forcing granturl to be in same origin as hook url

2019-02-11 12:17:26 +01:00 · 2019-02-11 12:17:26 +01:00 · dc36826ec1
commit dc36826ec1
parent 71e3839056
3 changed files with 20 additions and 4 deletions
--- a/src/Services/Webhooks/Webhooks.API/Controllers/WebhooksController.cs
+++ b/src/Services/Webhooks/Webhooks.API/Controllers/WebhooksController.cs
@ -67,7 +67,7 @@ namespace Webhooks.API.Controllers
            var userId = _identityService.GetUserIdentity();


-            var grantOk = await _grantUrlTester.TestGrantUrl(request.GrantUrl, request.Token ?? string.Empty);
+            var grantOk = await _grantUrlTester.TestGrantUrl(request.Url, request.GrantUrl, request.Token ?? string.Empty);

            if (grantOk)
            {
--- a/src/Services/Webhooks/Webhooks.API/Services/GrantUrlTesterService.cs
+++ b/src/Services/Webhooks/Webhooks.API/Services/GrantUrlTesterService.cs
@ -1,6 +1,5 @@
 using Microsoft.Extensions.Logging;
 using System;
-using System.Collections.Generic;
 using System.Linq;
 using System.Net.Http;
 using System.Threading.Tasks;
@ -17,8 +16,15 @@ namespace Webhooks.API.Services
            _logger = logger;
        }

-        public async Task<bool> TestGrantUrl(string url, string token)
+        public async Task<bool> TestGrantUrl(string urlHook, string url, string token)
        {
+            if (!CheckSameOrigin(urlHook, url))
+            {
+                _logger.LogWarning($"Url of the hook ({urlHook} and the grant url ({url} do not belong to same origin)");
+                return false;
+            }
+
+
            var client = _clientFactory.CreateClient("GrantClient");
            var msg = new HttpRequestMessage(HttpMethod.Options, url);
            msg.Headers.Add("X-eshop-whtoken", token);
@ -37,5 +43,15 @@ namespace Webhooks.API.Services
                return false;
            }
        }
+
+        private bool CheckSameOrigin(string urlHook, string url)
+        {
+            var firstUrl = new Uri(urlHook, UriKind.Absolute);
+            var secondUrl = new Uri(url, UriKind.Absolute);
+
+            return firstUrl.Scheme == secondUrl.Scheme &&
+                firstUrl.Port == secondUrl.Port &&
+                firstUrl.Host == firstUrl.Host;
+        }
    }
 }
--- a/src/Services/Webhooks/Webhooks.API/Services/IGrantUrlTesterService.cs
+++ b/src/Services/Webhooks/Webhooks.API/Services/IGrantUrlTesterService.cs
@ -7,6 +7,6 @@ namespace Webhooks.API.Services
 {
    public interface IGrantUrlTesterService
    {
-        Task<bool> TestGrantUrl(string url, string token);
+        Task<bool> TestGrantUrl(string urlHook, string url, string token);
    }
 }