Merge pull request #1136 from microsoft/feature/disallow-allowed-hosts-urls-that-includes-protocol

throw an error if allowed hosts url starts with http/https protocol

Author: koros

packages/abstractions/src/authentication/allowedHostsValidator.ts

@@ -6,6 +6,7 @@ export class AllowedHostsValidator {
    * @param allowedHosts A list of valid hosts.  If the list is empty, all hosts are valid.
    */
   public constructor(allowedHosts: Set<string> = new Set<string>()) {
+    this.validateHosts(allowedHosts);
     this.allowedHosts = allowedHosts ?? new Set<string>();
   }
   /**
@@ -20,6 +21,7 @@ export class AllowedHostsValidator {
    * @param allowedHosts A list of valid hosts.  If the list is empty, all hosts are valid.
    */
   public setAllowedHosts(allowedHosts: Set<string>): void {
+    this.validateHosts(allowedHosts);
     this.allowedHosts = allowedHosts;
   }
   /**
@@ -59,4 +61,15 @@ export class AllowedHostsValidator {
     }
     return false;
   }
+
+  private validateHosts(hostsToValidate: Set<string>) {
+    if(!hostsToValidate) {
+      throw new Error("hostsToValidate cannot be null");
+    }
+    hostsToValidate.forEach(host => {
+      if(host.toLowerCase().startsWith("http://") || host.toLowerCase().startsWith("https://")) {
+        throw new Error("host should not contain http or https prefix");
+      }
+    });
+  }
 }

packages/abstractions/src/authentication/validateProtocol.ts

@@ -10,7 +10,7 @@ function windowUrlStartsWithHttps(): boolean {
     return typeof window !== "undefined" && typeof window.location !== "undefined" && (window.location.protocol as string).toLowerCase() !== "https:";
 }
 
-export function isLocalhostUrl(urlString: string) {
+export function isLocalhostUrl(urlString: string): boolean {
     try {
         const url = new URL(urlString);
         return localhostStrings.has(url.hostname);

packages/abstractions/test/common/authentication/allowedHostsValidator.ts

@@ -0,0 +1,40 @@
+import { expect } from "chai";
+import { AllowedHostsValidator } from "../../../src/authentication";
+
+describe('AllowedHostsValidator', () => {
+  let validator: AllowedHostsValidator;
+
+  beforeEach(() => {
+    validator = new AllowedHostsValidator(new Set(['example.com', 'test.com']));
+  });
+
+  it('constructor should validate hosts', () => {
+    expect(() => new AllowedHostsValidator(new Set(['http://invalid.com']))).to.throw('host should not contain http or https prefix');
+  });
+
+  it('getAllowedHosts should return correct hosts', () => {
+    expect(JSON.stringify(validator.getAllowedHosts())).to.equal(JSON.stringify(['example.com', 'test.com']));
+  });
+
+  it('setAllowedHosts should update allowed hosts', () => {
+    validator.setAllowedHosts(new Set(['newhost.com']));
+    expect(JSON.stringify(validator.getAllowedHosts())).to.equal(JSON.stringify(['newhost.com']));
+  });
+
+  it('setAllowedHosts should validate new hosts', () => {
+    expect(() => validator.setAllowedHosts(new Set(['https://invalid.com']))).to.throw('host should not contain http or https prefix');
+  });
+
+  it('isUrlHostValid should return true for valid hosts', () => {
+    expect(validator.isUrlHostValid('http://example.com/path')).to.be.true;
+    expect(validator.isUrlHostValid('http://test.com/path')).to.be.true;
+  });
+
+  it('isUrlHostValid should return false for invalid hosts', () => {
+    expect(validator.isUrlHostValid('http://invalid.com/path')).to.be.false;
+  });
+
+  it('isUrlHostValid should return false for invalid URLs', () => {
+    expect(validator.isUrlHostValid('invalid')).to.be.false;
+  });
+});