From e2ff13aa14991029af3c8b5d65a4503220a1b15d Mon Sep 17 00:00:00 2001
From: Thomas Rittson <31796059+eliykat@users.noreply.github.com>
Date: Tue, 8 Jun 2021 14:34:36 -0700
Subject: [PATCH] Require valid Send-Id header for access requests (#1381)
* Require valid Send-Id header for access requests
* Require valid Send-Id header for Send file access
* Add ICurrentContext to Send controller test
---
 src/Api/Controllers/SendsController.cs | 20 ++++++++++++++++++-
 .../Controllers/SendsControllerTests.cs | 6 +++++-
 2 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/src/Api/Controllers/SendsController.cs b/src/Api/Controllers/SendsController.cs
index 438a3db62b..b77716680a 100644
--- a/src/Api/Controllers/SendsController.cs
+++ b/src/Api/Controllers/SendsController.cs
@@ -11,6 +11,7 @@ using Bit.Core.Utilities;
 using Bit.Core.Settings;
 using Bit.Core.Models.Api.Response;
 using Bit.Core.Enums;
+using Bit.Core.Context;
 using Microsoft.Azure.EventGrid.Models;
 using Bit.Api.Utilities;
 using System.Collections.Generic;
@@ -31,6 +32,7 @@ namespace Bit.Api.Controllers
 private readonly ISendFileStorageService _sendFileStorageService;
 private readonly ILogger _logger;
 private readonly GlobalSettings _globalSettings;
+ private readonly ICurrentContext _currentContext;
 public SendsController(
 ISendRepository sendRepository,
@@ -38,7 +40,8 @@ namespace Bit.Api.Controllers
 ISendService sendService,
 ISendFileStorageService sendFileStorageService,
 ILogger logger,
- GlobalSettings globalSettings)
+ GlobalSettings globalSettings,
+ ICurrentContext currentContext)
 {
 _sendRepository = sendRepository;
 _userService = userService;
@@ -46,12 +49,20 @@ namespace Bit.Api.Controllers
 _sendFileStorageService = sendFileStorageService;
 _logger = logger;
 _globalSettings = globalSettings;
+ _currentContext = currentContext;
 }
 [AllowAnonymous]
 [HttpPost("access/{id}")]
 public async Task Access(string id, [FromBody] SendAccessRequestModel model)
 {
+ // Uncomment whenever we want to require the `send-id` header
+//if (!_currentContext.HttpContext.Request.Headers.ContainsKey("Send-Id") ||
+// _currentContext.HttpContext.Request.Headers["Send-Id"] != id)
+//{
+// throw new BadRequestException("Invalid Send-Id header.");
+//}
+
 var guid = new Guid(CoreHelpers.Base64UrlDecode(id));
 var (send, passwordRequired, passwordInvalid) = await _sendService.AccessAsync(guid, model.Password);
@@ -83,6 +94,13 @@ namespace Bit.Api.Controllers
 public async Task GetSendFileDownloadData(string encodedSendId, string fileId, [FromBody] SendAccessRequestModel model)
 {
+ // Uncomment whenever we want to require the `send-id` header
+//if (!_currentContext.HttpContext.Request.Headers.ContainsKey("Send-Id") ||
+// _currentContext.HttpContext.Request.Headers["Send-Id"] != encodedSendId)
+//{
+// throw new BadRequestException("Invalid Send-Id header.");
+//}
+
 var sendId = new Guid(CoreHelpers.Base64UrlDecode(encodedSendId));
 var send = await _sendRepository.GetByIdAsync(sendId);
diff --git a/test/Api.Test/Controllers/SendsControllerTests.cs b/test/Api.Test/Controllers/SendsControllerTests.cs
index 33786b88dc..a1595ec91c 100644
--- a/test/Api.Test/Controllers/SendsControllerTests.cs
+++ b/test/Api.Test/Controllers/SendsControllerTests.cs
@@ -1,5 +1,6 @@
 using AutoFixture.Xunit2;
 using Bit.Api.Controllers;
+using Bit.Core.Context;
 using Bit.Core.Enums;
 using Bit.Core.Models.Api;
 using Bit.Core.Models.Table;
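Review bot: The Send-Id guard added at the top of Access is entirely commented out, so this hunk injects `_currentContext` but never reads it and the header is not actually required on the anonymous access endpoint, which contradicts the commit title; the same applies to the GetSendFileDownloadData hunk at @@ -83,6 +94,13 @@. If the check is meant to ship disabled, the comment should say why and reference the tracking item instead of leaving dead code, e.g. `// TODO([tracking-ref]): enable Send-Id header enforcement once clients send it`. If it is meant to be live, a single lookup with an explicit ordinal comparison is preferable to ContainsKey plus the indexer: `if (!_currentContext.HttpContext.Request.Headers.TryGetValue("Send-Id", out var sendIdHeader) || !string.Equals(sendIdHeader, id, StringComparison.Ordinal))`, and the resulting 400 should get a test that sets the header on the substituted ICurrentContext. The bodies of both actions continue outside the hunks.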
@@ -28,6 +29,7 @@ namespace Bit.Api.Test.Controllers
 private readonly ISendService _sendService;
 private readonly ISendFileStorageService _sendFileStorageService;
 private readonly ILogger _logger;
+ private readonly ICurrentContext _currentContext;
 public SendsControllerTests()
 {
@@ -37,6 +39,7 @@ namespace Bit.Api.Test.Controllers
 _sendFileStorageService = Substitute.For();
 _globalSettings = new GlobalSettings();
 _logger = Substitute.For>();
+ _currentContext = Substitute.For();
 _sut = new SendsController(
 _sendRepository,
@@ -44,7 +47,8 @@ namespace Bit.Api.Test.Controllers
 _sendService,
 _sendFileStorageService,
 _logger,
- _globalSettings
+ _globalSettings,
+ _currentContext
 );
 }