(EventHandler<RuntimeEventArgs> handler, object sender, RuntimeEventArgs args, Exception exp)
{
return false;
}
/// <summary>
/// Bridge method - after handler exec
/// </summary>
/// <param name="sender"></param>
/// <param name="args"></param>
private void OnPostRequestHandlerExecute(object sender, RuntimeEventArgs args)
{
ForwardEvent(PostRequestHandlerExecute, sender, args);
}