1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
|
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using NUnit.Framework;
using System.Text.RegularExpressions;
using System.Net;
namespace DotNetOpenId.Test {
[TestFixture]
public class UntrustedWebRequestTests {
TimeSpan timeoutDefault;
[SetUp]
public void SetUp() {
UntrustedWebRequest.WhitelistHosts.Clear();
UntrustedWebRequest.WhitelistHostsRegex.Clear();
UntrustedWebRequest.BlacklistHosts.Clear();
UntrustedWebRequest.BlacklistHostsRegex.Clear();
timeoutDefault = UntrustedWebRequest.Timeout;
}
[TearDown]
public void TearDown() {
UntrustedWebRequest.Timeout = timeoutDefault; // in case a test changed it
}
[Test]
public void DisallowUnsafeHosts() {
string[] unsafeHosts = new [] {
// IPv4 loopback representations
"http://127.0.0.1",
"http://127.100.0.1",
"http://127.0.0.100",
"http://2130706433", // 127.0.0.1 in decimal format
"http://0x7f000001", // 127.0.0.1 in hex format
// IPv6 loopback representation
"http://[::1]",
// disallowed schemes
"ftp://ftp.microsoft.com",
"xri://boo",
};
foreach (string unsafeHost in unsafeHosts) {
try {
UntrustedWebRequest.Request(new Uri(unsafeHost));
Assert.Fail("ArgumentException expected but none thrown.");
} catch (ArgumentException) {
// expected exception caught.
}
}
}
[Test]
public void Whitelist() {
UntrustedWebRequest.WhitelistHosts.Add("localhost");
// if this works, then we'll be waiting around for localhost to not respond
// for a while unless we take the timeout to zero.
UntrustedWebRequest.Timeout = TimeSpan.Zero; // will be reset in TearDown method
try {
UntrustedWebRequest.Request(new Uri("http://localhost:1234"));
// We're verifying that an ArgumentException is not thrown
// since we requested localhost to be allowed.
} catch (WebException) {
// It's ok, we're not expecting the request to succeed.
}
}
[Test]
public void WhitelistRegex() {
UntrustedWebRequest.WhitelistHostsRegex.Add(new Regex(@"^127\.\d+\.\d+\.\d+$"));
// if this works, then we'll be waiting around for localhost to not respond
// for a while unless we take the timeout to zero.
UntrustedWebRequest.Timeout = TimeSpan.Zero; // will be reset in TearDown method
try {
UntrustedWebRequest.Request(new Uri("http://127.0.0.1:1234"));
// We're verifying that an ArgumentException is not thrown
// since we requested localhost to be allowed.
} catch (WebException) {
// It's ok, we're not expecting the request to succeed.
}
}
[Test, ExpectedException(typeof(ArgumentException))]
public void Blacklist() {
UntrustedWebRequest.BlacklistHosts.Add("www.microsoft.com");
UntrustedWebRequest.Request(new Uri("http://WWW.MICROSOFT.COM"));
}
[Test, ExpectedException(typeof(ArgumentException))]
public void BlacklistRegex() {
UntrustedWebRequest.BlacklistHostsRegex.Add(new Regex(@"\Wmicrosoft.com$"));
UntrustedWebRequest.Request(new Uri("http://WWW.MICROSOFT.COM"));
}
}
}
|
