twilio · thinkingserious · May 29, 2021 · May 15, 2021 · May 19, 2021 · May 19, 2021
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -155,7 +155,6 @@ you are working:
 * All features or bug fixes **must be tested** by one or more tests.
 * All classes and methods **must be documented**.
 
-
 [docs-link]: https://www.twilio.com/docs/libraries/csharp
 [issue-link]: https://github.com/twilio/twilio-csharp/issues/new
 [github]: https://github.com/twilio/twilio-csharp
diff --git a/src/Twilio/Security/RequestValidator.cs b/src/Twilio/Security/RequestValidator.cs
@@ -46,8 +46,8 @@ public bool Validate(string url, NameValueCollection parameters, string expected
         public bool Validate(string url, IDictionary<string, string> parameters, string expected)
         {
             // check signature of url with and without port, since sig generation on back end is inconsistent
-            var signatureWithoutPort = GetValidationSignature(RemovePort(new UriBuilder(url)), parameters);
-            var signatureWithPort = GetValidationSignature(AddPort(new UriBuilder(url)), parameters);
+            var signatureWithoutPort = GetValidationSignature(RemovePort(url), parameters);
+            var signatureWithPort = GetValidationSignature(AddPort(url), parameters);
             // If either url produces a valid signature, we accept the request as valid
             return SecureCompare(signatureWithoutPort, expected) || SecureCompare(signatureWithPort, expected);
         }
@@ -124,23 +124,37 @@ private static bool SecureCompare(string a, string b)
             return mismatch == 0;
         }
 
-        private string RemovePort(UriBuilder uri)
+        private string RemovePort(string url)
         {
-            // UriBuilder.ToString() will not display the port 
-            // if the Port property is set to -1
-            uri.Port = -1;
-            return uri.ToString();
+            return SetPort(url, -1);
         }
 
-        private string AddPort(UriBuilder uri)
+        private string AddPort(string url)
         {
-            if (uri.Port != -1)
+            var uri = new UriBuilder(url);
+            return SetPort(url, uri.Port);
+        }
+
+        private string SetPort(string url, int port)
+        {
+            var uri = new UriBuilder(url);
+            uri.Host = PreserveCase(url, uri.Host);
+            if (port == -1)
             {
-                return uri.ToString();
+                uri.Port = port;
+            } else if ( port != 443 || port != 80 ) {
+                uri.Port = port;
+            } else {
+                uri.Port = uri.Scheme == "https" ? 443 : 80;
             }
-            uri.Port = uri.Scheme == "https" ? 443 : 80;
-            return uri.ToString();
+            var scheme = PreserveCase(url, uri.Scheme);
+            return uri.Uri.OriginalString.Replace(uri.Scheme, scheme);
         }
 
+        private string PreserveCase(string url, string replacementString)
+        {
+            var startIndex = url.IndexOf(replacementString, StringComparison.OrdinalIgnoreCase);
+            return url.Substring(startIndex, replacementString.Length);
+        }
     }
 }
diff --git a/test/Twilio.Test/Security/RequestValidatorTest.cs b/test/Twilio.Test/Security/RequestValidatorTest.cs
@@ -1,4 +1,5 @@
 using System;
+using System.Collections.Generic;
 using System.Collections.Specialized;
 using NUnit.Framework;
 using Twilio.Security;
@@ -31,6 +32,78 @@ public void TestValidateDictionary()
             Assert.IsTrue(_validator.Validate(Url, _parameters, signature), "Request does not match provided signature");
         }
 
+        [Test]
+        public void TestValidateDictionaryMixedCase()
+        {
+            const string signature = "g9IN/x4Cft2g517EjYvEvM/W7LU=";
+            const string url = "https://MyCompany.com/myapp.php?foo=1&bar=2";
+            Assert.IsTrue(_validator.Validate(url, _parameters, signature), "Request should have passed validation but didn't");
+        }
+
+        [Test]
+        public void TestValidateDictionaryMixedCaseWithPort()
+        {
+            const string signature = "PCqOZm8cnu/L6+u5i5fuEd+Iac4=";
+            const string url = "https://MyCompany.com:1234/myapp.php?foo=1&bar=2";
+            Assert.IsTrue(_validator.Validate(url, _parameters, signature), "Request should have passed validation but didn't");
+        }
+
+        [Test]
+        public void TestValidateDictionaryMixedCaseAddsPortHttp()
+        {
+            const string signature = "XY7AlKOKL6im4yWyX84gldUrtis=";
+            const string url = "http://MyCompany.com/myapp.php?foo=1&bar=2";
+            Assert.IsTrue(_validator.Validate(url, _parameters, signature), "Request should have passed validation but didn't");
+        }
+
+        [Test]
+        public void TestValidateCredentialsArePreserved()
+        {
+            const string signature = "PJ08CxXr7KLPjEQCTc8LkUSMwSM=";
+            const string url = "http://username:password@MyCompany.com/myapp.php?foo=1&bar=2";
+            Assert.IsTrue(_validator.Validate(url, _parameters, signature), $"Request should have passed validation but didn't");
+        }
+
+        [Test]
+        public void TestValidateCredentialsArePreservedUpperCaseScheme()
+        {
+            const string signature = "hy/l8pca+LFms4cvRdv8uiP6NGc=";
+            const string url = "HTTP://username:password@MyCompany.com/myapp.php?foo=1&bar=2";
+            Assert.IsTrue(_validator.Validate(url, _parameters, signature), $"Request should have passed validation but didn't");
+        }
+
+        [Test]
+        public void TestValidateCredentialsArePreservedMixedCaseCreds()
+        {
+            const string signature = "SkTSKyDJH9kUlhItI0slbgZ1UsI=";
+            const string url = "http://Username:Password@MyCompany.com/myapp.php?foo=1&bar=2";
+            Assert.IsTrue(_validator.Validate(url, _parameters, signature), $"Request should have passed validation but didn't");
+        }
+
+        [Test]
+        public void TestValidateDictionaryMixedCaseWithIncorrectSignature()
+        {
+            const string signature = "RSOYDt4T1cUTdK1PDd93/VVr8B8=";
+            const string url = "https://MyCompany.com/myapp.php?foo=1&bar=2";
+            Assert.IsFalse(_validator.Validate(url, _parameters, signature), "Request should have failed validation but didn't");
+        }
+
+        [Test]
+        public void TestValidateDictionaryMixedCaseWithPortWithIncorrectSignature()
+        {
+            const string signature = "RSOYDt4T1cUTdK1PDd93/VVr8B8=";
+            const string url = "https://MyCompany.com:1234/myapp.php?foo=1&bar=2";
+            Assert.IsFalse(_validator.Validate(url, _parameters, signature), "Request should have failed validation but didn't");
+        }
+
+        [Test]
+        public void TestValidateDictionaryMixedCaseAddsPortHttpWithIncorrectSignature()
+        {
+            const string signature = "RSOYDt4T1cUTdK1PDd93/VVr8B8=";
+            const string url = "http://MyCompany.com/myapp.php?foo=1&bar=2";
+            Assert.IsFalse(_validator.Validate(url, _parameters, signature), "Request should have failed validation but didn't");
+        }
+
         [Test]
         public void TestValidateFailsWhenIncorrect()
         {
@@ -82,9 +155,9 @@ public void TestValidateRemovesPortHttps()
         public void TestValidateRemovesPortHttp()
         {
             const string url = "http://mycompany.com:1234/myapp.php?foo=1&bar=2";
-            Assert.IsTrue(_validator.Validate(url, _parameters, "Zmvh+3yNM1Phv2jhDCwEM3q5ebU="), "Request does not match provided signature");
+            Assert.IsTrue(_validator.Validate(url, _parameters, "OyGYPqTF6ztdbRNCvuQO/oPvqQ4="), "Request does not match provided signature");
         }
-        
+
         [Test]
         public void TestValidateAddsPortHttps()
         {
@@ -98,5 +171,18 @@ public void TestValidateAddsPortHttp()
             Assert.IsTrue(_validator.Validate(url, _parameters, "0ZXoZLH/DfblKGATFgpif+LLRf4="), "Request does not match provided signature");
         }
 
+        [Test]
+        public void TestValidateAddsCustomPortHttps()
+        {
+            const string url = "https://mycompany.com:1234/myapp.php?foo=1&bar=2";
+            Assert.IsTrue(_validator.Validate(url, _parameters, "CYn1h0gLBdNxDGkKJg6hYohgeD8="), "Request does not match provided signature");
+        }
+
+        [Test]
+        public void TestValidateAddsCustomPortHttp()
+        {
+            const string url = "http://mycompany.com:1234/myapp.php?foo=1&bar=2";
+            Assert.IsTrue(_validator.Validate(url, _parameters, "Zmvh+3yNM1Phv2jhDCwEM3q5ebU="), "Request does not match provided signature");
+        }
     }
 }