Merge pull request #130 from DuendeSoftware/brock/return-url-validation

Add IReturnUrlValidator service
DuendeSoftware · Aug 16, 2022 · 493d819 · 493d819
2 parents b248b1e + 4ef7f4f
commit 493d819
Show file tree

Hide file tree

Showing 4 changed files with 53 additions and 9 deletions.
diff --git a/src/Duende.Bff/BffServiceCollectionExtensions.cs b/src/Duende.Bff/BffServiceCollectionExtensions.cs
@@ -33,6 +33,8 @@ public static BffBuilder AddBff(this IServiceCollection services, Action<BffOpti
         services.AddDistributedMemoryCache();
         services.AddOpenIdConnectAccessTokenManagement();
 
+        services.AddTransient<IReturnUrlValidator, LocalUrlReturnUrlValidator>();
+
         // management endpoints
         services.AddTransient<ILoginService, DefaultLoginService>();
         services.AddTransient<ISilentLoginService, DefaultSilentLoginService>();

diff --git a/src/Duende.Bff/Endpoints/DefaultLoginService.cs b/src/Duende.Bff/Endpoints/DefaultLoginService.cs
@@ -18,29 +18,36 @@ public class DefaultLoginService : ILoginService
     /// <summary>
     /// The BFF options
     /// </summary>
-    protected readonly BffOptions _options;
+    protected readonly BffOptions Options;
+
+    /// <summary>
+    /// The return URL validator
+    /// </summary>
+    protected readonly IReturnUrlValidator ReturnUrlValidator;
 
     /// <summary>
     /// ctor
     /// </summary>
     /// <param name="options"></param>
-    public DefaultLoginService(IOptions<BffOptions> options)
+    /// <param name="returnUrlValidator"></param>
+    public DefaultLoginService(IOptions<BffOptions> options, IReturnUrlValidator returnUrlValidator)
     {
-        _options = options.Value;
+        Options = options.Value;
+        ReturnUrlValidator = returnUrlValidator;
     }
 
     /// <inheritdoc />
     public virtual async Task ProcessRequestAsync(HttpContext context)
     {
-        context.CheckForBffMiddleware(_options);
+        context.CheckForBffMiddleware(Options);
 
         var returnUrl = context.Request.Query[Constants.RequestParameters.ReturnUrl].FirstOrDefault();
 
         if (!string.IsNullOrWhiteSpace(returnUrl))
         {
-            if (!Util.IsLocalUrl(returnUrl))
+            if (!await ReturnUrlValidator.IsValidAsync(returnUrl))
             {
-                throw new Exception("returnUrl is not application local: " + returnUrl);
+                throw new Exception("returnUrl is not valid: " + returnUrl);
             }
         }
 

diff --git a/src/Duende.Bff/Endpoints/DefaultLogoutService.cs b/src/Duende.Bff/Endpoints/DefaultLogoutService.cs
@@ -26,15 +26,22 @@ public class DefaultLogoutService : ILogoutService
     /// </summary>
     protected readonly IAuthenticationSchemeProvider AuthenticationSchemeProvider;
 
+    /// <summary>
+    /// The return URL validator
+    /// </summary>
+    protected readonly IReturnUrlValidator ReturnUrlValidator;
+
     /// <summary>
     /// Ctor
     /// </summary>
     /// <param name="options"></param>
     /// <param name="authenticationAuthenticationSchemeProviderProvider"></param>
-    public DefaultLogoutService(IOptions<BffOptions> options, IAuthenticationSchemeProvider authenticationAuthenticationSchemeProviderProvider)
+    /// <param name="returnUrlValidator"></param>
+    public DefaultLogoutService(IOptions<BffOptions> options, IAuthenticationSchemeProvider authenticationAuthenticationSchemeProviderProvider, IReturnUrlValidator returnUrlValidator)
     {
         Options = options.Value;
         AuthenticationSchemeProvider = authenticationAuthenticationSchemeProviderProvider;
+        ReturnUrlValidator = returnUrlValidator;
     }
 
     /// <inheritdoc />
@@ -67,9 +74,9 @@ public virtual async Task ProcessRequestAsync(HttpContext context)
 
         if (!string.IsNullOrWhiteSpace(returnUrl))
         {
-            if (!Util.IsLocalUrl(returnUrl))
+            if (!await ReturnUrlValidator.IsValidAsync(returnUrl))
             {
-                throw new Exception("returnUrl is not application local: " + returnUrl);
+                throw new Exception("returnUrl is not valid: " + returnUrl);
             }
         }
 

diff --git a/src/Duende.Bff/Endpoints/IReturnUrlValidator.cs b/src/Duende.Bff/Endpoints/IReturnUrlValidator.cs
@@ -0,0 +1,28 @@
+// Copyright (c) Duende Software. All rights reserved.
+// See LICENSE in the project root for license information.
+
+using System.Threading.Tasks;
+
+namespace Duende.Bff;
+
+/// <summary>
+/// Allows validating if the return URL for login and logout is valid.
+/// </summary>
+public interface IReturnUrlValidator
+{
+    /// <summary>
+    /// Returns true is the returnUrl is valid and safe to redirect to.
+    /// </summary>
+    /// <param name="returnUrl"></param>
+    /// <returns></returns>
+    Task<bool> IsValidAsync(string returnUrl);
+}
+
+class LocalUrlReturnUrlValidator : IReturnUrlValidator
+{
+    /// <inheritdoc/>
+    public Task<bool> IsValidAsync(string returnUrl)
+    {
+        return Task.FromResult(Util.IsLocalUrl(returnUrl));
+    }
+}