add proper URI validation to duo host (#1984)

2024-11-24 12:35:25 +01:00 · 2022-05-09 12:00:05 -04:00 · 2022-05-09 12:00:05 -04:00 · a5bfc0554b
commit a5bfc0554b
parent 43be1d3647
2 changed files with 20 additions and 1 deletions
--- a/src/Api/Models/Request/TwoFactorRequestModels.cs
+++ b/src/Api/Models/Request/TwoFactorRequestModels.cs
@ -105,7 +105,7 @@ namespace Bit.Api.Models.Request

        public IEnumerable<ValidationResult> Validate(ValidationContext validationContext)
        {
-            if (!Host.StartsWith("api-") || (!Host.EndsWith(".duosecurity.com") && !Host.EndsWith(".duofederal.com")))
+            if (!Core.Utilities.Duo.DuoApi.ValidHost(Host))
            {
                yield return new ValidationResult("Host is invalid.", new string[] { nameof(Host) });
            }
--- a/src/Core/Utilities/DuoApi.cs
+++ b/src/Core/Utilities/DuoApi.cs
@ -35,6 +35,21 @@ namespace Bit.Core.Utilities.Duo
            _ikey = ikey;
            _skey = skey;
            _host = host;
+
+            if (!ValidHost(host))
+            {
+                throw new DuoException("Invalid Duo host configured.", new ArgumentException(nameof(host)));
+            }
+        }
+
+        public static bool ValidHost(string host)
+        {
+            if (Uri.TryCreate($"https://{host}", UriKind.Absolute, out var uri))
+            {
+                return uri.Host.StartsWith("api-") &&
+                    (uri.Host.EndsWith(".duosecurity.com") || uri.Host.EndsWith(".duofederal.com"));
+            }
+            return false;
        }

        public static string CanonicalizeParams(Dictionary<string, string> parameters)
@ -246,6 +261,10 @@ namespace Bit.Core.Utilities.Duo
    {
        public int HttpStatus { get; private set; }

+        public DuoException(string message, Exception inner)
+            : base(message, inner)
+        { }
+
        public DuoException(int httpStatus, string message, Exception inner)
            : base(message, inner)
        {