Basic Authentication user ID was not properly parsed when the password contained the special separator character ':'.

Author: claudiamurialdo

dotnet/src/dotnetcore/GxClasses/Helpers/BasicAuthentication.cs

@@ -1,11 +1,11 @@
-using System;
-using System.Collections.Generic;
+using System;
 using System.Text;
 
 namespace GxClasses.Helpers
 {
 	public class BasicAuthenticationHeaderValue
 	{
+		const char UserNamePasswordSeparator= ':';
 		public BasicAuthenticationHeaderValue(string authenticationHeaderValue)
 		{
 			if (!string.IsNullOrWhiteSpace(authenticationHeaderValue))
@@ -19,7 +19,7 @@ public BasicAuthenticationHeaderValue(string authenticationHeaderValue)
 		}
 
 		private readonly string _authenticationHeaderValue;
-		private string[] _splitDecodedCredentials;
+		private string _usernamePassword;
 
 		public bool IsValidBasicAuthenticationHeaderValue { get; private set; }
 		public string UserIdentifier { get; private set; }
@@ -32,11 +32,11 @@ private bool TryDecodeHeaderValue()
 			{
 				return false;
 			}
-			var encodedCredentials = _authenticationHeaderValue.Substring(headerSchemeLength);
+			string encodedCredentials = _authenticationHeaderValue.Substring(headerSchemeLength);
 			try
 			{
-				var decodedCredentials = Convert.FromBase64String(encodedCredentials);
-				_splitDecodedCredentials = System.Text.Encoding.ASCII.GetString(decodedCredentials).Split(':');
+				byte[] decodedCredentials = Convert.FromBase64String(encodedCredentials);
+				_usernamePassword = Encoding.ASCII.GetString(decodedCredentials);
 				return true;
 			}
 			catch (FormatException)
@@ -47,13 +47,19 @@ private bool TryDecodeHeaderValue()
 
 		private void ReadAuthenticationHeaderValue()
 		{
-			IsValidBasicAuthenticationHeaderValue = _splitDecodedCredentials!= null && _splitDecodedCredentials.Length == 2
-												   && !string.IsNullOrWhiteSpace(_splitDecodedCredentials[0])
-												   && !string.IsNullOrWhiteSpace(_splitDecodedCredentials[1]);
+			IsValidBasicAuthenticationHeaderValue = !string.IsNullOrEmpty(_usernamePassword) && _usernamePassword.Contains(UserNamePasswordSeparator);
 			if (IsValidBasicAuthenticationHeaderValue)
 			{
-				UserIdentifier = _splitDecodedCredentials[0];
-				UserPassword = _splitDecodedCredentials[1];
+				int separatorIndex = _usernamePassword.IndexOf(UserNamePasswordSeparator);
+				UserIdentifier = _usernamePassword.Substring(0, separatorIndex);
+				if (separatorIndex + 1 < _usernamePassword.Length)
+				{
+					UserPassword = _usernamePassword.Substring(separatorIndex + 1);
+				}
+				else
+				{
+					UserPassword = string.Empty;
+				}
 			}
 		}
 	}

dotnet/test/DotNetCoreWebUnitTest/Middleware/HeadersTest.cs

@@ -3,6 +3,7 @@
 using System.Reflection;
 using System.Threading.Tasks;
 using GeneXus.Metadata;
+using GeneXus.Utils;
 using Xunit;
 namespace xUnitTesting
 {
@@ -25,14 +26,18 @@ public async Task TestForwardedHeaders()
 			const string host = "192.168.1.100";
 			const string scheme = "https";
 			const string remoteUrl = $"{scheme}:\\/\\/{host}";
+			const string passwordWithSpecialCharacters = "mypasswordwithspecialcharacters:!*";
+			const string userId = "myuser";
 			HttpClient client = server.CreateClient();
 			client.DefaultRequestHeaders.Add("X-Forwarded-For", host);
 			client.DefaultRequestHeaders.Add("X-Forwarded-Proto", scheme);
+			client.DefaultRequestHeaders.Add("Authorization", $"Basic {StringUtil.ToBase64(userId+ ":" + passwordWithSpecialCharacters)}");
 
 			HttpResponseMessage response = await client.GetAsync("/rest/apps/httpheaders");
 			response.EnsureSuccessStatusCode();
 			string resp = await response.Content.ReadAsStringAsync();
-			Assert.Contains(remoteUrl, resp, System.StringComparison.OrdinalIgnoreCase);
+			Assert.Contains(remoteUrl, resp, StringComparison.OrdinalIgnoreCase);
+			Assert.Contains(userId, resp, StringComparison.OrdinalIgnoreCase);
 			Assert.Equal(System.Net.HttpStatusCode.OK, response.StatusCode);
 		}
 

dotnet/test/DotNetCoreWebUnitTest/apps/httpheaders.cs

@@ -1,6 +1,9 @@
+using System;
 using GeneXus.Application;
 using GeneXus.Data.NTier;
+using GeneXus.Data.NTier.ADO;
 using GeneXus.Procedure;
+using GeneXus.Utils;
 
 namespace GeneXus.Programs.apps
 {
@@ -30,7 +33,7 @@ public void execute(out string result)
 		void executePrivate(out string result)
 		{
 			result = (context.GetHttpSecure() == 1 ? "https://" : "http://") + context.GetRemoteAddress();
-
+			result += StringUtil.NewLine() + GXUtil.UserId(string.Empty, context, pr_default);
 			cleanup();
 		}
 
@@ -51,7 +54,37 @@ protected void CloseOpenCursors()
 
 		public override void initialize()
 		{
+			pr_default = new DataStoreProvider(context, new httpheaders__default(),
+			new Object[][] {
+			}
+		 );
 		}
+		private IDataStoreProvider pr_default;
 	}
+	public class httpheaders__default : DataStoreHelperBase, IDataStoreHelper
+	{
+		public ICursor[] getCursors()
+		{
+			cursorDefinitions();
+			return new Cursor[] {
+	   };
+		}
+
+		private static CursorDef[] def;
+		private void cursorDefinitions()
+		{
+			if (def == null)
+			{
+				def = new CursorDef[] {
+		  };
+			}
+		}
 
+		public void getResults(int cursor,
+								IFieldGetter rslt,
+								Object[] buf)
+		{
+		}
+
+	}
 }