Validate hosts in collection

Author: Andrew Omondi

CHANGELOG.md

@@ -7,6 +7,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [1.7.6] - 2024-01-24
+
+### Changed
+
+- Improve AllowedHost validator to throw an error if `https://` or `http://` prefix is present in a allowed host value.(https://github.com/microsoft/kiota-abstractions-dotnet/issues/165)
+
 ## [1.7.5] - 2024-01-11
 
 ### Changed

Microsoft.Kiota.Abstractions.Tests/Authentication/AuthenticationTests.cs

@@ -1,4 +1,4 @@
-using System;
+using System;
 using System.Collections.Generic;
 using System.Linq;
 using System.Threading;
@@ -112,4 +112,25 @@ public void AllowedHostValidatorAllowsAllUrls(string urlToTest)
         Assert.True(validationResult);
         Assert.Empty(validator.AllowedHosts);
     }
+
+    [Theory]
+    [InlineData("https://graph.microsoft.com")] // https
+    [InlineData("http://graph.microsoft.us")] // http
+    [InlineData("HTTPS://TEST.MICROSOFT.COM")] // https with upperCase
+    [InlineData("http://TEST.MICROSOFT.COM")] // http with upperCase
+    [InlineData("http://developer.microsoft.com,graph.microsoft.com")] // a valid and an invalid together
+    public void AllowedHostValidatorThrowsArgumentExceptionOnNonValidHost(string commaSeparatedHosts)
+    {
+        // Test through the constructor
+        // Arrange
+        var urlStrings = commaSeparatedHosts.Split(new char [] { ',' }, StringSplitOptions.RemoveEmptyEntries);
+
+        // Assert constructor throws
+        var exception = Assert.Throws<ArgumentException>(() => new AllowedHostsValidator(urlStrings));
+        Assert.Equal("host should not contain http or https prefix", exception.Message);
+        // Assert setter throws
+        var validator = new AllowedHostsValidator();
+        Assert.Throws<ArgumentException>(() => validator.AllowedHosts = urlStrings);
+        Assert.Equal("host should not contain http or https prefix", exception.Message);
+    }
 }

src/Microsoft.Kiota.Abstractions.csproj

@@ -14,7 +14,7 @@
     <PackageProjectUrl>https://aka.ms/kiota/docs</PackageProjectUrl>
     <EmbedUntrackedSources>true</EmbedUntrackedSources>
     <Deterministic>true</Deterministic>
-    <VersionPrefix>1.7.5</VersionPrefix>
+    <VersionPrefix>1.7.6</VersionPrefix>
     <VersionSuffix></VersionSuffix>
     <GeneratePackageOnBuild>true</GeneratePackageOnBuild>
     <SignAssembly>false</SignAssembly>

src/authentication/AllowedHostsValidator.cs

@@ -21,7 +21,9 @@ public class AllowedHostsValidator
         /// <param name="validHosts"> Collection of valid Hosts</param>
         public AllowedHostsValidator(IEnumerable<string>? validHosts = null)
         {
-            _allowedHosts = new HashSet<string>(validHosts ?? Array.Empty<string>(), StringComparer.OrdinalIgnoreCase);
+            validHosts ??= Array.Empty<string>();
+            ValidateHosts(validHosts);
+            _allowedHosts = new HashSet<string>(validHosts, StringComparer.OrdinalIgnoreCase);
         }
 
         /// <summary>
@@ -33,6 +35,7 @@ public IEnumerable<string> AllowedHosts
             set
             {
                 if(value is null) throw new ArgumentNullException(nameof(value));
+                ValidateHosts(value);
                 _allowedHosts = new HashSet<string>(value.Where(x => !string.IsNullOrEmpty(x)), StringComparer.OrdinalIgnoreCase);
             }
         }
@@ -49,5 +52,17 @@ public bool IsUrlHostValid(Uri uri)
         {
             return !_allowedHosts.Any() || _allowedHosts.Contains(uri.Host);
         }
+
+        private static void ValidateHosts(IEnumerable<string> hostsToValidate)
+        {
+            if(hostsToValidate is null) 
+                throw new ArgumentNullException(nameof(hostsToValidate));
+
+            if (hostsToValidate.Any(static host => host.StartsWith("http://", StringComparison.OrdinalIgnoreCase) 
+                                                || host.StartsWith("https://", StringComparison.OrdinalIgnoreCase)))
+            {
+                throw new ArgumentException("host should not contain http or https prefix");
+            }
+        }
     }
 }