private static Dictionary <string, string> GetCurrentHttpHeaders(WhiteListedHeaders whiteListedHeaders)
{
Dictionary <string, string> httpHeaders =
whiteListedHeaders != null
? whiteListedHeaders?.CurrentHttpHeaders
: new Dictionary <string, string>();
return(httpHeaders);
}
private static IEnumerable <string> GetCurrentDisallowedHeaders(WhiteListedHeaders whiteListedHeaders, Dictionary <string, string> httpHeaders)
{
var disallowedHeaders =
from header in whiteListedHeaders?.AllowedHttpHeaders
where httpHeaders.All(x => x.Key != httpHeaders.ToString())
select header;
return(disallowedHeaders);
}
private static Dictionary <string, string> GetCurrentAllowedHttpHeaders(WhiteListedHeaders whiteListedHeaders, Dictionary <string, string> httpHeaders)
{
var q = (from allowedHttpHeaders in whiteListedHeaders?.AllowedHttpHeaders
join currentHttpHeaders in httpHeaders on allowedHttpHeaders equals currentHttpHeaders.Key
orderby currentHttpHeaders.Key
select new
{
currentHttpHeaders.Key,
currentHttpHeaders.Value
}).ToDictionary(x => x.Key, y => y.Value);
return(q);
}
/// <summary>
/// Verifies the header content and validates data.
/// Documentation: https://github.com/CommunityHiQ/Frends.Community.SecurityThreatDiagnostics
/// Throws application exception if diagnostics find that header data is not valid.
/// </summary>
/// <param name="whiteListedHeaders">Known HTTP headers to be bypassed in validation.</param>
/// <param name="options">Configuration of the task</param>
/// <param name="cancellationToken"></param>
/// <returns>{SecurityThreatDiagnosticsResult.IsValid challenge}</returns>
public static SecurityThreatDiagnosticsResult ChallengeSecurityHeaders(
[PropertyTab] WhiteListedHeaders whiteListedHeaders,
[PropertyTab] Options options,
CancellationToken cancellationToken)
{
cancellationToken.ThrowIfCancellationRequested();
Dictionary <string, string> dictionary = new Dictionary <string, string>();
ConcurrentDictionary <string, SecurityRuleFilter> ruleDictionary = SecurityFilterReader.Instance;
StringBuilder validationChallengeMessage = new StringBuilder();
validationChallengeMessage
.Append("HTTP headers challenged for input validation ");
StringBuilder innerExceptionMessage = new StringBuilder();
innerExceptionMessage
.Append("HTTP headers challenged for input validation, \n");
var httpHeaders = GetCurrentHttpHeaders(whiteListedHeaders);
var allowedHttpHeaders = GetCurrentAllowedHttpHeaders(whiteListedHeaders, httpHeaders);
var disAllowedHeaders = GetCurrentDisallowedHeaders(whiteListedHeaders, httpHeaders);
foreach (var HttpHeaderPair in allowedHttpHeaders)
{
ChallengeHeaderValue(options, ruleDictionary, HttpHeaderPair, validationChallengeMessage, dictionary, innerExceptionMessage);
}
foreach (var nonViableHeader in disAllowedHeaders)
{
LogInvalidHeaderName(nonViableHeader);
}
if (disAllowedHeaders.ToList().Count > 0)
{
BuildHierarchicalExceptionMessage(innerExceptionMessage, disAllowedHeaders, validationChallengeMessage);
}
var securityThreatDiagnosticsResult = BuildResponseMessage();
return(securityThreatDiagnosticsResult);
}
