Merged
Changes from 5 commits
33 changes: 30 additions & 3 deletions xml/System/Uri.xml
Expand Up @@ -188,6 +188,36 @@ Uri uri1 = new Uri("C:/test/path/file.txt") // Implicit file path.
Uri uri2 = new Uri("file:///C:/test/path/file.txt") // Explicit file path.
```
These implicit file paths are not compliant with the URI specification and so should be avoided when possible. When using .NET Core on Unix-based systems, implicit file paths can be especially problematic, because an absolute implicit file path is *indistinguishable* from a relative path. When such ambiguity is present, <xref:System.Uri> default to interpreting the path as an absolute URI.

## Security Considerations

Because of security concerns, your application should use caution when accepting <xref:System.Uri> instances from untrusted sources and with `dontEscape` set to `true`. You can check a URI string for validity by calling the <xref:System.Uri.IsWellFormedOriginalString%2A> method.

When dealing with untrusted user input, confirm assumptions about the newly created `Uri` instance before trusting its properties.
This can be done in the following way:

```csharp
string userInput = ...;

Uri baseUri = new Uri("https://myWebsite/files/");

if (!Uri.TryCreate(baseUri, userInput, out Uri newUri))
{
// Fail: invalid input.
}

if (!baseUri.IsBaseOf(newUri))
{
// Fail: the Uri base has been modified - the created Uri is not rooted in the original directory.
}
```

This validation can be used in other cases, like when dealing with UNC paths, by simply changing the `baseUri`:

```csharp
Uri baseUri = new Uri(@"\\host\share\some\directory\name\");
```


## Performance Considerations
If you use a *Web.config *file that contains URIs to initialize your application, additional time is required to process the URIs if their scheme identifiers are nonstandard. In such a case, initialize the affected parts of your application when the URIs are needed, not at start time.
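Review bot: in the first C# sample under "Security Considerations", both `if` blocks contain only a comment, so code copied as written falls through after a failed `Uri.TryCreate` and reaches `baseUri.IsBaseOf(newUri)` with a null `newUri`. Likewise, nothing stops `newUri` from being used after the `IsBaseOf` check fails. Suggest making each failure path explicit with a `return` or `throw` inside the block, and replacing `string userInput = ...;` with a declaration that compiles. It would also be worth stating that the trailing slash in `https://myWebsite/files/` (and the trailing `\` in the UNC example) is significant, since the check is presented as confirming that the result stays rooted in the original directory and a reader who drops the slash changes what counts as the base.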
Expand All @@ -203,9 +233,6 @@ Uri uri2 = new Uri("file:///C:/test/path/file.txt") // Explicit file path.

]]></format>
</remarks>
<block subset="none" type="usage">
<para>Because of security concerns, your application should use caution when accepting <see cref="T:System.Uri" /> instances from untrusted sources and with <paramref name="dontEscape" /> set to <see langword="true" />.You can check a URI string for validity by calling the <see cref="M:System.Uri.IsWellFormedOriginalString" /> method.</para>
</block>
<altmember cref="T:System.Configuration.IdnElement" />
<altmember cref="T:System.Configuration.IriParsingElement" />
<altmember cref="T:System.Configuration.UriSection" />
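Review bot: the `<para>` removed here tied `dontEscape` to a `<paramref>` and `true` to a `<see langword>`, while the replacement text added to the Markdown remarks has only a backticked `dontEscape` with no indication of which constructor overload it belongs to. Suggest naming or cross-referencing that overload in the new "Security Considerations" section so the warning still points at something a reader can look up once this usage block is gone.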