|
2 | 2 | // Licensed under the MIT License. |
3 | 3 |
|
4 | 4 | #nullable enable |
| 5 | +using System; |
5 | 6 | using System.Collections.Generic; |
6 | 7 | using System.Linq; |
7 | 8 | using System.Net; |
| 9 | +using System.Net.Http; |
8 | 10 | using System.Security.Claims; |
9 | 11 | using System.Threading.Tasks; |
10 | 12 | using Azure.DataApiBuilder.Config.ObjectModel; |
@@ -344,6 +346,50 @@ await SendRequestAndGetHttpContextState( |
344 | 346 | ignoreCase: true); |
345 | 347 | } |
346 | 348 |
|
| 349 | + /// <summary> |
| 350 | + /// Tests we ensure that an invalid query in the EasyAuth header does not result in a successful request. |
| 351 | + /// </summary> |
| 352 | + [TestMethod] |
| 353 | + public async Task TestInvalidQueryInHeader() |
| 354 | + { |
| 355 | + string header = @" |
| 356 | + { |
| 357 | + ""auth_typ"":""aad"", |
| 358 | + ""claims"":[ |
| 359 | + { |
| 360 | + ""typ"":""x', N'v'; |
| 361 | + SET IDENTITY_INSERT authors ON; |
| 362 | + INSERT INTO authors (id, name, birthdate) VALUES (10001, 'Hidden Author', '2001-01-01'); |
| 363 | + SET IDENTITY_INSERT authors OFF; |
| 364 | + SELECT 1 AS inserted FOR JSON PATH, WITHOUT_ARRAY_WRAPPER; |
| 365 | + --"", |
| 366 | + ""val"":""x"" |
| 367 | + } |
| 368 | + ] |
| 369 | + }"; |
| 370 | + |
| 371 | + string generatedToken = Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(header)); |
| 372 | + HttpContext postMiddlewareContext = |
| 373 | + await SendRequestAndGetHttpContextState( |
| 374 | + generatedToken, |
| 375 | + EasyAuthType.StaticWebApps, |
| 376 | + clientRoleHeader: "authenticated"); |
| 377 | + Assert.AreEqual(expected: (int)HttpStatusCode.OK, actual: postMiddlewareContext.Response.StatusCode); |
| 378 | + |
| 379 | + using IHost host = await WebHostBuilderHelper.CreateWebHost(EasyAuthType.StaticWebApps.ToString(), false); |
| 380 | + TestServer server = host.GetTestServer(); |
| 381 | + HttpClient client = server.CreateClient(); |
| 382 | + |
| 383 | + HttpRequestMessage request = new(HttpMethod.Get, $"api/Author/id/10001"); |
| 384 | + HttpResponseMessage response = await client.SendAsync(request); |
| 385 | + string responseBody = await response.Content.ReadAsStringAsync(); |
| 386 | + |
| 387 | + Assert.IsFalse(responseBody.Contains($"\"id\":10001"), |
| 388 | + "The GET request should not return the invalid row."); |
| 389 | + Assert.IsFalse(responseBody.Contains("Hidden Author"), |
| 390 | + "The GET request should not return any information related to the invalid row."); |
| 391 | + } |
| 392 | + |
347 | 393 | /// <summary> |
348 | 394 | /// - Ensures an invalid EasyAuth header payload results in HTTP 401 Unauthorized response |
349 | 395 | /// A correctly configured EasyAuth environment guarantees an EasyAuth payload for authenticated requests. |
|
0 commit comments