AppStd/EnvelopeGenerator
8
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Implementierung von HtmlSanitizer und UrlEncoder zur Absicherung von Benutzereingaben gegen XSS und URL-Manipulationsanfälligkeiten.

Browse Source
This commit is contained in:
Developer 02
2024-05-07 16:26:04 +02:00
parent b19cccdc34
commit d8617093ce
11 changed files with 117 additions and 47 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
EnvelopeGenerator.Web/Controllers/EnvelopeController.cs
View File

@@ -1,10 +1,9 @@
using EnvelopeGenerator.Application.Contracts;
using EnvelopeGenerator.Application.Services;
using EnvelopeGenerator.Application.Services;
using EnvelopeGenerator.Common;
using EnvelopeGenerator.Web.Services;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using System.Text.Encodings.Web;
namespace EnvelopeGenerator.Web.Controllers
{
@@ -13,13 +12,13 @@ namespace EnvelopeGenerator.Web.Controllers
{
private readonly EnvelopeOldService envelopeService;
private readonly ActionService? actionService;
private readonly IEnvelopeService _envelopeService;
private readonly UrlEncoder _urlEncoder;
public EnvelopeController(DatabaseService database, EnvelopeOldService envelope, ILogger<EnvelopeController> logger, IEnvelopeService envService) : base(database, logger)
public EnvelopeController(DatabaseService database, EnvelopeOldService envelope, ILogger<EnvelopeController> logger, UrlEncoder urlEncoder) : base(database, logger)
{
envelopeService = envelope;
actionService = database?.Services?.actionService;
_envelopeService = envService;
_urlEncoder = urlEncoder;
}
[NonAction]
@@ -28,6 +27,8 @@ namespace EnvelopeGenerator.Web.Controllers
{
try
{
envelopeKey = _urlEncoder.Encode(envelopeKey);
// Validate Envelope Key and load envelope
envelopeService.EnsureValidEnvelopeKey(envelopeKey);
@@ -52,6 +53,8 @@ namespace EnvelopeGenerator.Web.Controllers
{
try
{
envelopeKey = _urlEncoder.Encode(envelopeKey);
var authSignature = this.GetAuthenticatedReceiverSignature();
if (authSignature != envelopeKey.GetReceiverSignature())

15
EnvelopeGenerator.Web/Controllers/HomeController.cs
View File

@@ -16,6 +16,9 @@ using EnvelopeGenerator.Application.DTOs;
using Microsoft.AspNetCore.Localization;
using Newtonsoft.Json.Linq;
using Microsoft.Extensions.Configuration;
using Ganss.Xss;
using System.Text.Encodings.Web;
using EnvelopeGenerator.Domain.Entities;
namespace EnvelopeGenerator.Web.Controllers
{
@@ -26,22 +29,26 @@ namespace EnvelopeGenerator.Web.Controllers
private readonly IEnvelopeHistoryService _historyService;
private readonly IStringLocalizer<Resource> _localizer;
private readonly IConfiguration _configuration;
private readonly UrlEncoder _urlEncoder;
public HomeController(DatabaseService databaseService, EnvelopeOldService envelopeOldService, ILogger<HomeController> logger, IEnvelopeReceiverService envelopeReceiverService, IEnvelopeHistoryService historyService, IStringLocalizer<Resource> localizer, IConfiguration configuration) : base(databaseService, logger)
public HomeController(DatabaseService databaseService, EnvelopeOldService envelopeOldService, ILogger<HomeController> logger, IEnvelopeReceiverService envelopeReceiverService, IEnvelopeHistoryService historyService, IStringLocalizer<Resource> localizer, IConfiguration configuration, UrlEncoder urlEncoder) : base(databaseService, logger)
{
this.envelopeOldService = envelopeOldService;
_envRcvService = envelopeReceiverService;
_historyService = historyService;
_localizer = localizer;
_configuration = configuration;
_urlEncoder = urlEncoder;
}
[HttpGet("/EnvelopeKey/{envelopeReceiverId}")]
public async Task<IActionResult> SendAccessCode([FromRoute] string envelopeReceiverId)
{
ViewData["EnvelopeKey"] = envelopeReceiverId;
try
{
envelopeReceiverId = _urlEncoder.Encode(envelopeReceiverId);
ViewData["EnvelopeKey"] = envelopeReceiverId;
return await _envRcvService.ReadByEnvelopeReceiverIdAsync(envelopeReceiverId: envelopeReceiverId).ThenAsync<EnvelopeReceiverDto, IActionResult>(
SuccessAsync: async er =>
{
@@ -77,6 +84,7 @@ namespace EnvelopeGenerator.Web.Controllers
{
try
{
envelopeReceiverId = _urlEncoder.Encode(envelopeReceiverId);
ViewData["Languages"] = _configuration.GetSection("Languages").Get<string[]>()!;
ViewData["UserLanguage"] = UserLanguage;
@@ -100,6 +108,7 @@ namespace EnvelopeGenerator.Web.Controllers
{
try
{
envelopeReceiverId = _urlEncoder.Encode(envelopeReceiverId);
(string? uuid, string? signature) = envelopeReceiverId.DecodeEnvelopeReceiverId();
if(uuid is null || signature is null)
@@ -187,6 +196,7 @@ namespace EnvelopeGenerator.Web.Controllers
{
try
{
envelopeReceiverId = _urlEncoder.Encode(envelopeReceiverId);
return await _envRcvService.IsExisting(envelopeReceiverId: envelopeReceiverId).ThenAsync(
SuccessAsync: async isExisting =>
{
@@ -231,6 +241,7 @@ namespace EnvelopeGenerator.Web.Controllers
{
try
{
language = _urlEncoder.Encode(language);
var cookieOptions = new CookieOptions()
{
Expires = DateTimeOffset.UtcNow.AddYears(1),

37
EnvelopeGenerator.Web/Controllers/Test/TestSanitizeController.cs Normal file
View File

@@ -0,0 +1,37 @@
using Ganss.Xss;
using Microsoft.AspNetCore.Mvc;
using System.Text.Encodings.Web;
namespace EnvelopeGenerator.Web.Controllers.Test
{
[ApiController]
[Route("api/test/[controller]")]
public class TestSanitizeController : ControllerBase
{
private readonly HtmlEncoder _htmlEncoder;
private readonly HtmlSanitizer _sanitizer;
public TestSanitizeController(HtmlEncoder htmlEncoder, HtmlSanitizer sanitizer)
{
_htmlEncoder = htmlEncoder;
_sanitizer = sanitizer;
}
[HttpGet("sanitize")]
public IActionResult Sanitize([FromQuery] string? input = null) => Ok(new
{
input,
Sanitized = _sanitizer.Sanitize(input),
SanitizedDocument = _sanitizer.SanitizeDocument(input),
SanitizedDom = _sanitizer.SanitizeDom(input)
});
[HttpGet("encode")]
public IActionResult Encoder([FromQuery] string? input = null) => Ok(new
{
input,
Encoded = _htmlEncoder.Encode(input)
});
}
}