From 0901e196c173b216a20d87f05fba8d905bd1e1a7 Mon Sep 17 00:00:00 2001
From: Warren Parad
Date: Mon, 22 Jan 2024 20:14:10 +0100
Subject: [PATCH] Sanitize incoming urls everywhere.
---
.../Client/AuthressClientTokenProvider.cs | 5 +++--
src/Authress.SDK/Client/HttpClientProvider.cs | 12 ++++++++++--
src/Authress.SDK/Client/TokenVerifier.cs | 2 +-
src/Authress.SDK/Utilities/Sanitizers.cs | 2 +-
.../Client/Tokenverifier/VerifyTokenTests.cs | 3 ++-
5 files changed, 17 insertions(+), 7 deletions(-)
diff --git a/src/Authress.SDK/Client/AuthressClientTokenProvider.cs b/src/Authress.SDK/Client/AuthressClientTokenProvider.cs
index 1b00365..be0f091 100644
--- a/src/Authress.SDK/Client/AuthressClientTokenProvider.cs
+++ b/src/Authress.SDK/Client/AuthressClientTokenProvider.cs
@@ -7,6 +7,7 @@
using System.Text;
using System.Threading.Tasks;
using System.Web;
+using Authress.SDK.Utilities;
using Microsoft.IdentityModel.Tokens;
using Newtonsoft.Json;
using NSec.Cryptography;
@@ -68,8 +69,8 @@ public AuthressClientTokenProvider(string accessKeyBase64, string authressCustom
private string GetIssuer(string authressCustomDomainFallback = null)
{
- var rawDomain = (this.authressCustomDomain ?? authressCustomDomainFallback ?? resolvedAuthressCustomDomain).Replace("https://", "");
- return $"https://{rawDomain}/v1/clients/{System.Web.HttpUtility.UrlEncode(this.accessKey.ClientId)}";
+ var rawDomain = Sanitizers.SanitizeUrl(this.authressCustomDomain ?? authressCustomDomainFallback ?? resolvedAuthressCustomDomain);
+ return $"{rawDomain}/v1/clients/{System.Web.HttpUtility.UrlEncode(this.accessKey.ClientId)}";
}
private static SigningCredentials GetSigningCredentials(string pem, string keyId)
diff --git a/src/Authress.SDK/Client/HttpClientProvider.cs b/src/Authress.SDK/Client/HttpClientProvider.cs
index 0ea9b66..84be505 100644
--- a/src/Authress.SDK/Client/HttpClientProvider.cs
+++ b/src/Authress.SDK/Client/HttpClientProvider.cs
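Review bot: GetIssuer now splices the sanitizer's output straight into the `iss` value, so whether a configured domain with a trailing slash becomes `https://host//v1/clients/...` depends entirely on SanitizeUrl, whose visible tail in this patch only prepends a scheme; the fact that RewriteBaseUrlHandler still has to normalise the trailing slash itself suggests the sanitizer does not. The removed line at least handled an explicit `https://` prefix; the new line relies on an earlier branch of SanitizeUrl that this diff does not show returning scheme-bearing input unchanged, so please confirm that. Since verifiers compare the issuer byte-for-byte, I would normalise here regardless: `var rawDomain = Sanitizers.SanitizeUrl(this.authressCustomDomain ?? authressCustomDomainFallback ?? resolvedAuthressCustomDomain).TrimEnd('/');`. The doc comment could add `// Issuer must match the iss claim exactly: scheme-qualified host, no trailing slash`.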
@@ -2,6 +2,7 @@
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
+using Authress.SDK.Utilities;
namespace Authress.SDK.Client
{
@@ -37,10 +38,16 @@ public class HttpClientSettings
///
public class AuthressSettings
{
+ private string apiBasePath = "https://api.authress.io";
///
/// Authress Domain Host: https://authress.company.com (Get an authress custom domain: https://authress.io/app/#/settings?focus=domain)
///
- public string ApiBasePath { get; set; } = "https://api.authress.io";
+ public string ApiBasePath {
+ get { return apiBasePath; }
+ set {
+ apiBasePath = Sanitizers.SanitizeUrl(value);
+ }
+ }
///
/// Timeout for requests to Authress. Default is unset.
@@ -169,8 +176,9 @@ internal class RewriteBaseUrlHandler : DelegatingHandler
{
private readonly Uri baseUrl;
- public RewriteBaseUrlHandler(HttpMessageHandler innerHandler, string baseUrl) : base(innerHandler)
+ public RewriteBaseUrlHandler(HttpMessageHandler innerHandler, string originalBaseUrl) : base(innerHandler)
{
+ var baseUrl = Sanitizers.SanitizeUrl(originalBaseUrl);
this.baseUrl = new Uri(baseUrl.EndsWith("/") ? baseUrl : baseUrl + "/");
}
diff --git a/src/Authress.SDK/Client/TokenVerifier.cs b/src/Authress.SDK/Client/TokenVerifier.cs
index 66af9ad..71dffbf 100644
--- a/src/Authress.SDK/Client/TokenVerifier.cs
+++ b/src/Authress.SDK/Client/TokenVerifier.cs
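Review bot: The new ApiBasePath setter hands `value` to Sanitizers.SanitizeUrl unconditionally, and the part of that method visible in this patch calls `Regex.IsMatch(urlString, ...)`, which throws ArgumentNullException on null input; unless the branch above line 13 of Sanitizers.cs (not in the diff) returns early on null or whitespace, `settings.ApiBasePath = null` now fails inside the setter with a regex-flavoured exception rather than later at `new Uri`. Failing early is fine, but it should be deliberate and named: `if (string.IsNullOrWhiteSpace(value)) { throw new ArgumentException("ApiBasePath must be a host name or URL", nameof(value)); }` before the sanitizer call. The XML doc on the property should also say that the stored value is normalised (a scheme is added, and `localhost` gets `http://`), since the getter no longer returns exactly what the caller assigned.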
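Review bot: On the path through AuthressSettings, `originalBaseUrl` has already been run through Sanitizers.SanitizeUrl by the ApiBasePath setter in this same patch, so the constructor sanitises a second time and is only correct if SanitizeUrl is idempotent; the visible tail of SanitizeUrl unconditionally prepends `http://` or `https://`, so idempotence rests on the earlier branch of that method, which the diff does not show, returning scheme-bearing input untouched. I would pin that with a unit test rather than rely on it, e.g. `Assert.Equal("https://api.authress.io", Sanitizers.SanitizeUrl(Sanitizers.SanitizeUrl("api.authress.io")));`. A comment on the new line, `// SanitizeUrl is idempotent, so re-sanitising an already-normalised ApiBasePath is safe`, would record the assumption for the next reader. The class continues outside the hunk.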
@@ -196,7 +196,7 @@ private VerifiedUserIdentity VerifySignature(string jwtToken, Jwk key) {
case 3: jwtTokenSignature += "="; break;
}
- var edDsaPublicKey = NSec.Cryptography.PublicKey.Import(ed25519alg, Convert.FromBase64String(keyAsString), KeyBlobFormat.PkixPublicKey);
+ var edDsaPublicKey = NSec.Cryptography.PublicKey.Import(ed25519alg, Convert.FromBase64String("MCowBQYDK2VwAyEA" + keyAsString), KeyBlobFormat.PkixPublicKey);
var signatureData = Convert.FromBase64String(jwtTokenSignature);
if (!SignatureAlgorithm.Ed25519.Verify(edDsaPublicKey, data, signatureData)) {
throw new TokenVerificationException($"Unauthorized: Token Signature is not valid.");
diff --git a/src/Authress.SDK/Utilities/Sanitizers.cs b/src/Authress.SDK/Utilities/Sanitizers.cs
index 9e6404e..b2de374 100644
--- a/src/Authress.SDK/Utilities/Sanitizers.cs
+++ b/src/Authress.SDK/Utilities/Sanitizers.cs
@@ -13,7 +13,7 @@ internal static string SanitizeUrl(string urlString) {
}
if (Regex.IsMatch(urlString, @"^localhost", RegexOptions.IgnoreCase)) {
- return "http://{url}";
+ return $"http://{urlString}";
}
return $"https://{urlString}";
diff --git a/tests/Authress.SDK/Client/Tokenverifier/VerifyTokenTests.cs b/tests/Authress.SDK/Client/Tokenverifier/VerifyTokenTests.cs
index 7884dec..8c05105 100644
--- a/tests/Authress.SDK/Client/Tokenverifier/VerifyTokenTests.cs
+++ b/tests/Authress.SDK/Client/Tokenverifier/VerifyTokenTests.cs
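Review bot: Prepending `"MCowBQYDK2VwAyEA"` (the DER SubjectPublicKeyInfo header for Ed25519: OID 1.3.101.112 followed by a 33-byte BIT STRING) to `keyAsString` is only correct when `keyAsString` is exactly the raw 32-byte public key; if a JWK ever carries a full SPKI blob, as the test fixture did before this patch, Import receives 44 bytes of key material and either fails or, depending on how strict NSec's PKIX parser is about trailing data, imports the wrong key. The base64 concatenation itself is sound because the prefix is 12 bytes, a multiple of 3, so no padding boundary is crossed. I would decode and check the length before prepending, and name the constant: `var rawKey = Convert.FromBase64String(keyAsString);` then `if (rawKey.Length != 32) { throw new TokenVerificationException("Unauthorized: Unsupported public key encoding in JWK."); }`, with `// Ed25519 SPKI header (OID 1.3.101.112 + 32-byte BIT STRING), base64 of 12 bytes so it concatenates cleanly` on the prefix. Where `keyAsString` comes from, and both ends of VerifySignature, are outside the hunk.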
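Review bot: With the interpolation fixed, the `http://` downgrade on the new line actually takes effect, and its trigger on the line above, `Regex.IsMatch(urlString, @"^localhost", RegexOptions.IgnoreCase)`, is a prefix match: `localhost.example.com`, `localhost-api.internal` or `localhostevil.io` all get plain `http://` too, which turns a typo or hostile configuration value into a cleartext call to whatever that host is. Anchor the match to the host itself, e.g. `@"^localhost(?=$|[:/])"`, so only `localhost`, `localhost:8080` and `localhost/...` qualify. Now that the branch is reachable it deserves tests: `Assert.Equal("http://localhost:8080", Sanitizers.SanitizeUrl("localhost:8080"));` and `Assert.Equal("https://localhost.example.com", Sanitizers.SanitizeUrl("localhost.example.com"));`. SanitizeUrl's opening lines, including whatever the `}` at the top of the hunk closes, are outside the hunk.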
@@ -29,7 +29,8 @@ public class VerifyTokenTests {
private static string authressCustomDomain = "https://unit-test-customdomain.authress.io";
- private static (string, string) eddsaKeys = ("MC4CAQAwBQYDK2VwBCIEIHWOlqpfN1YdPSAvAZlSxOyZs0v0jnOj3flvG4ezJ8/R", "MCowBQYDK2VwAyEAP1ghjuexanmp5hYgSYRvbFJirquynaCyolH3vHb9JCE=");
+ // Prefix MCowBQYDK2VwAyEA is inferred by the configuration of the JWK
+ private static (string, string) eddsaKeys = ("MC4CAQAwBQYDK2VwBCIEIHWOlqpfN1YdPSAvAZlSxOyZs0v0jnOj3flvG4ezJ8/R", "P1ghjuexanmp5hYgSYRvbFJirquynaCyolH3vHb9JCE=");
[Fact]
public async Task ValidateEddsaToken() {
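Review bot: The new comment on the fixture does not say what the prefix is or who adds it, so a reader cannot tell whether the public key is meant to be raw or SPKI-encoded; I would replace it with `// Raw 32-byte Ed25519 public key (44 base64 chars); TokenVerifier prepends the DER SubjectPublicKeyInfo header MCowBQYDK2VwAyEA before import`. The private key on the left is still a full PKCS#8 blob while the public key is now raw, which is correct for this patch but worth one more clause in the comment so the asymmetry is not "fixed" later. Since the old fixture carried a full SPKI public key, a companion test asserting that such a key is now rejected (rather than silently misparsed) would lock in the contract the TokenVerifier change introduces.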