add proper URI validation to duo host (#1984)

2025-06-30 23:52:50 -05:00 · 2022-05-09 12:00:05 -04:00
parent 43be1d3647
commit a5bfc0554b
2 changed files with 20 additions and 1 deletions
--- a/src/Core/Utilities/DuoApi.cs
+++ b/src/Core/Utilities/DuoApi.cs
@ -35,6 +35,21 @@ namespace Bit.Core.Utilities.Duo
            _ikey = ikey;
            _skey = skey;
            _host = host;
+
+            if (!ValidHost(host))
+            {
+                throw new DuoException("Invalid Duo host configured.", new ArgumentException(nameof(host)));
+            }
+        }
+
+        public static bool ValidHost(string host)
+        {
+            if (Uri.TryCreate($"https://{host}", UriKind.Absolute, out var uri))
+            {
+                return uri.Host.StartsWith("api-") &&
+                    (uri.Host.EndsWith(".duosecurity.com") || uri.Host.EndsWith(".duofederal.com"));
+            }
+            return false;
        }

        public static string CanonicalizeParams(Dictionary<string, string> parameters)
@ -246,6 +261,10 @@ namespace Bit.Core.Utilities.Duo
    {
        public int HttpStatus { get; private set; }

+        public DuoException(string message, Exception inner)
+            : base(message, inner)
+        { }
+
        public DuoException(int httpStatus, string message, Exception inner)
            : base(message, inner)
        {