Untrusted data (data entered by a user), should always be treated as though it contains attack code.
This data should not be sent anywhere without taking the necessary steps to detect and neutralise the malicious code.
With applications becoming more interconnected, attacks being buried in user input and decoded and/or executed by a downstream interpreter is becoming all the more common.
Input validation, that’s restricting user input to allow only certain white listed characters and restricting field lengths are only two forms of defence.
Any decent attacker can get around client side validation, so you need to employ defence in depth.
validation and escaping also needs to be performed on the server side.
Leveraging existing libraries
- Microsofts AntiXSS is not extensible,
it doesn’t allow the user to define their own whitelist.
It didn’t allow me to add behaviour to the routines.
I want to know how many instances of HTML encoded values there were.
There was certainly a lot of code in there, but I didn’t find it very useful. - The OWASP encoding project (Reform)(as mentioned in part 1 of this series).
This is quite a useful set of projects for different technologies. - System.Net.WebUtility from the System.Web.dll.
Now this did most of what I needed other than provide me with fine grained information of what had been tampered with.
So I took it and extended it slightly.
We hadn’t employed AOP at this stage and it wasn’t considered important enough to invest the time to do so.
So it was a matter of copy past modify.
What’s the point in client side validation if the server has to do it again anyway?
Now there are arguments both ways for this.
My current take on this for the project in question was:
If you only have server side validation, the client side is less responsive and user friendly.
If you only have client side validation, it’s out of our control.
This also gives fuel to the argument of using JavaScript on the client and server side (with the likes of node.js).
So the same code can be used both sides without having to code the same validation in two different languages.
Personally I find writing validation code easier using JavaScript than C#.
This maybe just because I’ve been writing considerably more JavaScript than C# lately though.
The code
I drew a sequence diagram of how this should work, but it got lost in a move.
So I wasn’t keen on doing it again, as the code had already been done.
In saying that, the code has reasonably good documentation (I think).
Code is king, providing it has been written to be read.
If you notice any of the escaping isn’t quite making sense, it could be the blogging engine either doing what it’s meant to, or not doing what it’s meant to.
I’ve been over the code a few times, but I may have missed something.
Shout out if anything’s not clear.
First up, we’ll look at the custom exceptions as we’ll need those soon.
using System;
namespace Common.WcfHelpers.ErrorHandling.Exceptions
{
public abstract class WcfException : Exception
{
/// <summary>
/// In order to set the message for the client, set it here, or via the property directly in order to over ride default value.
/// </summary>
/// <param name="message">The message to be assigned to the Exception's Message.</param>
/// <param name="innerException">The exception to be assigned to the Exception's InnerException.</param>
/// <param name="messageForClient">The client friendly message. This parameter is optional, but should be set.</param>
public WcfException(string message, Exception innerException = null, string messageForClient = null) : base(message, innerException)
{
MessageForClient = messageForClient;
}
/// <summary>
/// This is the message that the service's client will see.
/// Make sure it is set in the constructor. Or here.
/// </summary>
public string MessageForClient
{
get { return string.IsNullOrEmpty(_messageForClient) ? "The MessageForClient property of WcfException was not set" : _messageForClient; }
set { _messageForClient = value; }
}
private string _messageForClient;
}
}
And the more specific SanitisationWcfException
using System;
using System.Configuration;
namespace Common.WcfHelpers.ErrorHandling.Exceptions
{
/// <summary>
/// Exception class that is used when the user input sanitisation fails, and the user needs to be informed.
/// </summary>
public class SanitisationWcfException : WcfException
{
private const string _defaultMessageForClient = "Answers were NOT saved. User input validation was unsuccessful.";
public string UnsanitisedAnswer { get; private set; }
/// <summary>
/// In order to set the message for the client, set it here, or via the property directly in order to over ride default value.
/// </summary>
/// <param name="message">The message to be assigned to the Exception's Message.</param>
/// <param name="innerException">The Exception to be assigned to the base class instance's inner exception. This parameter is optional.</param>
/// <param name="messageForClient">The client friendly message. This parameter is optional, but should be set.</param>
/// <param name="unsanitisedAnswer">The user input string before service side sanitisatioin is performed.</param>
public SanitisationWcfException
(
string message,
Exception innerException = null,
string messageForClient = _defaultMessageForClient,
string unsanitisedAnswer = null
)
: base(
message,
innerException,
messageForClient + " If this continues to happen, please contact " + ConfigurationManager.AppSettings["SupportEmail"] + Environment.NewLine
)
{
UnsanitisedAnswer = unsanitisedAnswer;
}
}
}
Now as we define whether our requirements are satisfied by way of executable requirements (unit tests(in their rawest form))
Lets write some executable specifications.
using NUnit.Framework;
using Common.Security.Sanitisation;
namespace Common.Security.Encoding.UnitTest
{
[TestFixture]
public class ExtensionsTest
{
private readonly string _inNeedOfEscaping = @"One #x2F / two amp & three #x27 ' four lt < five quot "" six gt >.";
private readonly string _noNeedForEscaping = @"One x2F two amp three x27 four lt five quot six gt .";
[Test]
public void SingleDecodeDoubleEncodedHtml_ShouldSingleDecodeDoubleEncodedHtml()
{
string doubleEncodedHtml = @""; // between the ""'s we have a string of Html with double escaped values like &#x27; user entered text &#x2F.
string singleEncodedHtmlShouldLookLike = @""; // between the ""'s we have a string of Html with single escaped values like ' user entered text /.
// In the above, the bloging engine is escaping the sinlge escaped entity encoding, so all you'll see is the entity it self.
// but it should look like the double encoded entity encodings without the first &->;
string singleEncodedHtml = doubleEncodedHtml.SingleDecodeDoubleEncodedHtml();
Assert.That(singleEncodedHtml, Is.EqualTo(singleEncodedHtmlShouldLookLike));
}
[Test]
public void Extensions_CompliesWithWhitelist_ShouldNotComply()
{
Assert.That(_inNeedOfEscaping.CompliesWithWhitelist(whiteList: @"^[\w\s\.,]+$"), Is.False);
}
[Test]
public void Extensions_CompliesWithWhitelist_ShouldComply()
{
Assert.That(_noNeedForEscaping.CompliesWithWhitelist(whiteList: @"^[\w\s\.,]+$"), Is.True);
Assert.That(_inNeedOfEscaping.CompliesWithWhitelist(whiteList: @"^[\w\s\.,#/&'<"">]+$"), Is.True);
}
}
}
Now the code that satisfies the above executable specifications, and more.
using System;
using System.Collections.Generic;
using System.Globalization;
using System.IO;
using System.Text.RegularExpressions;
namespace Common.Security.Sanitisation
{
/// <summary>
/// Provides a series of extension methods that perform sanitisation.
/// Escaping, unescaping, etc.
/// Usually targeted at user input, to help defend against the likes of XSS and other injection attacks.
/// </summary>
public static class Extensions
{
private const int CharacterIndexNotFound = -1;
/// <summary>
/// Returns a new string in which all occurrences of a double escaped html character (that's an html entity immediatly prefixed with another html entity)
/// in the current instance are replaced with the single escaped character.
/// </summary>
/// <param name="source">The target text used to strip one layer of Html entity encoding.</param>
/// <returns>The singly escaped text.</returns>
public static string SingleDecodeDoubleEncodedHtml(this string source)
{
return source.Replace("&#x", "&#x");
}
/// <summary>
/// Filter a text against a regular expression whitelist of specified characters.
/// </summary>
/// <param name="target">The text that is filtered using the whitelist.</param>
/// <param name="alternativeTarget"></param>
/// <param name="whiteList">Needs to be be assigned a valid whitelist, otherwise nothing gets through.</param>
public static bool CompliesWithWhitelist(this string target, string alternativeTarget = "", string whiteList = "")
{
if (string.IsNullOrEmpty(target))
target = alternativeTarget;
return Regex.IsMatch(target, whiteList);
}
/// <summary>
/// Takes a string and returns another with a single layer of Html entity encoding replaced with it's Html entity literals.
/// </summary>
/// <param name="encodedUserInput">The text to perform the opperation on.</param>
/// <param name="numberOfEscapes">The number of Html entity encodings that were replaced.</param>
/// <returns>The text that's had a single layer of Html entity encoding replaced with it's Html entity literals.</returns>
public static string HtmlDecode(this string encodedUserInput, ref int numberOfEscapes)
{
const int NotFound = -1;
if (string.IsNullOrEmpty(encodedUserInput))
return string.Empty;
StringWriter output = new StringWriter(CultureInfo.InvariantCulture);
if (encodedUserInput.IndexOf('&') == NotFound)
{
output.Write(encodedUserInput);
}
else
{
int length = encodedUserInput.Length;
for (int index1 = 0; index1 < length; ++index1)
{
char ch1 = encodedUserInput[index1];
if (ch1 == 38)
{
int index2 = encodedUserInput.IndexOfAny(_htmlEntityEndingChars, index1 + 1);
if (index2 > 0 && encodedUserInput[index2] == 59)
{
string entity = encodedUserInput.Substring(index1 + 1, index2 - index1 - 1);
if (entity.Length > 1 && entity[0] == 35)
{
ushort result;
if (entity[1] == 120 || entity[1] == 88)
ushort.TryParse(entity.Substring(2), NumberStyles.AllowHexSpecifier, NumberFormatInfo.InvariantInfo, out result);
else
ushort.TryParse(entity.Substring(1), NumberStyles.AllowLeadingWhite | NumberStyles.AllowTrailingWhite | NumberStyles.AllowLeadingSign, NumberFormatInfo.InvariantInfo, out result);
if (result != 0)
{
ch1 = (char)result;
numberOfEscapes++;
index1 = index2;
}
}
else
{
index1 = index2;
char ch2 = HtmlEntities.Lookup(entity);
if ((int)ch2 != 0)
{
ch1 = ch2;
numberOfEscapes++;
}
else
{
output.Write('&');
output.Write(entity);
output.Write(';');
continue;
}
}
}
}
output.Write(ch1);
}
}
string decodedHtml = output.ToString();
output.Dispose();
return decodedHtml;
}
/// <summary>
/// Escapes all character entity references (double escaping where necessary).
/// Why? The XmlTextReader that is setup in XmlDocument.LoadXml on the service considers the character entity references (&#xxxx;) to be the character they represent.
/// All XML is converted to unicode on reading and any such entities are removed in favor of the unicode character they represent.
/// </summary>
/// <param name="unencodedUserInput">The string that needs to be escaped.</param>
/// <param name="numberOfEscapes">The number of escapes applied.</param>
/// <returns>The escaped text.</returns>
public static unsafe string HtmlEncode(this string unencodedUserInput, ref int numberOfEscapes)
{
if (string.IsNullOrEmpty(unencodedUserInput))
return string.Empty;
StringWriter output = new StringWriter(CultureInfo.InvariantCulture);
if (output == null)
throw new ArgumentNullException("output");
int num1 = IndexOfHtmlEncodingChars(unencodedUserInput);
if (num1 == -1)
{
output.Write(unencodedUserInput);
}
else
{
int num2 = unencodedUserInput.Length - num1;
fixed (char* chPtr1 = unencodedUserInput)
{
char* chPtr2 = chPtr1;
while (num1-- > 0)
output.Write(*chPtr2++);
while (num2-- > 0)
{
char ch = *chPtr2++;
if (ch <= 62)
{
switch (ch)
{
case '"':
output.Write(""");
numberOfEscapes++;
continue;
case '&':
output.Write("&");
numberOfEscapes++;
continue;
case '\'':
output.Write("&#x27;");
numberOfEscapes = numberOfEscapes + 2;
continue;
case '<':
output.Write("<");
numberOfEscapes++;
continue;
case '>':
output.Write(">");
numberOfEscapes++;
continue;
case '/':
output.Write("&#x2F;");
numberOfEscapes = numberOfEscapes + 2;
continue;
default:
output.Write(ch);
continue;
}
}
if (ch >= 160 && ch < 256)
{
output.Write("&#");
output.Write(((int)ch).ToString(NumberFormatInfo.InvariantInfo));
output.Write(';');
numberOfEscapes++;
}
else
output.Write(ch);
}
}
}
string encodedHtml = output.ToString();
output.Dispose();
return encodedHtml;
}
private static unsafe int IndexOfHtmlEncodingChars(string searchString)
{
int num = searchString.Length;
fixed (char* chPtr1 = searchString)
{
char* chPtr2 = (char*)((UIntPtr)chPtr1);
for (; num > 0; --num)
{
char ch = *chPtr2;
if (ch <= 62)
{
switch (ch)
{
case '"':
case '&':
case '\'':
case '<':
case '>':
case '/':
return searchString.Length - num;
}
}
else if (ch >= 160 && ch < 256)
return searchString.Length - num;
++chPtr2;
}
}
return CharacterIndexNotFound;
}
private static char[] _htmlEntityEndingChars = new char[2]
{
';',
'&'
};
private static class HtmlEntities
{
private static string[] _entitiesList = new string[253]
{
"\"-quot",
"&-amp",
"'-apos",
"<-lt",
">-gt",
" -nbsp",
"¡-iexcl",
"¢-cent",
"£-pound",
"¤-curren",
"¥-yen",
"¦-brvbar",
"§-sect",
"¨-uml",
"©-copy",
"ª-ordf",
"«-laquo",
"¬-not",
"\x00AD-shy",
"®-reg",
"¯-macr",
"°-deg",
"±-plusmn",
"\x00B2-sup2",
"\x00B3-sup3",
"´-acute",
"µ-micro",
"¶-para",
"·-middot",
"¸-cedil",
"\x00B9-sup1",
"º-ordm",
"»-raquo",
"\x00BC-frac14",
"\x00BD-frac12",
"\x00BE-frac34",
"¿-iquest",
"À-Agrave",
"Á-Aacute",
"Â-Acirc",
"Ã-Atilde",
"Ä-Auml",
"Å-Aring",
"Æ-AElig",
"Ç-Ccedil",
"È-Egrave",
"É-Eacute",
"Ê-Ecirc",
"Ë-Euml",
"Ì-Igrave",
"Í-Iacute",
"Î-Icirc",
"Ï-Iuml",
"Ð-ETH",
"Ñ-Ntilde",
"Ò-Ograve",
"Ó-Oacute",
"Ô-Ocirc",
"Õ-Otilde",
"Ö-Ouml",
"×-times",
"Ø-Oslash",
"Ù-Ugrave",
"Ú-Uacute",
"Û-Ucirc",
"Ü-Uuml",
"Ý-Yacute",
"Þ-THORN",
"ß-szlig",
"à-agrave",
"á-aacute",
"â-acirc",
"ã-atilde",
"ä-auml",
"å-aring",
"æ-aelig",
"ç-ccedil",
"è-egrave",
"é-eacute",
"ê-ecirc",
"ë-euml",
"ì-igrave",
"í-iacute",
"î-icirc",
"ï-iuml",
"ð-eth",
"ñ-ntilde",
"ò-ograve",
"ó-oacute",
"ô-ocirc",
"õ-otilde",
"ö-ouml",
"÷-divide",
"ø-oslash",
"ù-ugrave",
"ú-uacute",
"û-ucirc",
"ü-uuml",
"ý-yacute",
"þ-thorn",
"ÿ-yuml",
"Œ-OElig",
"œ-oelig",
"Š-Scaron",
"š-scaron",
"Ÿ-Yuml",
"ƒ-fnof",
"\x02C6-circ",
"˜-tilde",
"Α-Alpha",
"Β-Beta",
"Γ-Gamma",
"Δ-Delta",
"Ε-Epsilon",
"Ζ-Zeta",
"Η-Eta",
"Θ-Theta",
"Ι-Iota",
"Κ-Kappa",
"Λ-Lambda",
"Μ-Mu",
"Ν-Nu",
"Ξ-Xi",
"Ο-Omicron",
"Π-Pi",
"Ρ-Rho",
"Σ-Sigma",
"Τ-Tau",
"Υ-Upsilon",
"Φ-Phi",
"Χ-Chi",
"Ψ-Psi",
"Ω-Omega",
"α-alpha",
"β-beta",
"γ-gamma",
"δ-delta",
"ε-epsilon",
"ζ-zeta",
"η-eta",
"θ-theta",
"ι-iota",
"κ-kappa",
"λ-lambda",
"μ-mu",
"ν-nu",
"ξ-xi",
"ο-omicron",
"π-pi",
"ρ-rho",
"ς-sigmaf",
"σ-sigma",
"τ-tau",
"υ-upsilon",
"φ-phi",
"χ-chi",
"ψ-psi",
"ω-omega",
"ϑ-thetasym",
"ϒ-upsih",
"ϖ-piv",
" -ensp",
" -emsp",
" -thinsp",
"\x200C-zwnj",
"\x200D-zwj",
"\x200E-lrm",
"\x200F-rlm",
"–-ndash",
"—-mdash",
"‘-lsquo",
"’-rsquo",
"‚-sbquo",
"“-ldquo",
"”-rdquo",
"„-bdquo",
"†-dagger",
"‡-Dagger",
"•-bull",
"…-hellip",
"‰-permil",
"′-prime",
"″-Prime",
"‹-lsaquo",
"›-rsaquo",
"‾-oline",
"⁄-frasl",
"€-euro",
"ℑ-image",
"℘-weierp",
"ℜ-real",
"™-trade",
"ℵ-alefsym",
"←-larr",
"↑-uarr",
"→-rarr",
"↓-darr",
"↔-harr",
"↵-crarr",
"⇐-lArr",
"⇑-uArr",
"⇒-rArr",
"⇓-dArr",
"⇔-hArr",
"∀-forall",
"∂-part",
"∃-exist",
"∅-empty",
"∇-nabla",
"∈-isin",
"∉-notin",
"∋-ni",
"∏-prod",
"∑-sum",
"−-minus",
"∗-lowast",
"√-radic",
"∝-prop",
"∞-infin",
"∠-ang",
"∧-and",
"∨-or",
"∩-cap",
"∪-cup",
"∫-int",
"∴-there4",
"∼-sim",
"≅-cong",
"≈-asymp",
"≠-ne",
"≡-equiv",
"≤-le",
"≥-ge",
"⊂-sub",
"⊃-sup",
"⊄-nsub",
"⊆-sube",
"⊇-supe",
"⊕-oplus",
"⊗-otimes",
"⊥-perp",
"⋅-sdot",
"⌈-lceil",
"⌉-rceil",
"⌊-lfloor",
"⌋-rfloor",
"〈-lang",
"〉-rang",
"◊-loz",
"♠-spades",
"♣-clubs",
"♥-hearts",
"♦-diams"
};
private static Dictionary<string, char> _lookupTable = GenerateLookupTable();
private static Dictionary<string, char> GenerateLookupTable()
{
Dictionary<string, char> dictionary = new Dictionary<string, char>(StringComparer.Ordinal);
foreach (string str in _entitiesList)
dictionary.Add(str.Substring(2), str[0]);
return dictionary;
}
public static char Lookup(string entity)
{
char ch;
_lookupTable.TryGetValue(entity, out ch);
return ch;
}
}
}
}
You may also notice that I’ve mocked the OperationContext.
Thanks to WCFMock, a mocking framework for WCF services.
I won’t include this code, but you can get it here.
I’ve used the popular NUnit test framework and RhinoMocks for the stubbing and mocking.
Both pulled into the solution using NuGet.
Most useful documentation for RhinoMocks:
http://ayende.com/Wiki/Rhino+Mocks+3.5.ashx
http://ayende.com/wiki/Rhino+Mocks.ashx
For this project I used NLog and wrapped it.
Now you start to get an idea of how to use the sanitisation.
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;
using NUnit.Framework;
using System.Configuration;
using Rhino.Mocks;
using Common.Wrapper.Log;
using MockedOperationContext = System.ServiceModel.Web.MockedOperationContext;
using Common.WcfHelpers.ErrorHandling.Exceptions;
namespace Sanitisation.UnitTest
{
[TestFixture]
public class SanitiseTest
{
private const string _myTestIpv4Address = "My.Test.Ipv4.Address";
private readonly int _maxLengthHtmlEncodedUserInput = int.Parse(ConfigurationManager.AppSettings["MaxLengthHtmlEncodedUserInput"]);
private readonly int _maxLengthHtmlDecodedUserInput = int.Parse(ConfigurationManager.AppSettings["MaxLengthHtmlDecodedUserInput"]);
private readonly string _encodedUserInput_thatsMaxDecodedLength = @"One #x2F &#x2F; two amp & three #x27 &#x27; four lt < five quot " six gt >.
One #x2F &#x2F; two amp & three #x27 &#x27; four lt < five quot " six gt >.
One #x2F &#x2F; two amp & three #x27 &#x27; four lt < five quot " six gt >.
One #x2F &#x2F; two amp & three #x27 &#x27; four lt < five quot " six gt >.
One #x2F &#x2F; two amp & three #x27 &#x27; four lt < five quot " six gt >.
One #x2F &#x2F; two amp & three #x27 &#x27; four lt < five quot " six gt >.";
private readonly string _decodedUserInput_thatsMaxLength = @"One #x2F / two amp & three #x27 ' four lt < five quot "" six gt >.
One #x2F / two amp & three #x27 ' four lt < five quot "" six gt >.
One #x2F / two amp & three #x27 ' four lt < five quot "" six gt >.
One #x2F / two amp & three #x27 ' four lt < five quot "" six gt >.
One #x2F / two amp & three #x27 ' four lt < five quot "" six gt >.
One #x2F / two amp & three #x27 ' four lt < five quot "" six gt >.";
[Test]
public void Sanitise_UserInput_WhenGivenNull_ShouldReturnEmptyString()
{
Assert.That(new Sanitise().UserInput(null), Is.EqualTo(string.Empty));
}
[Test]
public void Sanitise_UserInput_WhenGivenEmptyString_ShouldReturnEmptyString()
{
Assert.That(new Sanitise().UserInput(string.Empty), Is.EqualTo(string.Empty));
}
[Test]
public void Sanitise_UserInput_WhenGivenSanitisedString_ShouldReturnSanitisedString()
{
// Open the whitelist up in order to test the encoding without restriction.
Assert.That(new Sanitise(whiteList: @"^[\w\s\.,#/&'<"">]+$").UserInput(_encodedUserInput_thatsMaxDecodedLength), Is.EqualTo(_encodedUserInput_thatsMaxDecodedLength));
}
[Test]
[ExpectedException(typeof(SanitisationWcfException))]
public void Sanitise_UserInput_ShouldThrowExceptionIfEscapedInputToLong()
{
string fourThousandAndOneCharacters = "Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand characters. Four thousand character";
string expectedError = "The un-modified string received from the client with the following IP address: " +
'"' + _myTestIpv4Address + "\" " +
"exceeded the allowed maximum length of an escaped Html user input string. " +
"The maximum length allowed is: " +
_maxLengthHtmlEncodedUserInput +
". The length was: " +
(_maxLengthHtmlEncodedUserInput+1) + ".";
using(new MockedOperationContext(StubbedOperationContext))
{
try
{
new Sanitise().UserInput(fourThousandAndOneCharacters);
}
catch(SanitisationWcfException e)
{
Assert.That(e.Message, Is.EqualTo(expectedError));
Assert.That(e.UnsanitisedAnswer, Is.EqualTo(fourThousandAndOneCharacters));
throw;
}
}
}
[Test]
[ExpectedException(typeof(SanitisationWcfException))]
public void Sanitise_UserInput_DecodedUserInputShouldThrowException_WhenMaxLengthHtmlDecodedUserInputIsExceeded()
{
char oneCharOverTheLimit = '.';
string expectedError =
"The string received from the client with the following IP address: " +
"\"" + _myTestIpv4Address + "\" " +
"after Html decoding exceded the allowed maximum length of an un-escaped Html user input string." +
Environment.NewLine +
"The maximum length allowed is: " + _maxLengthHtmlDecodedUserInput + ". The length was: " +
(_decodedUserInput_thatsMaxLength + oneCharOverTheLimit).Length + oneCharOverTheLimit;
using(new MockedOperationContext(StubbedOperationContext))
{
try
{
new Sanitise().UserInput(_encodedUserInput_thatsMaxDecodedLength + oneCharOverTheLimit);
}
catch(SanitisationWcfException e)
{
Assert.That(e.Message, Is.EqualTo(expectedError));
Assert.That(e.UnsanitisedAnswer, Is.EqualTo(_encodedUserInput_thatsMaxDecodedLength + oneCharOverTheLimit));
throw;
}
}
}
[Test]
public void Sanitise_UserInput_ShouldLogAndSendEmail_IfNumberOfDecodedHtmlEntitiesDoesNotMatchNumberOfEscapes()
{
string encodedUserInput_with6HtmlEntitiesNotEscaped = _encodedUserInput_thatsMaxDecodedLength.Replace("&#x2F;", "/");
string errorWeAreExpecting =
"It appears as if someone has circumvented the client side Html entity encoding." + Environment.NewLine +
"The requesting IP address was: " +
"\"" + _myTestIpv4Address + "\" " +
"The sanitised input we receive from the client was the following:" + Environment.NewLine +
"\"" + encodedUserInput_with6HtmlEntitiesNotEscaped + "\"" + Environment.NewLine +
"The same input after decoding and re-escaping on the server side was the following:" + Environment.NewLine +
"\"" + _encodedUserInput_thatsMaxDecodedLength + "\"";
string sanitised;
// setup _logger
ILogger logger = MockRepository.GenerateMock<ILogger>();
logger.Expect(lgr => lgr.logError(errorWeAreExpecting));
Sanitise sanitise = new Sanitise(@"^[\w\s\.,#/&'<"">]+$", logger);
using (new MockedOperationContext(StubbedOperationContext))
{
// Open the whitelist up in order to test the encoding etc.
sanitised = sanitise.UserInput(encodedUserInput_with6HtmlEntitiesNotEscaped);
}
Assert.That(sanitised, Is.EqualTo(_encodedUserInput_thatsMaxDecodedLength));
logger.VerifyAllExpectations();
}
private static IOperationContext StubbedOperationContext
{
get
{
IOperationContext operationContext = MockRepository.GenerateStub<IOperationContext>();
int port = 80;
RemoteEndpointMessageProperty remoteEndpointMessageProperty = new RemoteEndpointMessageProperty(_myTestIpv4Address, port);
operationContext.Stub(oc => oc.IncomingMessageProperties[RemoteEndpointMessageProperty.Name]).Return(remoteEndpointMessageProperty);
return operationContext;
}
}
}
}
Now the API code that we can use to do our sanitisation.
using System;
using System.Configuration;
// Todo : KC We need time to implement DI. Should be using something like ninject.extensions.wcf.
using OperationContext = System.ServiceModel.Web.MockedOperationContext;
using System.ServiceModel.Channels;
using Common.Security.Sanitisation;
using Common.WcfHelpers.ErrorHandling.Exceptions;
using Common.Wrapper.Log;
namespace Sanitisation
{
public class Sanitise
{
private readonly string _whiteList;
private readonly ILogger _logger;
private string RequestingIpAddress
{
get
{
RemoteEndpointMessageProperty remoteEndpointMessageProperty = OperationContext.Current.IncomingMessageProperties[RemoteEndpointMessageProperty.Name] as RemoteEndpointMessageProperty;
return ((remoteEndpointMessageProperty != null) ? remoteEndpointMessageProperty.Address : string.Empty);
}
}
/// <summary>
/// Provides server side escaping of Html entities, and runs the supplied whitelist character filter over the user input string.
/// </summary>
/// <param name="whiteList">Should be provided by DI from the ResourceFile.</param>
/// <param name="logger">Should be provided by DI. Needs to be an asynchronous logger.</param>
/// <example>
/// The whitelist can be obtained from a ResourceFile like so...
/// <code>
/// private Resource _resource;
/// _resource.GetString("WhiteList");
/// </code>
/// </example>
public Sanitise(string whiteList = "", ILogger logger = null)
{
_whiteList = whiteList;
_logger = logger ?? new Logger();
}
/// <summary>
/// 1) Check field lengths. Client side validation may have been negated.
/// 2) Check against white list. Client side validation may have been negated.
/// 3) Check Html escaping. Client side validation may have been negated.
/// Generic Fail actions: Drop the payload. No point in trying to massage and save, as it won't be what the user was expecting,
/// Add full error to a WCFException Message and throw.
/// WCF interception reads the WCFException.MessageForClient, and sends it to the user.
/// On return, log the WCFException's Message.
///
/// Escape Fail actions: Asynchronously Log and email full error to support.
/// 1) BA confirmed 50 for text, and 400 for textarea.
/// As we don't know the field type, we'll have to go for 400."
///
/// First we need to check that we haven't been sent some huge string.
/// So we check that the string isn't longer than 400 * 10 = 4000.
/// 10 is the length of our double escaped character references.
/// Or, we ask the business for a number."
/// If we fail here, perform Generic Fail actions and don't complete the following steps.
///
/// Convert all Html Entity Encodings back to their equivalent characters, and count how many occurrences.
///
/// If the string is longer than 400, perform Generic Fail actions and don't complete the following steps.
///
/// 2) check all characters against the white list
/// If any don't match, perform Generic Fail actions and don't complete the following steps.
///
/// 3) re html escape (as we did in JavaScript), and count how many escapes.
/// If count is greater than the count of Html Entity Encodings back to their equivalent characters,
/// Perform Escape Fail actions. Return sanitised string.
///
/// If we haven't returned, return sanitised string.
/// Performs checking on the text passed in, to verify that client side escaping and whitelist validation has already been performed.
/// Performs decoding, and re-encodes. Counts that the number of escapes was the same, otherwise we log and send email with the details to support.
/// Throws exception if the client side validation failed to restrict the number of characters in the escaped string we received.
/// This needs to be intercepted at the service.
/// The exceptions default message for client needs to be passed back to the user.
/// On return, the interception needs to log the exception's message.
/// </summary>
/// <param name="sanitiseMe"></param>
/// <returns></returns>
public string UserInput(string sanitiseMe)
{
if (string.IsNullOrEmpty(sanitiseMe))
return string.Empty;
ThrowExceptionIfEscapedInputToLong(sanitiseMe);
int numberOfDecodedHtmlEntities = 0;
string decodedUserInput = HtmlDecodeUserInput(sanitiseMe, ref numberOfDecodedHtmlEntities);
if(!decodedUserInput.CompliesWithWhitelist(whiteList: _whiteList))
{
string error = "The answer received from client with the following IP address: " +
"\"" + RequestingIpAddress + "\" " +
"had characters that failed to match the whitelist.";
throw new SanitisationWcfException(error);
}
int numberOfEscapes = 0;
string sanitisedUserInput = decodedUserInput.HtmlEncode(ref numberOfEscapes);
if(numberOfEscapes != numberOfDecodedHtmlEntities)
{
AsyncLogAndEmail(sanitiseMe, sanitisedUserInput);
}
return sanitisedUserInput;
}
/// <note>
/// Make sure the logger is setup to log asynchronously
/// </note>
private void AsyncLogAndEmail(string sanitiseMe, string sanitisedUserInput)
{
// no need for SanitisationException
_logger.logError(
"It appears as if someone has circumvented the client side Html entity encoding." + Environment.NewLine +
"The requesting IP address was: " +
"\"" + RequestingIpAddress + "\" " +
"The sanitised input we receive from the client was the following:" + Environment.NewLine +
"\"" + sanitiseMe + "\"" + Environment.NewLine +
"The same input after decoding and re-escaping on the server side was the following:" + Environment.NewLine +
"\"" + sanitisedUserInput + "\""
);
}
/// <summary>
/// This procedure may throw a SanitisationWcfException.
/// If it does, ErrorHandlerBehaviorAttribute will need to pass the "messageForClient" back to the client from within the IErrorHandler.ProvideFault procedure.
/// Once execution is returned, the IErrorHandler.HandleError procedure of ErrorHandlerBehaviorAttribute
/// will continue to process the exception that was thrown in the way of logging sensitive info.
/// </summary>
/// <param name="toSanitise"></param>
private void ThrowExceptionIfEscapedInputToLong(string toSanitise)
{
int maxLengthHtmlEncodedUserInput = int.Parse(ConfigurationManager.AppSettings["MaxLengthHtmlEncodedUserInput"]);
if (toSanitise.Length > maxLengthHtmlEncodedUserInput)
{
string error = "The un-modified string received from the client with the following IP address: " +
"\"" + RequestingIpAddress + "\" " +
"exceeded the allowed maximum length of an escaped Html user input string. " +
"The maximum length allowed is: " +
maxLengthHtmlEncodedUserInput +
". The length was: " +
toSanitise.Length + ".";
throw new SanitisationWcfException(error, unsanitisedAnswer: toSanitise);
}
}
private string HtmlDecodeUserInput(string doubleEncodedUserInput, ref int numberOfDecodedHtmlEntities)
{
string decodedUserInput = doubleEncodedUserInput.HtmlDecode(ref numberOfDecodedHtmlEntities).HtmlDecode(ref numberOfDecodedHtmlEntities) ?? string.Empty;
// if the decoded string is longer than MaxLengthHtmlDecodedUserInput throw
int maxLengthHtmlDecodedUserInput = int.Parse(ConfigurationManager.AppSettings["MaxLengthHtmlDecodedUserInput"]);
if(decodedUserInput.Length > maxLengthHtmlDecodedUserInput)
{
throw new SanitisationWcfException(
"The string received from the client with the following IP address: " +
"\"" + RequestingIpAddress + "\" " +
"after Html decoding exceded the allowed maximum length of an un-escaped Html user input string." +
Environment.NewLine +
"The maximum length allowed is: " + maxLengthHtmlDecodedUserInput + ". The length was: " +
decodedUserInput.Length + ".",
unsanitisedAnswer: doubleEncodedUserInput
);
}
return decodedUserInput;
}
}
}
As you can see, there’s a lot more work in the server side sanitisation than the client side.
Binarymist 