1 files changed, 93 insertions, 0 deletions

diff --git a/src/DotNetOpenId.Test/UntrustedWebRequestTests.cs b/src/DotNetOpenId.Test/UntrustedWebRequestTests.cs
new file mode 100644
index 0000000..c44354c
--- /dev/null
+++ b/src/DotNetOpenId.Test/UntrustedWebRequestTests.cs
@@ -0,0 +1,93 @@
+using System;

+using System.Collections.Generic;

+using System.Linq;

+using System.Text;

+using NUnit.Framework;

+using System.Text.RegularExpressions;

+using System.Net;

+

+namespace DotNetOpenId.Test {

+	[TestFixture]

+	public class UntrustedWebRequestTests {

+		TimeSpan timeoutDefault;

+		[SetUp]

+		public void SetUp() {

+			UntrustedWebRequest.WhitelistHosts.Clear();

+			UntrustedWebRequest.WhitelistHostsRegex.Clear();

+			UntrustedWebRequest.BlacklistHosts.Clear();

+			UntrustedWebRequest.BlacklistHostsRegex.Clear();

+			timeoutDefault = UntrustedWebRequest.Timeout;

+		}

+		[TearDown]

+		public void TearDown() {

+			UntrustedWebRequest.Timeout = timeoutDefault; // in case a test changed it

+		}

+

+		[Test]

+		public void DisallowUnsafeHosts() {

+			string[] unsafeHosts = new [] {

+				// IPv4 loopback representations

+				"http://127.0.0.1",

+				"http://127.100.0.1",

+				"http://127.0.0.100",

+				"http://2130706433", // 127.0.0.1 in decimal format

+				"http://0x7f000001", // 127.0.0.1 in hex format

+				// IPv6 loopback representation

+				"http://[::1]",

+				// disallowed schemes

+				"ftp://ftp.microsoft.com",

+				"xri://boo",

+			};

+			foreach (string unsafeHost in unsafeHosts) {

+				try {

+					UntrustedWebRequest.Request(new Uri(unsafeHost));

+					Assert.Fail("ArgumentException expected but none thrown.");

+				} catch (ArgumentException) {

+					// expected exception caught.

+				}

+			}

+		}

+

+		[Test]

+		public void Whitelist() {

+			UntrustedWebRequest.WhitelistHosts.Add("localhost");

+			// if this works, then we'll be waiting around for localhost to not respond

+			// for a while unless we take the timeout to zero.

+			UntrustedWebRequest.Timeout = TimeSpan.Zero; // will be reset in TearDown method

+			try {

+				UntrustedWebRequest.Request(new Uri("http://localhost:1234"));

+				// We're verifying that an ArgumentException is not thrown

+				// since we requested localhost to be allowed.

+			} catch (WebException) {

+				// It's ok, we're not expecting the request to succeed.

+			}

+		}

+

+		[Test]

+		public void WhitelistRegex() {

+			UntrustedWebRequest.WhitelistHostsRegex.Add(new Regex(@"^127\.\d+\.\d+\.\d+$"));

+			// if this works, then we'll be waiting around for localhost to not respond

+			// for a while unless we take the timeout to zero.

+			UntrustedWebRequest.Timeout = TimeSpan.Zero; // will be reset in TearDown method

+			try {

+				UntrustedWebRequest.Request(new Uri("http://127.0.0.1:1234"));

+				// We're verifying that an ArgumentException is not thrown

+				// since we requested localhost to be allowed.

+			} catch (WebException) {

+				// It's ok, we're not expecting the request to succeed.

+			}

+		}

+

+		[Test, ExpectedException(typeof(ArgumentException))]

+		public void Blacklist() {

+			UntrustedWebRequest.BlacklistHosts.Add("www.microsoft.com");

+			UntrustedWebRequest.Request(new Uri("http://WWW.MICROSOFT.COM"));

+		}

+

+		[Test, ExpectedException(typeof(ArgumentException))]

+		public void BlacklistRegex() {

+			UntrustedWebRequest.BlacklistHostsRegex.Add(new Regex(@"\Wmicrosoft.com$"));

+			UntrustedWebRequest.Request(new Uri("http://WWW.MICROSOFT.COM"));

+		}

+	}

+}