Merge pull request #253 from MindscapeHQ/Security-improvements

Security improvements

AssemblyVersionInfo.cs

@@ -12,5 +12,5 @@
 // You can specify all the values or you can default the Build and Revision Numbers
 // by using the '*' as shown below:
 // [assembly: AssemblyVersion("1.0.*")]
-[assembly: AssemblyVersion("5.0.1.0")]
-[assembly: AssemblyFileVersion("5.0.1.0")]
+[assembly: AssemblyVersion("5.0.2.0")]
+[assembly: AssemblyFileVersion("5.0.2.0")]

Mindscape.Raygun4Net.Core.nuspec

@@ -2,7 +2,7 @@
 <package xmlns="http://schemas.microsoft.com/packaging/2010/07/nuspec.xsd">
   <metadata minClientVersion="2.5">
     <id>Mindscape.Raygun4Net.Core</id>
-    <version>5.0.1</version>
+    <version>5.0.2</version>
     <title />
     <authors>Mindscape</authors>
     <owners />

Mindscape.Raygun4Net.Mvc.nuspec

@@ -2,7 +2,7 @@
 <package xmlns="http://schemas.microsoft.com/packaging/2010/07/nuspec.xsd">
   <metadata minClientVersion="2.5">
     <id>Mindscape.Raygun4Net.Mvc</id>
-    <version>5.0.1</version>
+    <version>5.0.2</version>
     <title />
     <authors>Mindscape</authors>
     <owners />
@@ -12,7 +12,7 @@
     <projectUrl>https://github.com/MindscapeHQ/raygun4net</projectUrl>
     <licenseUrl>https://raw.github.com/MindscapeHQ/raygun4net/master/LICENSE</licenseUrl>
     <dependencies>
-      <dependency id="Mindscape.Raygun4Net.Core" version="5.0.1" />
+      <dependency id="Mindscape.Raygun4Net.Core" version="5.0.2" />
     </dependencies>
   </metadata>
   <files>

Mindscape.Raygun4Net.Signed.nuspec

@@ -2,7 +2,7 @@
 <package xmlns="http://schemas.microsoft.com/packaging/2010/07/nuspec.xsd">
   <metadata minClientVersion="2.5">
     <id>Mindscape.Raygun4Net.Signed</id>
-    <version>5.0.1</version>
+    <version>5.0.2</version>
     <title />
     <authors>Mindscape</authors>
     <owners />

Mindscape.Raygun4Net.Tests/Mindscape.Raygun4Net.Tests.csproj

@@ -51,6 +51,7 @@
     <Compile Include="Model\FakeHttpApplication.cs" />
     <Compile Include="Model\FakeRaygunClient.cs" />
     <Compile Include="Model\FakeRaygunHttpModule.cs" />
+    <Compile Include="Model\FakeRaygunRequestMessageBuilder.cs" />
     <Compile Include="Model\GenericException.cs" />
     <Compile Include="Model\WrapperException.cs" />
     <Compile Include="Properties\AssemblyInfo.cs" />

Mindscape.Raygun4Net.Tests/Model/FakeRaygunRequestMessageBuilder.cs

@@ -0,0 +1,22 @@
+using System;
+using System.Collections.Generic;
+using System.Collections.Specialized;
+using System.Linq;
+using System.Text;
+using Mindscape.Raygun4Net.Builders;
+
+namespace Mindscape.Raygun4Net.Tests
+{
+  public class FakeRaygunRequestMessageBuilder : RaygunRequestMessageBuilder
+  {
+    public static Dictionary<string, string> ExposeGetIgnoredFormValues(NameValueCollection form, Func<string, bool> ignore)
+    {
+      return GetIgnoredFormValues(form, ignore);
+    }
+
+    public static string ExposeStripIgnoredFormData(string rawData, Dictionary<string, string> ignored)
+    {
+      return StripIgnoredFormData(rawData, ignored);
+    }
+  }
+}

Mindscape.Raygun4Net.Tests/RaygunRequestMessageTests.cs

@@ -1,5 +1,6 @@
 using System;
 using System.Collections.Generic;
+using System.Collections.Specialized;
 using System.Linq;
 using System.Reflection;
 using System.Web;
@@ -379,5 +380,50 @@ private int CookieCount(RaygunRequestMessage message, string name)
       }
       return count;
     }
+
+    // Helper method tests
+
+    [Test]
+    public void GetIgnoredFormValues()
+    {
+      var options = new RaygunRequestMessageOptions(new string[] { "Password" }, Enumerable.Empty<string>(), Enumerable.Empty<string>(), Enumerable.Empty<string>());
+      NameValueCollection form = new NameValueCollection();
+      form.Add("Key", "Value");
+      form.Add("Password", "p");
+
+      Dictionary<string, string> ignored = FakeRaygunRequestMessageBuilder.ExposeGetIgnoredFormValues(form, options.IsFormFieldIgnored);
+
+      Assert.AreEqual(1, ignored.Count);
+      Assert.AreEqual("Password", ignored.Keys.First());
+      Assert.AreEqual("p", ignored["Password"]);
+    }
+
+    [Test]
+    public void GetIgnoredFormValues_MultipleIgnores()
+    {
+      var options = new RaygunRequestMessageOptions(new string[] { "Password", "SensitiveNumber" }, Enumerable.Empty<string>(), Enumerable.Empty<string>(), Enumerable.Empty<string>());
+      NameValueCollection form = new NameValueCollection();
+      form.Add("SensitiveNumber", "7");
+      form.Add("Key", "Value");
+      form.Add("Password", "p");
+
+      Dictionary<string, string> ignored = FakeRaygunRequestMessageBuilder.ExposeGetIgnoredFormValues(form, options.IsFormFieldIgnored);
+
+      Assert.AreEqual(2, ignored.Count);
+      Assert.IsTrue(ignored.Keys.Contains("Password"));
+      Assert.AreEqual("p", ignored["Password"]);
+      Assert.IsTrue(ignored.Keys.Contains("SensitiveNumber"));
+      Assert.AreEqual("7", ignored["SensitiveNumber"]);
+    }
+
+    [Test]
+    public void StripIgnoredFormData()
+    {
+      string rawData = "------WebKitFormBoundarye64VBkpu4PoxFbpl Content-Disposition: form-data; name=\"Password\"\r\n\r\nsecret ------WebKitFormBoundarye64VBkpu4PoxFbpl--";
+      Dictionary<string, string> ignored = new Dictionary<string, string>() { { "Password", "secret" } };
+      rawData = FakeRaygunRequestMessageBuilder.ExposeStripIgnoredFormData(rawData, ignored);
+
+      Assert.AreEqual("------WebKitFormBoundarye64VBkpu4PoxFbpl Content-Disposition: form-data;  ------WebKitFormBoundarye64VBkpu4PoxFbpl--", rawData);
+    }
   }
 }

Mindscape.Raygun4Net.WebApi.nuspec

@@ -2,7 +2,7 @@
 <package xmlns="http://schemas.microsoft.com/packaging/2010/07/nuspec.xsd">
   <metadata minClientVersion="2.5">
     <id>Mindscape.Raygun4Net.WebApi</id>
-    <version>5.0.1</version>
+    <version>5.0.2</version>
     <title />
     <authors>Mindscape</authors>
     <owners />
@@ -12,7 +12,7 @@
     <projectUrl>https://github.com/MindscapeHQ/raygun4net</projectUrl>
     <licenseUrl>https://raw.github.com/MindscapeHQ/raygun4net/master/LICENSE</licenseUrl>
     <dependencies>
-      <dependency id="Mindscape.Raygun4Net.Core" version="5.0.1" />
+      <dependency id="Mindscape.Raygun4Net.Core" version="5.0.2" />
     </dependencies>
   </metadata>
   <files>

Mindscape.Raygun4Net.WebApi/Builders/RaygunWebApiRequestMessageBuilder.cs

@@ -2,6 +2,7 @@
 using System;
 using System.Collections;
 using System.Collections.Generic;
+using System.Globalization;
 using System.Linq;
 using System.Net.Http;
 
@@ -25,16 +26,25 @@ public static RaygunRequestMessage Build(HttpRequestMessage request, RaygunReque
       message.Form = ToDictionary(request.GetQueryNameValuePairs(), options.IsFormFieldIgnored);
       message.QueryString = ToDictionary(request.GetQueryNameValuePairs(), s => false);
 
+      SetHeaders(message, request, options.IsHeaderIgnored);
+
       if (!options.IsRawDataIgnored)
       {
-        object body;
-        if (request.Properties.TryGetValue(RaygunWebApiDelegatingHandler.RequestBodyKey, out body))
+        string contentType = null;
+        if (message.Headers != null && message.Headers.Contains("Content-Type"))
         {
-          message.RawData = body.ToString();
+          contentType = (string)message.Headers["Content-Type"];
         }
-      }
 
-      SetHeaders(message, request, options.IsHeaderIgnored);
+        if (contentType == null || CultureInfo.InvariantCulture.CompareInfo.IndexOf(contentType, "application/x-www-form-urlencoded", CompareOptions.IgnoreCase) < 0)
+        {
+          object body;
+          if (request.Properties.TryGetValue(RaygunWebApiDelegatingHandler.RequestBodyKey, out body))
+          {
+            message.RawData = body.ToString();
+          }
+        }
+      }
 
       return message;
     }
@@ -99,7 +109,7 @@ private static void SetHeaders(RaygunRequestMessage message, HttpRequestMessage
       }
       catch (Exception ex)
       {
-        System.Diagnostics.Trace.WriteLine("Error retrieving Headers and RawData {0}", ex.Message);
+        System.Diagnostics.Trace.WriteLine("Error retrieving Headers: {0}", ex.Message);
       }
     }
   }

Mindscape.Raygun4Net.nuspec

@@ -2,7 +2,7 @@
 <package xmlns="http://schemas.microsoft.com/packaging/2010/07/nuspec.xsd">
   <metadata minClientVersion="2.5">
     <id>Mindscape.Raygun4Net</id>
-    <version>5.0.1</version>
+    <version>5.0.2</version>
     <title />
     <authors>Mindscape</authors>
     <owners />

Mindscape.Raygun4Net/Builders/RaygunRequestMessageBuilder.cs

@@ -2,6 +2,7 @@
 using System.Collections;
 using System.Collections.Generic;
 using System.Collections.Specialized;
+using System.Globalization;
 using System.IO;
 using System.Linq;
 using System.Text;
@@ -43,12 +44,18 @@ public static RaygunRequestMessage Build(HttpRequest request, RaygunRequestMessa
       {
         try
         {
+          // Don't send the raw request data at all if the content-type is urlencoded
           var contentType = request.Headers["Content-Type"];
-          if (contentType != "text/html" && contentType != "application/x-www-form-urlencoded" && request.RequestType != "GET")
+          if (contentType != "text/html" && (contentType == null || CultureInfo.InvariantCulture.CompareInfo.IndexOf(contentType, "application/x-www-form-urlencoded", CompareOptions.IgnoreCase) < 0) && request.RequestType != "GET")
           {
             int length = 4096;
             request.InputStream.Seek(0, SeekOrigin.Begin);
             string temp = new StreamReader(request.InputStream).ReadToEnd();
+
+            // If we made it this far, strip out any values that have been marked as ignored form fields
+            Dictionary<string, string> ignored = GetIgnoredFormValues(request.Form, options.IsFormFieldIgnored);
+            temp = StripIgnoredFormData(temp, ignored);
+
             if (length > temp.Length)
             {
               length = temp.Length;
@@ -65,6 +72,29 @@ public static RaygunRequestMessage Build(HttpRequest request, RaygunRequestMessa
       return message;
     }
 
+    protected static Dictionary<string, string> GetIgnoredFormValues(NameValueCollection form, Func<string, bool> ignore)
+    {
+      Dictionary<string, string> ignoredFormValues = new Dictionary<string, string>();
+      foreach (string key in form.Keys)
+      {
+        if (ignore(key))
+        {
+          ignoredFormValues.Add(key, form[key]);
+        }
+      }
+      return ignoredFormValues;
+    }
+
+    protected static string StripIgnoredFormData(string rawData, Dictionary<string, string> ignored)
+    {
+      foreach (string key in ignored.Keys)
+      {
+        string toRemove = "name=\"" + key + "\"\r\n\r\n" + ignored[key];
+        rawData = rawData.Replace(toRemove, "");
+      }
+      return rawData;
+    }
+
     private static string GetIpAddress(HttpRequest request)
     {
       string strIp = null;

XamarinComponent/raygun4net/component/component.yaml

@@ -19,5 +19,5 @@ libraries:
   ios: lib/ios/Mindscape.Raygun4Net.Xamarin.iOS.dll
   ios-unified: lib/ios-unified/Mindscape.Raygun4Net.Xamarin.iOS.Unified.dll
   android: lib/android/Mindscape.Raygun4Net.Xamarin.Android.dll
-version: 5.0.1
+version: 5.0.2
 ...