Add .NET 9,.NET 10. Drop .NET 10. Upgrade to latest L3 specification draft. #24
…OptionsFactory` and enhance certificate handling logic in tests. Fix all tests.
…ss to simplify NET version-specific conditional logic and improve comments readability.
| var element = JsonSerializer.Deserialize<JsonElement>(json); | ||
| var intendedJson = JsonSerializer.Serialize(element, _jsonSerializerOptions); | ||
| _logger.LogInformation($"Request {context.Request.Method} {context.Request.GetEncodedPathAndQuery()}{Environment.NewLine}Body:{Environment.NewLine}{intendedJson}"); | ||
| _logger.LogRequestInformation(context.Request.Method, context.Request.GetEncodedPathAndQuery(), intendedJson); |
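Review bot: Replacing the interpolated `_logger.LogInformation($"Request {..}...")` call with `LogRequestInformation(method, pathAndQuery, intendedJson)` is a good move towards templated logging, but on its own it does not resolve the CodeQL finding attached to this line: a plain-text sink still writes the three values verbatim, so a CR/LF in any of them forges a new log entry. Two further points on the same region: the full request body is written at Information level on every request, which is a lot of client-supplied data in production logs (consider gating body logging behind Debug or a development-only option), and the `JsonSerializer.Deserialize<JsonElement>(json)` two lines above will throw on a body that is not valid JSON before the endpoint ever sees the request, so it should be guarded rather than left to surface as a middleware exception.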
Check failure: Code scanning / CodeQL
Log entries created from user input (High): user-provided value
Copilot Autofix (AI, about 1 month ago)
The best way to fix this issue is to sanitize any user-controlled values before logging them. Specifically, the HTTP method (context.Request.Method), path and query (context.Request.GetEncodedPathAndQuery()), and body (intendedJson) should be stripped of any new line or carriage return characters that could lead to log spoofing. For plain text logs, using string.Replace("\r", "") and string.Replace("\n", "") will remove line breaks. The changes should be made in the middleware, prior to logging (i.e., in InvokeAsync). Only these arguments need to be sanitized before being passed to the logger.
Thus, update the arguments on line 41 as follows:
- Sanitize context.Request.Method
- Sanitize context.Request.GetEncodedPathAndQuery()
- Sanitize intendedJson

No new imports are needed; use string.Replace methods.
| @@ -38,7 +38,11 @@ | ||
| var json = Encoding.UTF8.GetString(ms.ToArray()); | ||
| var element = JsonSerializer.Deserialize<JsonElement>(json); | ||
| var intendedJson = JsonSerializer.Serialize(element, _jsonSerializerOptions); | ||
| _logger.LogRequestInformation(context.Request.Method, context.Request.GetEncodedPathAndQuery(), intendedJson); | ||
| // Sanitize user-controlled values to prevent log forging | ||
| string sanitizedMethod = context.Request.Method.Replace("\r", "").Replace("\n", ""); | ||
| string sanitizedPathAndQuery = context.Request.GetEncodedPathAndQuery().Replace("\r", "").Replace("\n", ""); | ||
| string sanitizedIntendedJson = intendedJson.Replace("\r", "").Replace("\n", ""); | ||
| _logger.LogRequestInformation(sanitizedMethod, sanitizedPathAndQuery, sanitizedIntendedJson); | ||
| await next(context); | ||
| } | ||
| } |
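Review bot: The `sanitizedIntendedJson` line in this hunk is the weak part of the fix. `intendedJson` is the output of `JsonSerializer.Serialize(element, _jsonSerializerOptions)`, and System.Text.Json escapes control characters inside string values, so the serialized body cannot carry a raw line break from the client; the only "\n" characters it can contain are the ones WriteIndented emits, and if `_jsonSerializerOptions` enables indentation, `Replace("\n", "")` collapses the formatting that line just produced. For `sanitizedMethod` and `sanitizedPathAndQuery`, deleting "\r" and "\n" does neutralize line forging, but it also erases the evidence that a forgery was attempted and leaves every other control character (ESC, backspace, etc.) untouched; consider a helper that escapes control characters to visible sequences such as `\r` and `\n` instead, and apply it to the two request values only.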
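The sanitization the autofix above describes, as an added example that is not code from this PR or the project: a constructed request path carrying a CRLF forges a second entry when written verbatim, a sanitizer that escapes control characters (rather than deleting them, so the attempt stays visible in the log) neutralizes it, and System.Text.Json shows why the re-serialized body's line breaks come from WriteIndented rather than from the client. `LogSanitizer` and the sample path and body are assumptions constructed for the example.

```csharp
using System;
using System.Text;
using System.Text.Json;

// Added example, not part of the PR: escape control characters in
// user-controlled values before they reach a plain-text log sink.
static class LogSanitizer
{
    // A forged line break is rendered as the literal text "\n", so it
    // can never start a new log entry, and the attempt remains readable.
    public static string Sanitize(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\r': sb.Append("\\r"); break;
                case '\n': sb.Append("\\n"); break;
                case '\t': sb.Append("\\t"); break;
                default:
                    if (char.IsControl(c)) sb.Append($"\\u{(int)c:X4}");
                    else sb.Append(c);
                    break;
            }
        }
        return sb.ToString();
    }
}

class Program
{
    static void Main()
    {
        // Constructed hostile path: a decoded CRLF followed by a fake entry.
        string path = "/webauthn/assertion\r\nINFO: admin login OK from 10.0.0.1";
        Console.WriteLine($"Unsanitized: Request POST {path}");
        Console.WriteLine($"Sanitized:   Request POST {LogSanitizer.Sanitize(path)}");

        // Constructed body: the JSON escape \n inside the string value becomes
        // a real newline after Deserialize, but Serialize escapes it again, so
        // the only line breaks in the output are WriteIndented's own.
        string body = "{\"id\":\"abc\\nforged\"}";
        var element = JsonSerializer.Deserialize<JsonElement>(body);
        string indented = JsonSerializer.Serialize(element,
            new JsonSerializerOptions { WriteIndented = true });
        Console.WriteLine(indented);
    }
}
```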
…ification links with stable references.
…ticationResponseJSON`.
…WebAuthn Level 3 specification links.
…thn specification link and improve comments readability.
… specification links and improve comments readability
…specification links and improve comments readability
…n specification links and improve comments readability
… specification link and improve comments readability
…specification links and improve comments readability
…uthn specification links and improve comments readability
…thentication response handling while updating WebAuthn links with stable references.
…specification links and improve readability.
…specification links.
…n specification links and improve comments readability.
…able WebAuthn specification links and improve comments readability
…le WebAuthn specification links and improve comments readability
… specification links and refine comments for clarity
… stable WebAuthn specification links and refine comments for clarity
…etAttestationStatementVerifier` documentation to use stable WebAuthn specification links and refine comments for clarity
…to use stable WebAuthn specification links
… use stable WebAuthn specification links
…able WebAuthn specification links
…e WebAuthn specification links
…ble WebAuthn specification links
… WebAuthn specification links
…cation links and remove unused `GetRootRsaKeys` method
…rename existing files for contextual clarity, and add a new certificate.
…to use stable WebAuthn specification links and improve comment clarity
…WebAuthn specification links and refine comment clarity
…roidSafetyNetRoots` documentation to use stable WebAuthn specification links and improve comment clarity
…ion to use stable WebAuthn specification links and improve comment clarity
…Authn specification links
…use stable WebAuthn specification links
… stable WebAuthn specification links
…WebAuthn specification links
…se stable WebAuthn specification links
…foDecoder` documentation to use stable WebAuthn specification links
…ble WebAuthn specification links
…PathValidator` documentation to use stable WebAuthn specification links
…specification links
…otAttestedAuthenticatorData`, `AttestedAuthenticatorData`, and `DefaultChallengeGenerator`
…specification links
…le updating to stable WebAuthn links in client data processing
No description provided.