Merge pull request #1051 from microsoft/fix/allowed-hosts-validator

Validate allowed hosts for http and https prefixes

CHANGELOG.md

@@ -4,13 +4,19 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
 ## [Unreleased]
 
 ### Added
 
 ### Changed
 
+## [0.12.2] - 2024-02-01
+
+### Changed
+
 - Removed methods using reflection from `KiotaSerialization`
+- Improve `AllowedHostsValidator` to throw an error if `https://` or `http://` prefix is present in a allowed host value.
 
 ## [0.12.1] - 2024-01-10
 

components/abstractions/spotBugsExcludeFilter.xml

@@ -17,7 +17,10 @@ xsi:schemaLocation="https://github.com/spotbugs/filter/3.0.0 https://raw.githubu
     </Match>
     <Match>
         <Bug pattern="CT_CONSTRUCTOR_THROW" />
-        <Class name="com.microsoft.kiota.authentication.ApiKeyAuthenticationProvider" />
+        <Or>
+            <Class name="com.microsoft.kiota.authentication.ApiKeyAuthenticationProvider" />
+            <Class name="com.microsoft.kiota.authentication.AllowedHostsValidator" />
+        </Or>
     </Match>
     <Match>
         <Bug code="PI" />
@@ -47,4 +50,4 @@ xsi:schemaLocation="https://github.com/spotbugs/filter/3.0.0 https://raw.githubu
 		<Bug pattern="EI_EXPOSE_REP" />
 		<Class name="com.microsoft.kiota.serialization.mocks.TestEntity" />
 	</Match>
-</FindBugsFilter>
+</FindBugsFilter>

components/abstractions/src/main/java/com/microsoft/kiota/authentication/AllowedHostsValidator.java

@@ -39,9 +39,15 @@ public AllowedHostsValidator(@Nonnull final String... allowedHosts) {
     public void setAllowedHosts(@Nonnull final Set<String> allowedHosts) {
         validHosts = new HashSet<String>();
         if (allowedHosts != null) {
-            for (final String host : allowedHosts) {
-                if (host != null && !host.isEmpty())
-                    validHosts.add(host.trim().toLowerCase(Locale.ROOT));
+            for (String host : allowedHosts) {
+                if (host != null && !host.isEmpty()) {
+                    host = host.trim().toLowerCase(Locale.ROOT);
+                    if (host.startsWith("http://") || host.startsWith("https://")) {
+                        throw new IllegalArgumentException(
+                                "host should not contain http or https prefix");
+                    }
+                    validHosts.add(host);
+                }
             }
         }
     }

components/abstractions/src/test/java/com/microsoft/kiota/authentication/AllowedHostValidatorTest.java

@@ -0,0 +1,37 @@
+package com.microsoft.kiota.authentication;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+import org.junit.jupiter.api.Test;
+
+import java.net.URI;
+import java.net.URISyntaxException;
+
+class AllowedHostValidatorTest {
+
+    @Test
+    void throwsExceptionForHttpOrHttpsHosts() {
+        assertThrows(
+                IllegalArgumentException.class,
+                () ->
+                        new AllowedHostsValidator(
+                                "graph.microsoft.com", "https://graph.microsoft.com"));
+        assertThrows(
+                IllegalArgumentException.class,
+                () ->
+                        new AllowedHostsValidator(
+                                "http://graph.microsoft.com", "graph.microsoft.com"));
+    }
+
+    @Test
+    void initialisesAllowedHostsSuccessfully() throws URISyntaxException {
+        final AllowedHostsValidator validator =
+                new AllowedHostsValidator(
+                        "graph.microsoft.com", "graph.MICROSOFT.US ", "canary.graph.microsoft.com");
+        assertEquals(3, validator.getAllowedHosts().size());
+        assertTrue(validator.getAllowedHosts().contains("graph.microsoft.us"));
+        assertTrue(validator.isUrlHostValid(new URI("https://graph.microsoft.com/v1/me")));
+    }
+}

gradle.properties

@@ -26,7 +26,7 @@ org.gradle.caching=true
 mavenGroupId         = com.microsoft.kiota
 mavenMajorVersion = 0
 mavenMinorVersion = 12
-mavenPatchVersion = 1
+mavenPatchVersion = 2
 mavenArtifactSuffix = 
 
 #These values are used to run functional tests