/// <summary>
/// Verifies that a path-only redirect target carrying a query string passes validation
/// when redirect validation is enabled.
/// </summary>
/// <remarks>
/// The Location value has neither scheme nor host. The test pins that adding a query
/// string to such a target does not make the validator reject it.
/// </remarks>
public void ValidateRedirect_EnabledAndRelativeRedirectWithQueryString_NoException()
{
    var enabledConfig = new RedirectValidationConfiguration { Enabled = true };

    // 302 plus a relative Location; RequestUriHttps is declared outside this excerpt.
    Assert.DoesNotThrow(
        () => _redirectValidator.ValidateRedirect(
            302,
            "/Some/Interesting/Content?foo=bar",
            RequestUriHttps,
            enabledConfig));
}
/// <summary>
/// Verifies that an absolute redirect back to the requesting site is accepted without
/// any allow-list entry.
/// </summary>
/// <remarks>
/// NOTE(review): RequestUriHttps is declared outside this excerpt; the test name implies
/// it is an https URI on www.nwebsec.com - confirm against the fixture.
/// </remarks>
public void ValidateRedirect_EnabledAndAbsoluteRedirectToSameSite_NoException()
{
    const string sameSiteTarget = "https://www.nwebsec.com/Something/Worth/Seeing";
    const int found = 302;
    var enabledConfig = new RedirectValidationConfiguration { Enabled = true };

    // No AllowedUris are configured, so acceptance here does not come from an allow-list.
    Assert.DoesNotThrow(
        () => _redirectValidator.ValidateRedirect(found, sameSiteTarget, RequestUriHttps, enabledConfig));
}
/// <summary>
/// Verifies that an absolute redirect to a site that is not allow-listed is rejected
/// with a <see cref="RedirectValidationException"/>.
/// </summary>
/// <remarks>
/// This is the open-redirect case: validation is enabled, no AllowedUris are configured,
/// and the Location header names a different host than the request.
/// </remarks>
public void ValidateRedirect_EnabledAndRedirect_ThrowsException()
{
    var enabledConfig = new RedirectValidationConfiguration { Enabled = true };
    const string offSiteTarget = "http://evilsite.com";

    // The validator must throw rather than let the response leave for the foreign host.
    Assert.Throws<RedirectValidationException>(
        () => _redirectValidator.ValidateRedirect(302, offSiteTarget, RequestUriHttps, enabledConfig));
}
/// <summary>
/// Verifies that no validation takes place when the feature is switched off.
/// </summary>
/// <remarks>
/// The same off-site target that is rejected with Enabled = true passes here. The
/// Enabled flag is therefore the only thing between this configuration and an
/// unvalidated redirect.
/// </remarks>
public void ValidateRedirect_DisabledAndRedirect_NoException()
{
    const string offSiteTarget = "http://evilsite.com";
    const int found = 302;
    var disabledConfig = new RedirectValidationConfiguration { Enabled = false };

    Assert.DoesNotThrow(
        () => _redirectValidator.ValidateRedirect(found, offSiteTarget, RequestUriHttps, disabledConfig));
}
/// <summary>
/// Verifies that responses which are not redirects pass validation untouched.
/// </summary>
/// <remarks>
/// The list includes 304, which is in the 3xx range but is expected to pass like the
/// other codes. Every call passes an empty Location value.
/// </remarks>
public void ValidateRedirect_EnabledAndNoRedirect_NoException()
{
    int[] nonRedirectCodes = { 200, 304, 401, 403, 404, 500 };
    var enabledConfig = new RedirectValidationConfiguration { Enabled = true };

    for (var i = 0; i < nonRedirectCodes.Length; i++)
    {
        // Copy per iteration so the lambda sees exactly this status code.
        var code = nonRedirectCodes[i];

        Assert.DoesNotThrow(
            () => _redirectValidator.ValidateRedirect(code, "", RequestUriHttps, enabledConfig));
    }
}
/// <summary>
/// Verifies that an absolute redirect to a site listed in AllowedUris is accepted.
/// </summary>
/// <remarks>
/// The allow-list entry is produced through <see cref="Uri.AbsoluteUri"/>, while the
/// Location value is the raw string.
/// </remarks>
public void ValidateRedirect_EnabledAndAbsoluteRedirectToWhiteListedSite_NoException()
{
    const int found = 302;
    const string allowedTarget = "https://www.expectedsite.com";

    // Build the single allow-list entry in the same way as the original fixture.
    var allowListEntry = new Uri("https://www.expectedsite.com").AbsoluteUri;
    var allowListConfig = new RedirectValidationConfiguration
    {
        Enabled = true,
        AllowedUris = new[] { allowListEntry }
    };

    Assert.DoesNotThrow(
        () => _redirectValidator.ValidateRedirect(found, allowedTarget, RequestUriHttps, allowListConfig));
}
/// <summary>
/// Verifies that a same-host upgrade to HTTPS is rejected when the target port is not
/// among the configured ports.
/// </summary>
/// <remarks>
/// Ports 4567 and 443 are configured; the redirect goes to port 9999 and must throw
/// <see cref="RedirectValidationException"/>. The same-host HTTPS exception therefore
/// does not open every port on the host.
/// NOTE(review): RequestUriHttp is declared outside this excerpt; presumably an http
/// URI on www.nwebsec.com - confirm.
/// </remarks>
public void ValidateRedirect_SamehostToHttpsOtherThanConfiguredCustomPortsIncluding443_ThrowsException()
{
    var sameHostHttps = new SameHostHttpsRedirectConfiguration
    {
        Enabled = true,
        Ports = new[] { 4567, 443 }
    };
    var portLimitedConfig = new RedirectValidationConfiguration
    {
        Enabled = true,
        SameHostRedirectConfiguration = sameHostHttps
    };
    const string unlistedPortTarget = "https://www.nwebsec.com:9999/";

    Assert.Throws<RedirectValidationException>(
        () => _redirectValidator.ValidateRedirect(302, unlistedPortTarget, RequestUriHttp, portLimitedConfig));
}
/// <summary>
/// Verifies that a same-host upgrade to HTTPS is accepted on each configured custom port.
/// </summary>
/// <remarks>
/// Ports 4567 and 8989 are configured and both targets are checked in that order.
/// NOTE(review): RequestUriHttp is declared outside this excerpt; presumably an http
/// URI on www.nwebsec.com - confirm.
/// </remarks>
public void ValidateRedirect_SamehostToHttpsOnConfiguredCustomPorts_NoException()
{
    const int found = 302;
    var customPortConfig = new RedirectValidationConfiguration
    {
        Enabled = true,
        SameHostRedirectConfiguration = new SameHostHttpsRedirectConfiguration
        {
            Enabled = true,
            Ports = new[] { 4567, 8989 }
        }
    };

    // One target per configured port, validated in the original order.
    var listedPortTargets = new[] { "https://www.nwebsec.com:4567/", "https://www.nwebsec.com:8989/" };
    foreach (var target in listedPortTargets)
    {
        Assert.DoesNotThrow(
            () => _redirectValidator.ValidateRedirect(found, target, RequestUriHttp, customPortConfig));
    }
}
/// <summary>
/// Verifies that a redirect to the same host and scheme but a different port is rejected.
/// </summary>
/// <remarks>
/// The request is on port 88 and the target on port 81. The only allow-list entry is an
/// unrelated site, so the rejection shows that the port takes part in the same-site
/// comparison.
/// </remarks>
public void ValidateRedirect_EnabledAndAbsoluteRedirectAcrossPort_ThrowsException()
{
    var requestOnPort88 = new Uri("https://www.nwebsec.com:88/");
    const string targetOnPort81 = "https://www.nwebsec.com:81/";

    // Allow-list holds a different site only; it must not cover the cross-port target.
    var unrelatedAllowedUri = new Uri("https://www.expectedsite.com").AbsoluteUri;
    var allowListConfig = new RedirectValidationConfiguration
    {
        Enabled = true,
        AllowedUris = new[] { unrelatedAllowedUri }
    };

    Assert.Throws<RedirectValidationException>(
        () => _redirectValidator.ValidateRedirect(302, targetOnPort81, requestOnPort88, allowListConfig));
}
/// <summary>
/// Verifies that an allow-list entry for a sub-path does not authorize a redirect to
/// the site root with a query string.
/// </summary>
/// <remarks>
/// AllowedUris contains https://www.expectedsite.com/Kittens while the target is
/// https://www.expectedsite.com/?foo=bar, which must throw
/// <see cref="RedirectValidationException"/>. Matching the host alone is not enough;
/// the path of the allow-list entry is taken into account.
/// </remarks>
public void ValidateRedirect_EnabledAndAbsoluteRedirectToParentPathWithQueryString_ThrowsException()
{
    const int found = 302;
    const string parentPathTarget = "https://www.expectedsite.com/?foo=bar";

    var subPathEntry = new Uri("https://www.expectedsite.com/Kittens").AbsoluteUri;
    var allowListConfig = new RedirectValidationConfiguration
    {
        Enabled = true,
        AllowedUris = new[] { subPathEntry }
    };

    Assert.Throws<RedirectValidationException>(
        () => _redirectValidator.ValidateRedirect(found, parentPathTarget, RequestUriHttps, allowListConfig));
}