From 10c5a29c478f030565cc63f423a5c427ca57b8b3 Mon Sep 17 00:00:00 2001
From: Kyle Spearrin <kspearrin@users.noreply.github.com>
Date: Fri, 5 Nov 2021 14:49:45 -0400
Subject: [PATCH] Prevent XSS possibility from SSO SAML Service URLs (#1691)

* validate sso service urls for HTML meta chars

* also check for double quotes
---
 .../OrganizationSsoRequestModel.cs            | 28 +++++++++++++
 src/Core/Resources/SharedResources.en.resx    | 39 ++++++++++++-------
 2 files changed, 52 insertions(+), 15 deletions(-)

diff --git a/src/Core/Models/Api/Request/Organizations/OrganizationSsoRequestModel.cs b/src/Core/Models/Api/Request/Organizations/OrganizationSsoRequestModel.cs
index e08b19004e..66319f47bf 100644
--- a/src/Core/Models/Api/Request/Organizations/OrganizationSsoRequestModel.cs
+++ b/src/Core/Models/Api/Request/Organizations/OrganizationSsoRequestModel.cs
@@ -159,6 +159,25 @@ namespace Bit.Core.Models.Api
                     yield return new ValidationResult(i18nService.GetLocalizedHtmlString("IdpSingleSignOnServiceUrlValidationError"),
                         new[] { nameof(IdpSingleSignOnServiceUrl) });
                 }
+
+                if (ContainsHtmlMetaCharacters(IdpSingleSignOnServiceUrl))
+                {
+                    yield return new ValidationResult(i18nService.GetLocalizedHtmlString("IdpSingleSignOnServiceUrlInvalid"),
+                        new[] { nameof(IdpSingleSignOnServiceUrl) });
+                }
+
+                if (ContainsHtmlMetaCharacters(IdpArtifactResolutionServiceUrl))
+                {
+                    yield return new ValidationResult(i18nService.GetLocalizedHtmlString("IdpArtifactResolutionServiceUrlInvalid"),
+                        new[] { nameof(IdpArtifactResolutionServiceUrl) });
+                }
+
+                if (ContainsHtmlMetaCharacters(IdpSingleLogoutServiceUrl))
+                {
+                    yield return new ValidationResult(i18nService.GetLocalizedHtmlString("IdpSingleLogoutServiceUrlInvalid"),
+                        new[] { nameof(IdpSingleLogoutServiceUrl) });
+                }
+
                 if (!string.IsNullOrWhiteSpace(IdpX509PublicCert))
                 {
                     // Validate the certificate is in a valid format
@@ -240,5 +259,14 @@ namespace Bit.Core.Models.Api
                 string.Empty,
                 RegexOptions.Multiline | RegexOptions.IgnoreCase | RegexOptions.CultureInvariant);
         }
+
+        private bool ContainsHtmlMetaCharacters(string url)
+        {
+            if (string.IsNullOrWhiteSpace(url))
+            {
+                return false;
+            }
+            return Regex.IsMatch(url, "[<>\"]");
+        }
     }
 }
diff --git a/src/Core/Resources/SharedResources.en.resx b/src/Core/Resources/SharedResources.en.resx
index 55e8525454..57f09f5a93 100644
--- a/src/Core/Resources/SharedResources.en.resx
+++ b/src/Core/Resources/SharedResources.en.resx
@@ -442,19 +442,19 @@
   <data name="RequestId" xml:space="preserve">
     <value>Request ID</value>
   </data>
-  <data name="Redirecting">
+  <data name="Redirecting" xml:space="preserve">
     <value>Redirecting</value>
   </data>
-  <data name="RedirectingMessage">
+  <data name="RedirectingMessage" xml:space="preserve">
     <value>You are now being returned to the application. Once complete, you may close this tab.</value>
   </data>
-  <data name="IfIdpWantAuthnRequestsSigned">
+  <data name="IfIdpWantAuthnRequestsSigned" xml:space="preserve">
     <value>If IdP Wants Authn Requests Signed</value>
   </data>
-  <data name="Always">
+  <data name="Always" xml:space="preserve">
     <value>Always</value>
   </data>
-  <data name="Never">
+  <data name="Never" xml:space="preserve">
     <value>Never</value>
   </data>
   <data name="IdpX509PublicCertValidationError" xml:space="preserve">
@@ -466,33 +466,33 @@
   <data name="IdpX509PublicCertCryptographicExceptionValidationError" xml:space="preserve">
     <value>The IdP public certificate provided does not appear to be a valid certificate, please ensure this is a valid, Base64 encoded PEM or CER format public certificate valid for signing: {0}</value>
   </data>
-  <data name="CopyCallbackPath">
+  <data name="CopyCallbackPath" xml:space="preserve">
     <value>Copy the OIDC callback path to your clipboard</value>
   </data>
-  <data name="CopySignedOutCallbackPath">
+  <data name="CopySignedOutCallbackPath" xml:space="preserve">
     <value>Copy the OIDC signed out callback path to your clipboard</value>
   </data>
-  <data name="CopySpEntityId">
+  <data name="CopySpEntityId" xml:space="preserve">
     <value>Copy the SP Entity Id to your clipboard</value>
   </data>
-  <data name="CopySpMetadataUrl">
+  <data name="CopySpMetadataUrl" xml:space="preserve">
     <value>Copy the SAML 2.0 Metadata URL to your clipboard</value>
   </data>
-  <data name="LaunchSpMetadataUrl">
+  <data name="LaunchSpMetadataUrl" xml:space="preserve">
     <value>View the SAML 2.0 Metadata (opens in a new window)</value>
   </data>
-  <data name="CopySpAcsUrl">
+  <data name="CopySpAcsUrl" xml:space="preserve">
     <value>Copy the Assertion Consumer Service (ACS) URL to your clipboard</value>
   </data>
-  <data name="HttpRedirect">
+  <data name="HttpRedirect" xml:space="preserve">
     <value>Redirect</value>
     <comment>A SAML binding type, Redirect</comment>
   </data>
-  <data name="HttpPost">
+  <data name="HttpPost" xml:space="preserve">
     <value>HTTP POST</value>
     <comment>A SAML binding type, HTTP POST</comment>
   </data>
-  <data name="Artifact">
+  <data name="Artifact" xml:space="preserve">
     <value>Artifact</value>
     <comment>A SAML binding type, Artifact</comment>
   </data>
@@ -667,4 +667,13 @@
   <data name="ResetPasswordAutoEnrollCheckbox" xml:space="preserve">
     <value>Require new users to be enrolled automatically</value>
   </data>
-</root>
+  <data name="IdpArtifactResolutionServiceUrlInvalid" xml:space="preserve">
+    <value>Artifact resolution service URL contains illegal characters.</value>
+  </data>
+  <data name="IdpSingleLogoutServiceUrlInvalid" xml:space="preserve">
+    <value>Single log out service URL contains illegal characters.</value>
+  </data>
+  <data name="IdpSingleSignOnServiceUrlInvalid" xml:space="preserve">
+    <value>Single sign on service URL contains illegal characters.</value>
+  </data>
+</root>
\ No newline at end of file