fix: harden www redirect against open redirect

BenjaminMichaelis · BenjaminMichaelis · commit d053d3e312a6 · 2026-05-15T19:38:26.000-07:00
diff --git a/EssentialCSharp.Web/Program.cs b/EssentialCSharp.Web/Program.cs
@@ -430,6 +430,17 @@ await context.HttpContext.Response.WriteAsync(
         // Configure the HTTP request pipeline.
         if (!app.Environment.IsDevelopment())
         {
+            SiteSettings siteSettings = app.Services.GetRequiredService<IOptions<SiteSettings>>().Value;
+            if (!Uri.TryCreate(siteSettings.BaseUrl, UriKind.Absolute, out Uri? configuredBaseUri))
+            {
+                throw new InvalidOperationException($"Invalid {SiteSettings.SectionName}:{nameof(SiteSettings.BaseUrl)} value: '{siteSettings.BaseUrl}'.");
+            }
+            string apexHost = configuredBaseUri.Host.StartsWith("www.", StringComparison.OrdinalIgnoreCase)
+                ? configuredBaseUri.Host[4..]
+                : configuredBaseUri.Host;
+            string wwwHost = $"www.{apexHost}";
+            string redirectAuthority = new UriBuilder(configuredBaseUri) { Host = apexHost }.Uri.GetLeftPart(UriPartial.Authority);
+
             app.UseExceptionHandler(exceptionApp =>
             {
                 exceptionApp.Run(async context =>
@@ -494,14 +505,13 @@ await McpJsonRpcResponseWriter.WriteErrorAsync(
                 .AddDefaultSecurePolicy()
                 .AddContentSecurityPolicy(csp));
 
-            // Redirect www.essentialcsharp.com → essentialcsharp.com (permanent 301)
+            // Redirect configured www host to configured apex host (permanent 301).
             // Must be after UseForwardedHeaders so the Host header reflects the real hostname.
             app.Use(async (context, next) =>
             {
-                if (context.Request.Host.Host.StartsWith("www.", StringComparison.OrdinalIgnoreCase))
+                if (string.Equals(context.Request.Host.Host, wwwHost, StringComparison.OrdinalIgnoreCase))
                 {
-                    string apexHost = context.Request.Host.Host[4..];
-                    string redirectUrl = $"{context.Request.Scheme}://{apexHost}{context.Request.PathBase}{context.Request.Path}{context.Request.QueryString}";
+                    string redirectUrl = $"{redirectAuthority}{context.Request.PathBase}{context.Request.Path}{context.Request.QueryString}";
                     context.Response.Redirect(redirectUrl, permanent: true);
                     return;
                 }
