check corr_id in correct format.

antrix1989 · antrix1989 · commit 397e42fe9fe0 · 2025-09-05T15:45:58.000-07:00
diff --git a/IdentityCore/src/broker_operation/request/browser_native_message_request/MSIDBrowserNativeMessageGetTokenRequest.m b/IdentityCore/src/broker_operation/request/browser_native_message_request/MSIDBrowserNativeMessageGetTokenRequest.m
@@ -159,7 +159,13 @@ - (instancetype)initWithJSONDictionary:(NSDictionary *)json error:(NSError *__au
 
     if (![requestJson msidAssertType:NSString.class ofKey:MSID_BROWSER_NATIVE_MESSAGE_CORRELATION_KEY required:NO error:error]) return nil;
     NSString *uuidString = requestJson[MSID_BROWSER_NATIVE_MESSAGE_CORRELATION_KEY];
-    _correlationId = uuidString ? [[NSUUID alloc] initWithUUIDString:uuidString] : [NSUUID UUID];
+    _correlationId = [[NSUUID alloc] initWithUUIDString:uuidString];
+    if (!_correlationId)
+    {
+        _correlationId = [NSUUID UUID];
+        MSID_LOG_WITH_CTX_PII(MSIDLogLevelWarning, nil, @"CorrelationID is invalid or not in UUID format: %@. Use new correlationId: %@", uuidString, _correlationId);
+    }
+    
     _platformSequence = [requestJson msidStringObjectForKey:MSID_BROWSER_NATIVE_MESSAGE_PLATFORM_SEQUENCE_KEY];
     
     id canShowUIValue = requestJson[MSID_BROWSER_NATIVE_MESSAGE_CAN_SHOW_UI_KEY];
diff --git a/IdentityCore/src/broker_operation/request/browser_native_message_request/MSIDBrowserNativeMessageSignOutRequest.m b/IdentityCore/src/broker_operation/request/browser_native_message_request/MSIDBrowserNativeMessageSignOutRequest.m
@@ -62,7 +62,12 @@ - (instancetype)initWithJSONDictionary:(NSDictionary *)json error:(NSError *__au
     // Parse correlationId from JSON - optional field
     if (![json msidAssertType:NSString.class ofKey:MSID_BROWSER_NATIVE_MESSAGE_CORRELATION_KEY required:NO error:error]) return nil;
     NSString *uuidString = [json msidStringObjectForKey:MSID_BROWSER_NATIVE_MESSAGE_CORRELATION_KEY];
-    _correlationId = uuidString ? [[NSUUID alloc] initWithUUIDString:uuidString] : [NSUUID UUID];
+    _correlationId = [[NSUUID alloc] initWithUUIDString:uuidString];
+    if (!_correlationId)
+    {
+        _correlationId = [NSUUID UUID];
+        MSID_LOG_WITH_CTX_PII(MSIDLogLevelWarning, nil, @"CorrelationID is invalid or not in UUID format: %@. Use new correlationId: %@", uuidString, _correlationId);
+    }
     
     return self;
 }
diff --git a/IdentityCore/tests/MSIDBrowserNativeMessageGetTokenRequestTests.m b/IdentityCore/tests/MSIDBrowserNativeMessageGetTokenRequestTests.m
@@ -126,6 +126,30 @@ - (void)testInitWithJSONDictionary_whenJsonValidAndRequiredOnlyFieldsProvided_sh
     XCTAssertNotNil(request.correlationId.UUIDString);
 }
 
+- (void)testInitWithJSONDictionary_whenCorrelationIdProvidedInWrongFormat_shouldGenerateCorrelationId
+{
+    __auto_type json = @{
+        @"sender": @"https://login.microsoft.com",
+        @"request": @{
+            @"clientId": @"29a788ca-7bcf-4732-b23c-c8d294347e5b",
+            @"scope": @"user.read openid profile offline_access",
+            @"redirectUri": @"https://login.microsoft.com",
+            @"correlationId": @"abc",
+        }
+    };
+    
+    NSError *error;
+    __auto_type request = [[MSIDBrowserNativeMessageGetTokenRequest alloc] initWithJSONDictionary:json error:&error];
+    
+    XCTAssertNil(error);
+    XCTAssertNotNil(request);
+    XCTAssertEqualObjects(@"29a788ca-7bcf-4732-b23c-c8d294347e5b", request.clientId);
+    XCTAssertEqualObjects(@"user.read openid profile offline_access", request.scopes);
+    XCTAssertEqualObjects(@"https://login.microsoft.com", request.redirectUri);
+    XCTAssertTrue(request.canShowUI);
+    XCTAssertNotNil(request.correlationId.UUIDString);
+}
+
 - (void)testInitWithJSONDictionary_whenAuthorityInvalid_shouldFail
 {
     __auto_type json = @{
diff --git a/IdentityCore/tests/MSIDBrowserNativeMessageSignOutRequestTests.m b/IdentityCore/tests/MSIDBrowserNativeMessageSignOutRequestTests.m
@@ -113,4 +113,24 @@ - (void)testInitWithJSONDictionary_whenCorrelationIdNotProvided_shouldGenerateCo
     XCTAssertNotNil(request.correlationId.UUIDString);
 }
 
+- (void)testInitWithJSONDictionary_whenCorrelationIdProvidedInWrongFormat_shouldGenerateCorrelationId
+{
+    __auto_type json = @{
+        @"method": @"SignOut",
+        @"accountId": @"uid.utid",
+        @"correlationId": @"abc",
+        @"sender": @"https://localhost:8000"
+    };
+    
+    NSError *error;
+    __auto_type request = [[MSIDBrowserNativeMessageSignOutRequest alloc] initWithJSONDictionary:json error:&error];
+    
+    XCTAssertNil(error);
+    XCTAssertNotNil(request);
+    XCTAssertEqualObjects(@"https://localhost:8000", request.sender.absoluteString);
+    XCTAssertEqualObjects(@"uid", request.accountId.uid);
+    XCTAssertEqualObjects(@"utid", request.accountId.utid);
+    XCTAssertNotNil(request.correlationId.UUIDString);
+}
+
 @end
