try more changes

Author: DeagleGross

src/Antiforgery/src/Internal/BinaryBlob.cs

@@ -10,7 +10,7 @@ namespace Microsoft.AspNetCore.Antiforgery;
 // Represents a binary blob (token) that contains random data.
 // Useful for binary data inside a serialized stream.
 [DebuggerDisplay("{DebuggerString}")]
-internal sealed class BinaryBlob : IEquatable<BinaryBlob>
+internal sealed class BinaryBlob : IEquatable<BinaryBlob>, IEquatable<ReadOnlySpan<byte>>
 {
     private readonly byte[] _data;
 
@@ -50,6 +50,16 @@ public override bool Equals(object? obj)
         return Equals(obj as BinaryBlob);
     }
 
+    public bool Equals(ReadOnlySpan<byte> other)
+    {
+        if (other.Length != _data.Length)
+        {
+            return false;
+        }
+
+        return AreSpanEqual(_data, other);
+    }
+
     public bool Equals(BinaryBlob? other)
     {
         if (other == null)
@@ -58,7 +68,7 @@ public bool Equals(BinaryBlob? other)
         }
 
         Debug.Assert(_data.Length == other._data.Length);
-        return AreByteArraysEqual(_data, other._data);
+        return AreSpanEqual(_data, other._data);
     }
 
     public byte[] GetData()
@@ -83,16 +93,16 @@ private static byte[] GenerateNewToken(int bitLength)
 
     // Need to mark it with NoInlining and NoOptimization attributes to ensure that the
     // operation runs in constant time.
-    [MethodImplAttribute(MethodImplOptions.NoInlining | MethodImplOptions.NoOptimization)]
-    private static bool AreByteArraysEqual(byte[] a, byte[] b)
+    [MethodImpl(MethodImplOptions.NoInlining | MethodImplOptions.NoOptimization)]
+    private static bool AreSpanEqual(ReadOnlySpan<byte> a, ReadOnlySpan<byte> b)
     {
-        if (a == null || b == null || a.Length != b.Length)
+        if (a.Length != b.Length)
         {
             return false;
         }
 
         var areEqual = true;
-        for (var i = 0; i < a.Length; i++)
+        for (int i = 0; i < a.Length; i++)
         {
             areEqual &= (a[i] == b[i]);
         }

src/Antiforgery/src/Internal/DefaultAntiforgeryTokenGenerator.cs

@@ -1,6 +1,7 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
+using System.Buffers;
 using System.Diagnostics.CodeAnalysis;
 using System.Security.Claims;
 using System.Security.Principal;
@@ -137,15 +138,28 @@ public bool TryValidateTokenSet(
 
         // Is the incoming token meant for the current user?
         var currentUsername = string.Empty;
-        BinaryBlob? currentClaimUid = null;
 
         var authenticatedIdentity = GetAuthenticatedIdentity(httpContext.User);
         if (authenticatedIdentity != null)
         {
-            currentClaimUid = GetClaimUidBlob(_claimUidExtractor.ExtractClaimUid(httpContext.User));
-            if (currentClaimUid == null)
+            var claimUidBytes = ArrayPool<byte>.Shared.Rent(1024);
+            try
             {
-                currentUsername = authenticatedIdentity.Name ?? string.Empty;
+                _claimUidExtractor.ExtractClaimUid(httpContext.User, claimUidBytes.AsSpan(), out var bytesWritten);
+                if (bytesWritten is 0)
+                {
+                    currentUsername = authenticatedIdentity.Name ?? string.Empty;
+                }
+
+                if (requestToken.ClaimUid?.Equals(claimUidBytes.AsSpan(0, bytesWritten)) != true)
+                {
+                    message = Resources.AntiforgeryToken_ClaimUidMismatch;
+                    return false;
+                }
+            }
+            finally
+            {
+                ArrayPool<byte>.Shared.Return(claimUidBytes);
             }
         }
 
@@ -164,14 +178,8 @@ public bool TryValidateTokenSet(
             return false;
         }
 
-        if (!object.Equals(requestToken.ClaimUid, currentClaimUid))
-        {
-            message = Resources.AntiforgeryToken_ClaimUidMismatch;
-            return false;
-        }
-
         // Is the AdditionalData valid?
-        if (_additionalDataProvider != null &&
+        if (_additionalDataProvider is not null &&
             !_additionalDataProvider.ValidateAdditionalData(httpContext, requestToken.AdditionalData))
         {
             message = Resources.AntiforgeryToken_AdditionalDataCheckFailed;

src/Antiforgery/src/Internal/DefaultClaimUidExtractor.cs

@@ -2,11 +2,11 @@
 // The .NET Foundation licenses this file to you under the MIT license.
 
 using System.Buffers;
-using System.Buffers.Binary;
 using System.Diagnostics;
 using System.Security.Claims;
 using System.Security.Cryptography;
 using System.Text;
+using Microsoft.AspNetCore.Shared;
 using Microsoft.Extensions.ObjectPool;
 
 namespace Microsoft.AspNetCore.Antiforgery;
@@ -23,6 +23,22 @@ public DefaultClaimUidExtractor(ObjectPool<AntiforgerySerializationContext> pool
         _pool = pool;
     }
 
+    /// <inheritdoc />
+    public void ExtractClaimUid(ClaimsPrincipal claimsPrincipal, Span<byte> destination, out int bytesWritten)
+    {
+        Debug.Assert(claimsPrincipal != null);
+
+        var uniqueIdentifierParameters = GetUniqueIdentifierParameters(claimsPrincipal.Identities);
+        if (uniqueIdentifierParameters == null)
+        {
+            // No authenticated identities containing claims found.
+            bytesWritten = 0;
+            return;
+        }
+
+        ComputeSha256(uniqueIdentifierParameters, destination, out bytesWritten);
+    }
+
     /// <inheritdoc />
     public string? ExtractClaimUid(ClaimsPrincipal claimsPrincipal)
     {
@@ -37,9 +53,7 @@ public DefaultClaimUidExtractor(ObjectPool<AntiforgerySerializationContext> pool
 
         // todo skip allocations here as well
         var claimUidBytes = ComputeSha256(uniqueIdentifierParameters);
-
-        Convert.TryToBase64Chars(claimUidBytes, out var str, out int charsWritten);
-        return str.ToString;
+        return Convert.ToBase64String(claimUidBytes);
     }
 
     public static IList<string>? GetUniqueIdentifierParameters(IEnumerable<ClaimsIdentity> claimsIdentities)
@@ -125,53 +139,42 @@ public DefaultClaimUidExtractor(ObjectPool<AntiforgerySerializationContext> pool
         return identifierParameters;
     }
 
-    private void ComputeSha256(IEnumerable<string> parameters, Span<byte> output)
+    private static void ComputeSha256(IEnumerable<string> parameters, Span<byte> output, out int bytesWritten)
     {
-        // compute total size
-        int totalSize = 0;
+        int estimatedSize = 0;
         foreach (var param in parameters)
         {
             int byteCount = Encoding.UTF8.GetByteCount(param);
-            totalSize += 4 + byteCount; // 4 bytes for length prefix
+            estimatedSize += 5 + byteCount; // max 5 bytes for 7-bit length + content
         }
 
-        byte[]? rented = null;
-        var buffer = totalSize <= 256
-            ? stackalloc byte[256]
-            : (rented = ArrayPool<byte>.Shared.Rent(totalSize));
-        buffer = buffer[..totalSize];
+        byte[] buffer = ArrayPool<byte>.Shared.Rent(estimatedSize);
 
         try
         {
             int offset = 0;
-
             foreach (var param in parameters)
             {
                 int byteCount = Encoding.UTF8.GetByteCount(param);
 
-                // Write 4-byte length prefix
-                BinaryPrimitives.WriteInt32LittleEndian(buffer.Slice(offset, 4), byteCount);
-                offset += 4;
+                // Write 7-bit encoded length prefix
+                offset += buffer.AsSpan(offset).Write7BitEncodedInt(byteCount);
 
                 // Write UTF-8 bytes
-                Encoding.UTF8.GetBytes(param, buffer.Slice(offset, byteCount));
+                Encoding.UTF8.GetBytes(param, buffer.AsSpan(offset, byteCount));
                 offset += byteCount;
             }
 
-            SHA256.TryHashData(buffer.Slice(0, totalSize), output, out int bytesWritten);
+            SHA256.TryHashData(buffer.AsSpan(0, offset), output, out bytesWritten);
             Debug.Assert(bytesWritten == 32);
         }
         finally
         {
-            buffer.Clear(); // security ?
-            if (rented is not null)
-            {
-                ArrayPool<byte>.Shared.Return(rented);
-            }
+            ArrayPool<byte>.Shared.Return(buffer);
         }
     }
 
-    private byte[] ComputeSha256StreamWriter(IEnumerable<string> parameters)
+    private byte[] ComputeSha256(IEnumerable<string> parameters)
     {
         var serializationContext = _pool.Get();
 

src/Antiforgery/src/Internal/IClaimUidExtractor.cs

@@ -10,6 +10,14 @@ namespace Microsoft.AspNetCore.Antiforgery;
 /// </summary>
 internal interface IClaimUidExtractor
 {
+    /// <summary>
+    /// Extracts claims identifier and writes to <paramref name="destination"/>.
+    /// </summary>
+    /// <param name="claimsPrincipal">The <see cref="ClaimsPrincipal"/>.</param>
+    /// <param name="destination">destination for claimUid bytes</param>
+    /// <param name="bytesWritten">length of bytes written to <paramref name="destination"/></param>
+    void ExtractClaimUid(ClaimsPrincipal claimsPrincipal, Span<byte> destination, out int bytesWritten);
+
     /// <summary>
     /// Extracts claims identifier.
     /// </summary>

src/Antiforgery/test/DefaultAntiforgeryTokenGeneratorTest.cs

@@ -6,6 +6,7 @@
 using System.Security.Cryptography;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.InternalTesting;
+using Microsoft.Extensions.ObjectPool;
 using Moq;
 
 namespace Microsoft.AspNetCore.Antiforgery.Internal;
@@ -401,12 +402,13 @@ public void TryValidateTokenSet_UsernameMismatch(string identityUsername, string
             IsCookieToken = false
         };
 
-        var mockClaimUidExtractor = new Mock<IClaimUidExtractor>();
-        mockClaimUidExtractor.Setup(o => o.ExtractClaimUid(It.Is<ClaimsPrincipal>(c => c.Identity == identity)))
-                             .Returns((string)null);
+        var mockClaimUidExtractor = new MockClaimUidExtractor(bytesFunc: (claims, bytes) =>
+        {
+            return 0;
+        });
 
         var tokenProvider = new DefaultAntiforgeryTokenGenerator(
-            claimUidExtractor: mockClaimUidExtractor.Object,
+            claimUidExtractor: mockClaimUidExtractor,
             additionalDataProvider: null);
 
         string expectedMessage =
@@ -439,12 +441,16 @@ public void TryValidateTokenSet_ClaimUidMismatch()
         };
 
         var differentToken = new BinaryBlob(256);
-        var mockClaimUidExtractor = new Mock<IClaimUidExtractor>();
-        mockClaimUidExtractor.Setup(o => o.ExtractClaimUid(It.Is<ClaimsPrincipal>(c => c.Identity == identity)))
-                             .Returns(Convert.ToBase64String(differentToken.GetData()));
+
+        var mockClaimUidExtractor = new MockClaimUidExtractor(
+            bytesFunc: (claimsPrincipal, bytes) =>
+            {
+                bytes = differentToken.GetData();
+                return differentToken.BitLength;
+            });
 
         var tokenProvider = new DefaultAntiforgeryTokenGenerator(
-            claimUidExtractor: mockClaimUidExtractor.Object,
+            claimUidExtractor: mockClaimUidExtractor,
             additionalDataProvider: null);
 
         string expectedMessage =
@@ -542,18 +548,27 @@ public void TryValidateTokenSet_Success_AuthenticatedUserWithUsername()
         var cookieToken = new AntiforgeryToken() { IsCookieToken = true };
         var fieldtoken = new AntiforgeryToken()
         {
+            ClaimUid = new BinaryBlob(32),
             SecurityToken = cookieToken.SecurityToken,
             Username = "THE-USER",
             IsCookieToken = false,
             AdditionalData = "some-additional-data"
         };
 
+        var mockClaimUidExtractor = new MockClaimUidExtractor(
+            (claimsPrincipal, bytes) =>
+            {
+                var data = fieldtoken.ClaimUid.GetData();
+                data.CopyTo(bytes);
+                return data.Length;
+            });
+
         var mockAdditionalDataProvider = new Mock<IAntiforgeryAdditionalDataProvider>();
         mockAdditionalDataProvider.Setup(o => o.ValidateAdditionalData(httpContext, "some-additional-data"))
                                   .Returns(true);
 
         var tokenProvider = new DefaultAntiforgeryTokenGenerator(
-            claimUidExtractor: new Mock<IClaimUidExtractor>().Object,
+            claimUidExtractor: mockClaimUidExtractor,
             additionalDataProvider: mockAdditionalDataProvider.Object);
 
         // Act
@@ -616,5 +631,39 @@ public override string Name
             get { return String.Empty; }
         }
     }
+
+    private class MockClaimUidExtractor : IClaimUidExtractor
+    {
+        private readonly Func<ClaimsPrincipal, Span<byte>, int> _bytesFunc;
+        private readonly Func<ClaimsPrincipal, string> _claimsFunc;
+
+        public MockClaimUidExtractor(
+            Func<ClaimsPrincipal, Span<byte>, int> bytesFunc = null,
+            Func<ClaimsPrincipal, string> claimsFunc = null)
+        {
+            _bytesFunc = bytesFunc;
+            _claimsFunc = claimsFunc;
+        }
+
+        public void ExtractClaimUid(ClaimsPrincipal claimsPrincipal, Span<byte> destination, out int bytesWritten)
+        {
+            if (_bytesFunc is null)
+            {
+                throw new NotImplementedException($"Explicitly define {nameof(_bytesFunc)} invocation for testing");
+            }
+
+            bytesWritten = _bytesFunc(claimsPrincipal, destination);
+        }
+
+        public string ExtractClaimUid(ClaimsPrincipal claimsPrincipal)
+        {
+            if (_claimsFunc is null)
+            {
+                throw new NotImplementedException($"Explicitly define {nameof(_claimsFunc)} invocation for testing");
+            }
+
+            return _claimsFunc(claimsPrincipal);
+        }
+    }
 }
 #nullable restore