Merge source code from aspnet/BasicMiddleware

Author: Nate McMaster

src/Middleware/HostFiltering/sample/HostFilteringSample.csproj

@@ -0,0 +1,26 @@
+<Project Sdk="Microsoft.NET.Sdk.Web">
+
+  <PropertyGroup>
+    <TargetFrameworks>netcoreapp2.1;net461</TargetFrameworks>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <Reference Include="Microsoft.AspNetCore.HostFiltering" />
+    <Reference Include="Microsoft.AspNetCore.Server.Kestrel" />
+    <Reference Include="Microsoft.Extensions.Configuration.Json" />
+    <Reference Include="Microsoft.Extensions.Logging.Console" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <Content Update="appsettings.Development.json">
+      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+    </Content>
+    <Content Update="appsettings.json">
+      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+    </Content>
+    <Content Update="appsettings.Production.json">
+      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+    </Content>
+  </ItemGroup>
+
+</Project>

src/Middleware/HostFiltering/sample/Program.cs

@@ -0,0 +1,37 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.Logging;
+
+namespace HostFilteringSample
+{
+    public class Program
+    {
+        public static void Main(string[] args)
+        {
+            BuildWebHost(args).Run();
+        }
+
+        public static IWebHost BuildWebHost(string[] args)
+        {
+            var hostBuilder = new WebHostBuilder()
+                .ConfigureLogging((_, factory) =>
+                {
+                    factory.SetMinimumLevel(LogLevel.Debug);
+                    factory.AddConsole();
+                })
+                .ConfigureAppConfiguration((hostingContext, config) =>
+                {
+                    var env = hostingContext.HostingEnvironment;
+                    config.AddJsonFile("appsettings.json", optional: true, reloadOnChange: true)
+                          .AddJsonFile($"appsettings.{env.EnvironmentName}.json", optional: true, reloadOnChange: true);
+                })
+                .UseKestrel()
+                .UseStartup<Startup>();
+
+            return hostBuilder.Build();
+        }
+    }
+}

src/Middleware/HostFiltering/sample/Properties/launchSettings.json

@@ -0,0 +1,27 @@
+{
+  "iisSettings": {
+    "windowsAuthentication": false,
+    "anonymousAuthentication": true,
+    "iisExpress": {
+      "applicationUrl": "http://localhost:14124/",
+      "sslPort": 0
+    }
+  },
+  "profiles": {
+    "IIS Express": {
+      "commandName": "IISExpress",
+      "launchBrowser": true,
+      "environmentVariables": {
+        "ASPNETCORE_ENVIRONMENT": "Development"
+      }
+    },
+    "HostFilteringSample": {
+      "commandName": "Project",
+      "launchBrowser": true,
+      "environmentVariables": {
+        "ASPNETCORE_ENVIRONMENT": "Development"
+      },
+      "applicationUrl": "http://localhost:14125/"
+    }
+  }
+}

src/Middleware/HostFiltering/sample/Startup.cs

@@ -0,0 +1,57 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Collections.Generic;
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.HostFiltering;
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Options;
+
+namespace HostFilteringSample
+{
+    public class Startup
+    {
+        public IConfiguration Config { get; }
+
+        public Startup(IConfiguration config)
+        {
+            Config = config;
+        }
+
+        public void ConfigureServices(IServiceCollection services)
+        {
+            services.AddHostFiltering(options =>
+            {
+
+            });
+
+            // Fallback
+            services.PostConfigure<HostFilteringOptions>(options =>
+            {
+                if (options.AllowedHosts == null || options.AllowedHosts.Count == 0)
+                {
+                    // "AllowedHosts": "localhost;127.0.0.1;[::1]"
+                    var hosts = Config["AllowedHosts"]?.Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries);
+                    // Fall back to "*" to disable.
+                    options.AllowedHosts = (hosts?.Length > 0 ? hosts : new[] { "*" });
+                }
+            });
+            // Change notification
+            services.AddSingleton<IOptionsChangeTokenSource<HostFilteringOptions>>(new ConfigurationChangeTokenSource<HostFilteringOptions>(Config));
+        }
+
+        public void Configure(IApplicationBuilder app, IHostingEnvironment env)
+        {
+            app.UseHostFiltering();
+
+            app.Run(context =>
+            {
+                return context.Response.WriteAsync("Hello World! " + context.Request.Host);
+            });
+        }
+    }
+}

src/Middleware/HostFiltering/sample/appsettings.Development.json

@@ -0,0 +1,3 @@
+{
+  "AllowedHosts": "localhost;127.0.0.1;[::1]"
+}

src/Middleware/HostFiltering/sample/appsettings.Production.json

@@ -0,0 +1,3 @@
+{
+  "AllowedHosts": "example.com;localhost"
+}

src/Middleware/HostFiltering/sample/appsettings.json

@@ -0,0 +1,3 @@
+{
+
+}

src/Middleware/HostFiltering/src/HostFilteringBuilderExtensions.cs

@@ -0,0 +1,32 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using Microsoft.AspNetCore.HostFiltering;
+
+namespace Microsoft.AspNetCore.Builder
+{
+    /// <summary>
+    /// Extension methods for the HostFiltering middleware.
+    /// </summary>
+    public static class HostFilteringBuilderExtensions
+    {
+        /// <summary>
+        /// Adds middleware for filtering requests by allowed host headers. Invalid requests will be rejected with a
+        /// 400 status code.
+        /// </summary>
+        /// <param name="app">The <see cref="IApplicationBuilder"/> instance this method extends.</param>
+        /// <returns>The original <see cref="IApplicationBuilder"/>.</returns>
+        public static IApplicationBuilder UseHostFiltering(this IApplicationBuilder app)
+        {
+            if (app == null)
+            {
+                throw new ArgumentNullException(nameof(app));
+            }
+
+            app.UseMiddleware<HostFilteringMiddleware>();
+
+            return app;
+        }
+    }
+}

src/Middleware/HostFiltering/src/HostFilteringMiddleware.cs

@@ -0,0 +1,177 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+using Microsoft.Extensions.Primitives;
+using Microsoft.Net.Http.Headers;
+
+namespace Microsoft.AspNetCore.HostFiltering
+{
+    /// <summary>
+    /// A middleware used to filter requests by their Host header.
+    /// </summary>
+    public class HostFilteringMiddleware
+    {
+        // Matches Http.Sys.
+        private static readonly byte[] DefaultResponse = Encoding.ASCII.GetBytes(
+            "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\"\"http://www.w3.org/TR/html4/strict.dtd\">\r\n"
+            + "<HTML><HEAD><TITLE>Bad Request</TITLE>\r\n"
+            + "<META HTTP-EQUIV=\"Content-Type\" Content=\"text/html; charset=us-ascii\"></ HEAD >\r\n"
+            + "<BODY><h2>Bad Request - Invalid Hostname</h2>\r\n"
+            + "<hr><p>HTTP Error 400. The request hostname is invalid.</p>\r\n"
+            + "</BODY></HTML>");
+
+        private readonly RequestDelegate _next;
+        private readonly ILogger<HostFilteringMiddleware> _logger;
+        private readonly IOptionsMonitor<HostFilteringOptions> _optionsMonitor;
+        private HostFilteringOptions _options;
+        private IList<StringSegment> _allowedHosts;
+        private bool? _allowAnyNonEmptyHost;
+
+        /// <summary>
+        /// A middleware used to filter requests by their Host header.
+        /// </summary>
+        /// <param name="next"></param>
+        /// <param name="logger"></param>
+        /// <param name="optionsMonitor"></param>
+        public HostFilteringMiddleware(RequestDelegate next, ILogger<HostFilteringMiddleware> logger, 
+            IOptionsMonitor<HostFilteringOptions> optionsMonitor)
+        {
+            _next = next ?? throw new ArgumentNullException(nameof(next));
+            _logger = logger ?? throw new ArgumentNullException(nameof(logger));
+            _optionsMonitor = optionsMonitor ?? throw new ArgumentNullException(nameof(optionsMonitor));
+            _options = _optionsMonitor.CurrentValue;
+            _optionsMonitor.OnChange(options =>
+            {
+                // Clear the cached settings so the next EnsureConfigured will re-evaluate.
+                _options = options;
+                _allowedHosts = new List<StringSegment>();
+                _allowAnyNonEmptyHost = null;
+            });
+        }
+
+        /// <summary>
+        /// Processes requests
+        /// </summary>
+        /// <param name="context"></param>
+        /// <returns></returns>
+        public Task Invoke(HttpContext context)
+        {
+            var allowedHosts = EnsureConfigured();
+
+            if (!CheckHost(context, allowedHosts))
+            {
+                context.Response.StatusCode = 400;
+                if (_options.IncludeFailureMessage)
+                {
+                    context.Response.ContentLength = DefaultResponse.Length;
+                    context.Response.ContentType = "text/html";
+                    return context.Response.Body.WriteAsync(DefaultResponse, 0, DefaultResponse.Length);
+                }
+                return Task.CompletedTask;
+            }
+
+            return _next(context);
+        }
+
+        private IList<StringSegment> EnsureConfigured()
+        {
+            if (_allowAnyNonEmptyHost == true || _allowedHosts?.Count > 0)
+            {
+                return _allowedHosts;
+            }
+
+            var allowedHosts = new List<StringSegment>();
+            if (_options.AllowedHosts?.Count > 0 && !TryProcessHosts(_options.AllowedHosts, allowedHosts))
+            {
+                _logger.LogDebug("Wildcard detected, all requests with hosts will be allowed.");
+                _allowedHosts = allowedHosts;
+                _allowAnyNonEmptyHost = true;
+                return _allowedHosts;
+            }
+
+            if (allowedHosts.Count == 0)
+            {
+                throw new InvalidOperationException("No allowed hosts were configured.");
+            }
+
+            _logger.LogDebug("Allowed hosts: " + string.Join("; ", allowedHosts));
+            _allowedHosts = allowedHosts;
+            return _allowedHosts;
+        }
+
+        // returns false if any wildcards were found
+        private bool TryProcessHosts(IEnumerable<string> incoming, IList<StringSegment> results)
+        {
+            foreach (var entry in incoming)
+            {
+                // Punycode. Http.Sys requires you to register Unicode hosts, but the headers contain punycode.
+                var host = new HostString(entry).ToUriComponent();
+
+                if (IsTopLevelWildcard(host))
+                {
+                    // Disable filtering
+                    return false;
+                }
+
+                if (!results.Contains(host, StringSegmentComparer.OrdinalIgnoreCase))
+                {
+                    results.Add(host);
+                }
+            }
+
+            return true;
+        }
+
+        private bool IsTopLevelWildcard(string host)
+        {
+            return (string.Equals("*", host, StringComparison.Ordinal) // HttpSys wildcard
+                           || string.Equals("[::]", host, StringComparison.Ordinal) // Kestrel wildcard, IPv6 Any
+                           || string.Equals("0.0.0.0", host, StringComparison.Ordinal)); // IPv4 Any
+        }
+
+        // This does not duplicate format validations that are expected to be performed by the host.
+        private bool CheckHost(HttpContext context, IList<StringSegment> allowedHosts)
+        {
+            var host = new StringSegment(context.Request.Headers[HeaderNames.Host].ToString()).Trim();
+
+            if (StringSegment.IsNullOrEmpty(host))
+            {
+                // Http/1.0 does not require the host header.
+                // Http/1.1 requires the header but the value may be empty.
+                if (!_options.AllowEmptyHosts)
+                {
+                    _logger.LogInformation($"{context.Request.Protocol} request rejected due to missing or empty host header.");
+                    return false;
+                }
+                if (_logger.IsEnabled(LogLevel.Debug))
+                {
+                    _logger.LogDebug($"{context.Request.Protocol} request allowed with missing or empty host header.");
+                }
+                return true;
+            }
+
+            if (_allowAnyNonEmptyHost == true)
+            {
+                _logger.LogTrace($"All hosts are allowed.");
+                return true;
+            }
+
+            if (HostString.MatchesAny(host, allowedHosts))
+            {
+                _logger.LogTrace($"The host '{host}' matches an allowed host.");
+                return true;
+            }
+            
+            _logger.LogInformation($"The host '{host}' does not match an allowed host.");
+            return false;
+        }
+    }
+}