protected override void ValidateRequestInternal(RequestStub request, ValidateRequestResult <RequestStub> validateRequestResult)
{
if (_failValidateRequest)
{
validateRequestResult.AddArgumentError(req => req.SomeValue, new ArgumentErrorStub());
}
}
private string BuildLogMessage(string ip, ValidateRequestResult validateRequestResult)
{
StringBuilder message = new StringBuilder();
message.AppendFormat("Detected xss vulnerability. Time: {0}, IP:{1}, Request Part: {2}",
DateTime.Now.ToString(CultureInfo.InvariantCulture), ip,
validateRequestResult.DiseasedRequestPart);
return(message.ToString());
}
protected override void ValidateRequestInternal(AddressGetByIdRequest request, ValidateRequestResult<AddressGetByIdRequest> validateRequestResult)
{
if (validateRequestResult.NoErrorsForArgument(req => request.Id))
{
var result = _addressValidator.ValidateId(request.Id);
if (!result.IsValid)
validateRequestResult.AddArgumentError(req => req.Id, result.ArgumentError);
}
}
protected override void ValidateRequestInternal(StoreUpdateRequest request, ValidateRequestResult <StoreUpdateRequest> validateRequestResult)
{
if (validateRequestResult.NoErrorsForArgument(req => request.StoreId))
{
var result = _storeValidator.ValidateId(request.StoreId);
if (!result.IsValid)
{
validateRequestResult.AddArgumentError(req => req.StoreId, result.ArgumentError);
}
}
}
public async Task Invoke(HttpContext context)
{
if (context == null)
{
throw new ArgumentNullException(nameof(context));
}
string fileExtension = RouteFileExtension(context);
if (!String.IsNullOrEmpty(fileExtension) && _staticFileExtensions.Contains($"{fileExtension};"))
{
await _next(context);
return;
}
string route = RouteLowered(context);
using (StopWatchTimer stopwatchTimer = StopWatchTimer.Initialise(_timings))
{
bool validateFormInput = false;
foreach (ManagedRoute restrictedRoute in _managedRoutes)
{
if (restrictedRoute.ValidateFormFields && restrictedRoute.Route.StartsWith(route))
{
validateFormInput = true;
break;
}
}
ValidateRequestResult validateResult = _validateConnections.ValidateRequest(context.Request, validateFormInput, out int _);
if (!validateResult.HasFlag(ValidateRequestResult.IpWhiteListed))
{
if (validateResult.HasFlag(ValidateRequestResult.IpBlackListed))
{
context.Response.StatusCode = _badEggSettings.BannedResponseCode;
return;
}
else if (validateResult.HasFlag(ValidateRequestResult.TooManyRequests))
{
_notificationService.RaiseEvent(nameof(ValidateRequestResult.TooManyRequests), GetIpAddress(context));
context.Response.StatusCode = _badEggSettings.TooManyRequestResponseCode;
return;
}
}
}
await _next(context);
}
private void ValidateRequest(TRequest request, ValidateRequestResult <TRequest> validateRequestResult)
{
var dtoValidator = _dtoValidatorFactory.TryCreate <TRequest>();
if (dtoValidator != null)
{
var dtoValidatorResult = dtoValidator.Validate(request);
if (!dtoValidatorResult.IsValid)
{
validateRequestResult.ArgumentErrors.AddRange(dtoValidatorResult.ArgumentErrors);
}
}
ValidateRequestInternal(request, validateRequestResult);
}
public void Attach(HttpApplication httpApplication)
{
HttpRequest request = httpApplication.Request;
ValidateRequestResult validateRequestResult = _xssGuard.HasVulnerability(request);
if (validateRequestResult.IsValid)
{
return;
}
if (_configuration.Log.Equals(bool.TrueString))
{
LogXssWarning(request, validateRequestResult);
}
ProcessInternal(request, httpApplication.Response);
}
public ValidateCommandResult Validate(TRequest request)
{
var validateRequestResult = new ValidateRequestResult <TRequest>();
ValidateRequest(request, validateRequestResult);
if (!validateRequestResult.IsValid)
{
return(ValidateCommandResult.Invalid(new InvalidArgumentsResponseError(validateRequestResult.ArgumentErrors)));
}
var validateOperationResult = ValidateOperation(request);
if (!validateOperationResult.IsValid)
{
return(ValidateCommandResult.Invalid(validateOperationResult.ResponseError));
}
return(ValidateCommandResult.Valid());
}
public ValidateRequestResult HasVulnerability(HttpRequest request)
{
if (string.IsNullOrWhiteSpace(_configuration.ControlRegex))
{
_xssDetectionRegex = new Regex(_regexHelper.XssPattern, RegexOptions.IgnoreCase);
}
else
{
try
{
_xssDetectionRegex = new Regex(HttpUtility.HtmlDecode(_configuration.ControlRegex), RegexOptions.IgnoreCase);
}
catch
{
_xssDetectionRegex = new Regex(_regexHelper.XssPattern, RegexOptions.IgnoreCase);
}
}
ValidateRequestResult result = new ValidateRequestResult
{
IsValid = true,
DiseasedRequestPart = DiseasedRequestPart.None
};
if (request != null)
{
string queryString = request.QueryString.ToString();
if (!string.IsNullOrEmpty(queryString) && _regexHelper.ExecFor(_xssDetectionRegex, queryString))
{
result.IsValid = false;
result.DiseasedRequestPart = DiseasedRequestPart.QueryString;
}
if (request.HttpMethod.Equals("POST", StringComparison.InvariantCultureIgnoreCase))
{
string formPostValues;
try
{
formPostValues = request.Form.ToString();
}
catch (Exception ex)
{
if (_configuration.Log.Equals(bool.TrueString))
{
string message = $@"Request.Form getter called, Method :{MethodBase.GetCurrentMethod().Name}, Requested Page: {request.Url}";
_logger.Error(message, ex);
}
throw;
}
if (!string.IsNullOrEmpty(formPostValues) && _regexHelper.ExecFor(_xssDetectionRegex, formPostValues))
{
result.IsValid = false;
result.DiseasedRequestPart = DiseasedRequestPart.Form;
}
}
}
return(result);
}
private void LogXssWarning(HttpRequest request, ValidateRequestResult validateRequestResult)
{
string ipInformation = _ipAdressHelper.GetIpInformation(request);
_logger.Warn(BuildLogMessage(ipInformation, validateRequestResult));
}
protected virtual void ValidateRequestInternal(TRequest request, ValidateRequestResult <TRequest> validateRequestResult)
{
}
protected override void ValidateRequestInternal(ProductCreateRequest request, ValidateRequestResult <ProductCreateRequest> validateRequestResult)
{
if (validateRequestResult.NoErrorsForArgument(req => request.Product.StoreId))
{
var result = _storeValidator.ValidateId(request.Product.StoreId);
if (!result.IsValid)
{
validateRequestResult.AddArgumentError(req => req.Product.StoreId, result.ArgumentError);
}
}
if (validateRequestResult.NoErrorsForArgument(req => req.Product.Name) &&
validateRequestResult.NoErrorsForArgument(req => request.Product.StoreId))
{
var result = _productValidator.NameMustBeUnique(request.Product.Name, request.Product.StoreId);
if (!result.IsValid)
{
validateRequestResult.AddArgumentError(req => req.Product.Name, result.ArgumentError);
}
}
}