feat(Sanitization middleware): add sanetization middleware (#20)

* add sanetization middleware * complete sanetizing middleware
Star-Academy · Aug 19, 2024 · eefa3c9 · eefa3c9
1 parent 51fc234
commit eefa3c9
Show file tree

Hide file tree

Showing 3 changed files with 85 additions and 1 deletion.
diff --git a/RelationshipAnalysis/Middlewares/SanitizationMiddleware.cs b/RelationshipAnalysis/Middlewares/SanitizationMiddleware.cs
@@ -0,0 +1,82 @@
+using System.Text;
+using Ganss.Xss;
+using Microsoft.AspNetCore.Mvc.Controllers;
+using Newtonsoft.Json;
+
+namespace RelationshipAnalysis.Middlewares;
+public class SanitizationMiddleware
+{
+    private readonly RequestDelegate _next;
+    private readonly HtmlSanitizer _sanitizer;
+
+    public SanitizationMiddleware(RequestDelegate next)
+    {
+        _next = next;
+        _sanitizer = new HtmlSanitizer();
+    }
+
+    public async Task InvokeAsync(HttpContext context)
+    {
+        if (context.Request.ContentType != null && context.Request.ContentType.Contains("application/json"))
+        {
+            context.Request.EnableBuffering(); 
+            var body = await new StreamReader(context.Request.Body).ReadToEndAsync();
+            context.Request.Body.Position = 0; 
+
+            var type = GetRequestDtoType(context);
+            if (type != null)
+            {
+                object sanitizedDto;
+                if (type == typeof(List<string>))
+                {
+                    var dto = JsonConvert.DeserializeObject<IEnumerable<string>>(body);
+                    sanitizedDto = SanitizeEnumerable(dto);
+                }
+                else
+                {
+                    var dto = JsonConvert.DeserializeObject(body, type);
+                    sanitizedDto = SanitizeDto(dto);
+                }
+
+                var sanitizedBody = JsonConvert.SerializeObject(sanitizedDto);
+                var buffer = Encoding.UTF8.GetBytes(sanitizedBody);
+                context.Request.Body = new MemoryStream(buffer);
+            }
+        }
+
+        await _next(context);
+    }
+
+    private Type GetRequestDtoType(HttpContext context)
+    {
+        var endpoint = context.GetEndpoint();
+        var actionDescriptor = endpoint?.Metadata.GetMetadata<ControllerActionDescriptor>();
+        if (actionDescriptor != null)
+        {
+            var parameters = actionDescriptor.Parameters;
+            var dtoParameter = parameters.FirstOrDefault(p => p.ParameterType.IsClass && p.ParameterType != typeof(string));
+            return dtoParameter?.ParameterType;
+        }
+        return null;
+    }
+
+    private IEnumerable<string> SanitizeEnumerable(IEnumerable<string> dto)
+    {
+        return dto.Select(str => _sanitizer.Sanitize(str));
+    }
+    private object SanitizeDto(object dto)
+    {
+        var properties = dto.GetType().GetProperties().Where(p => p.PropertyType == typeof(string) && p.CanWrite && p.CanRead);
+
+        foreach (var property in properties)
+        {
+            var value = (string)property.GetValue(dto);
+            if (value != null)
+            {
+                property.SetValue(dto, _sanitizer.Sanitize(value));
+            }
+        }
+
+        return dto;
+    }
+}
diff --git a/RelationshipAnalysis/Program.cs b/RelationshipAnalysis/Program.cs
@@ -4,6 +4,7 @@
 using DotNetEnv;
 using Microsoft.EntityFrameworkCore;
 using RelationshipAnalysis.Context;
+using RelationshipAnalysis.Middlewares;
 using RelationshipAnalysis.Services;
 using RelationshipAnalysis.Services.AccessServices;
 using RelationshipAnalysis.Services.AccessServices.Abstraction;
@@ -91,7 +92,7 @@
 app.MapControllers();
 app.UseCors(x => x.AllowCredentials().AllowAnyHeader().AllowAnyMethod()
     .SetIsOriginAllowed(x => true));
-
+app.UseMiddleware<SanitizationMiddleware>();
 app.Run();
 
 public partial class Program

diff --git a/RelationshipAnalysis/RelationshipAnalysis.csproj b/RelationshipAnalysis/RelationshipAnalysis.csproj
@@ -9,6 +9,7 @@
     <ItemGroup>
         <PackageReference Include="AutoMapper" Version="13.0.1" />
         <PackageReference Include="DotNetEnv" Version="3.1.0" />
+        <PackageReference Include="HtmlSanitizer" Version="8.1.870" />
         <PackageReference Include="InMemoryDatabase" Version="1.0.0" />
         <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.7" />
         <PackageReference Include="Microsoft.AspNetCore.Identity" Version="2.2.0" />