From 2d10b7df9f7047f7c04c862c6672abdd118e45c7 Mon Sep 17 00:00:00 2001
From: Silas Kenneth
Date: Wed, 24 Jan 2024 12:51:41 +0300
Subject: [PATCH 1/2] Strip the https:// prefix from allowed hosts.
---
 src/Authentication/AllowedHostsValidator.php | 14 ++++++++++----
 tests/Authentication/AllowedHostsValidatorTest.php | 2 +-
 2 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/src/Authentication/AllowedHostsValidator.php b/src/Authentication/AllowedHostsValidator.php
index 2f081ae..cf151d4 100644
--- a/src/Authentication/AllowedHostsValidator.php
+++ b/src/Authentication/AllowedHostsValidator.php
@@ -39,9 +39,15 @@ public function __construct(array $allowedHosts = [])
 public function setAllowedHosts(array $hosts): void
 {
 foreach ($hosts as $host) {
- $host = strtolower(trim($host));
- if (!array_key_exists($host, $this->allowedHosts)) {
- $this->allowedHosts[$host] = true;
+ $newHost = $host;
+ if (str_starts_with($host, "https://")) {
+ $newHost = substr($host, 8);
+ } else if (str_starts_with($host, 'http://')) {
+ $newHost = substr($host, 7);
+ }
+ $newHost = strtolower(trim($newHost));
+ if (!array_key_exists($newHost, $this->allowedHosts)) {
+ $this->allowedHosts[$newHost] = true;
 }
 }
 }
@@ -81,4 +87,4 @@ private function extractHost(string $url): string
 throw new \InvalidArgumentException("$url must contain host");
 }
 }
-}
\ No newline at end of file
+}
diff --git a/tests/Authentication/AllowedHostsValidatorTest.php b/tests/Authentication/AllowedHostsValidatorTest.php
index fee9e23..cd4083d 100644
--- a/tests/Authentication/AllowedHostsValidatorTest.php
+++ b/tests/Authentication/AllowedHostsValidatorTest.php
@@ -11,7 +11,7 @@ class AllowedHostsValidatorTest extends TestCase
 protected function setUp(): void
 {
- $hosts = ["abc.com", "ABC.COM", "abc.com "];
+ $hosts = ["abc.com", "ABC.COM", "abc.com ", "https://abc.com", "http://abc.com"];
 $this->defaultValidator = new AllowedHostsValidator($hosts);
 parent::setUp();
 }
From 593f4e88190912d040744eaaf091fa7359ee866c Mon Sep 17 00:00:00 2001
From: Silas Kenneth
Date: Wed, 24 Jan 2024 20:04:58 +0300
Subject: [PATCH 2/2] Change code to throw exception instead.
---
 src/Authentication/AllowedHostsValidator.php | 15 +++++++--------
 .../Authentication/AllowedHostsValidatorTest.php | 12 +++++++++++-
 2 files changed, 18 insertions(+), 9 deletions(-)
diff --git a/src/Authentication/AllowedHostsValidator.php b/src/Authentication/AllowedHostsValidator.php
index cf151d4..3dbdb61 100644
--- a/src/Authentication/AllowedHostsValidator.php
+++ b/src/Authentication/AllowedHostsValidator.php
@@ -8,6 +8,8 @@
 namespace Microsoft\Kiota\Abstractions\Authentication;
+use InvalidArgumentException;
+
 /**
 * Class AllowedHostsValidator
 *
@@ -39,15 +41,12 @@ public function __construct(array $allowedHosts = [])
 public function setAllowedHosts(array $hosts): void
 {
 foreach ($hosts as $host) {
- $newHost = $host;
- if (str_starts_with($host, "https://")) {
- $newHost = substr($host, 8);
- } else if (str_starts_with($host, 'http://')) {
- $newHost = substr($host, 7);
+ $host = strtolower(trim($host));
+ if (str_starts_with($host, "https://") || str_starts_with($host, 'http://')) {
+ throw new InvalidArgumentException("The host $host is not valid as it contains the scheme.");
 }
- $newHost = strtolower(trim($newHost));
- if (!array_key_exists($newHost, $this->allowedHosts)) {
- $this->allowedHosts[$newHost] = true;
+ if (!array_key_exists($host, $this->allowedHosts)) {
+ $this->allowedHosts[$host] = true;
 }
 }
 }
diff --git a/tests/Authentication/AllowedHostsValidatorTest.php b/tests/Authentication/AllowedHostsValidatorTest.php
index cd4083d..2af7a8c 100644
--- a/tests/Authentication/AllowedHostsValidatorTest.php
+++ b/tests/Authentication/AllowedHostsValidatorTest.php
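Review bot: In `setAllowedHosts` the new `throw` sits inside the same loop that writes to `$this->allowedHosts`, so a list such as `["abc.com", "https://abc.com"]` leaves `abc.com` registered before the exception propagates, and a caller that catches it carries on with a partially applied allow-list. Normalise and validate every entry into a local array first and merge it into the property only after the loop completes. The check also names only `http://` and `https://`, so an entry carrying any other scheme is still stored silently; as this list presumably gates which hosts a request may be authenticated against, rejecting any entry that contains `://` gives a tighter contract. The method's docblock lies outside the hunk and should gain `@throws InvalidArgumentException`; the constructor appears to delegate here (the test fixture passes hosts to it), so it would need the same tag.

```php
public function setAllowedHosts(array $hosts): void
{
    $validated = [];
    foreach ($hosts as $host) {
        $host = strtolower(trim($host));
        if (str_contains($host, '://')) {
            throw new InvalidArgumentException("The host $host is not valid as it contains the scheme.");
        }
        $validated[$host] = true;
    }
    // Commit only once every entry has passed validation; `+` keeps existing keys.
    $this->allowedHosts += $validated;
}
```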
@@ -11,7 +11,7 @@ class AllowedHostsValidatorTest extends TestCase
 protected function setUp(): void
 {
- $hosts = ["abc.com", "ABC.COM", "abc.com ", "https://abc.com", "http://abc.com"];
+ $hosts = ["abc.com", "ABC.COM", "abc.com "];
 $this->defaultValidator = new AllowedHostsValidator($hosts);
 parent::setUp();
 }
@@ -31,6 +31,16 @@ public function testSetAllowedHostsSetLowercaseTrimmedDeduplicatedHosts(): void
 $this->assertEquals($expected, $validator->getAllowedHosts());
 }
+ public function testShouldThrowException(): void
+ {
+ $hosts = ["https://abc.com "];
+ $this->expectException(\InvalidArgumentException::class);
+ $validator = new AllowedHostsValidator();
+ $validator->setAllowedHosts($hosts);
+ $expected = ["abc.com"]; //duplicates should not be added to allowed hosts
+
+ }
+
 public function testIsUrlHostValidWithValidHost(): void
 {
 $this->assertTrue($this->defaultValidator->isUrlHostValid("https://abc.com"));
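Review bot: In `testShouldThrowException` the line `$expected = ["abc.com"]; //duplicates should not be added to allowed hosts` after `setAllowedHosts($hosts)` never runs because that call throws, and its comment is left over from the deduplication test; remove it together with the blank line before the closing brace. The test exercises only `"https://abc.com "`, so nothing pins the `http://` branch or the trim-and-lowercase-before-check ordering the fix relies on; a data provider that also feeds `"http://abc.com"`, `"HTTPS://ABC.COM"` and `" https://abc.com"` would cover both. A case that passes the list to `new AllowedHostsValidator($hosts)` would cover the constructor path as well. A name such as `testSetAllowedHostsRejectsHostWithScheme` and an added `expectExceptionMessage(...)` call would state what is being asserted.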