src/Umbraco.Core/HealthCheck/Checks/Security/BaseHttpHeaderCheck.cs

using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Net;
using System.Text.RegularExpressions;
using System.Xml.Linq;
using System.Xml.XPath;
using Umbraco.Core;
using Umbraco.Core.IO;
using Umbraco.Core.Services;

namespace Umbraco.Web.HealthCheck.Checks.Security
{
    public abstract class BaseHttpHeaderCheck : HealthCheck
    {
        protected ILocalizedTextService TextService { get; }

        private const string SetHeaderInConfigAction = "setHeaderInConfig";

        private readonly string _header;
        private readonly string _value;
        private readonly string _localizedTextPrefix;
        private readonly bool _metaTagOptionAvailable;
        private readonly IRequestAccessor _requestAccessor;
        private readonly IIOHelper _ioHelper;

        protected BaseHttpHeaderCheck(
            IRequestAccessor requestAccessor,
            ILocalizedTextService textService,
            string header, string value, string localizedTextPrefix, bool metaTagOptionAvailable, IIOHelper ioHelper)
        {
            TextService = textService ?? throw new ArgumentNullException(nameof(textService));
            _requestAccessor = requestAccessor;
            _ioHelper = ioHelper;
            _header = header;
            _value = value;
            _localizedTextPrefix = localizedTextPrefix;
            _metaTagOptionAvailable = metaTagOptionAvailable;

        }

        /// <summary>
        /// Get the status for this health check
        /// </summary>
        /// <returns></returns>
        public override IEnumerable<HealthCheckStatus> GetStatus()
        {
            //return the statuses
            return new[] { CheckForHeader() };
        }

        /// <summary>
        /// Executes the action and returns it's status
        /// </summary>
        /// <param name="action"></param>
        /// <returns></returns>
        public override HealthCheckStatus ExecuteAction(HealthCheckAction action)
        {
            switch (action.Alias)
            {
                case SetHeaderInConfigAction:
                    return SetHeaderInConfig();
                default:
                    throw new InvalidOperationException("HTTP Header action requested is either not executable or does not exist");
            }
        }

        protected HealthCheckStatus CheckForHeader()
        {
            var message = string.Empty;
            var success = false;

            // Access the site home page and check for the click-jack protection header or meta tag
            var url =  _requestAccessor.GetApplicationUrl();
            var request = WebRequest.Create(url);
            request.Method = "GET";
            try
            {
                var response = request.GetResponse();

                // Check first for header
                success = HasMatchingHeader(response.Headers.AllKeys);

                // If not found, and available, check for meta-tag
                if (success == false && _metaTagOptionAvailable)
                {
                    success = DoMetaTagsContainKeyForHeader(response);
                }

                message = success
                    ? TextService.Localize($"healthcheck/{_localizedTextPrefix}CheckHeaderFound")
                    : TextService.Localize($"healthcheck/{_localizedTextPrefix}CheckHeaderNotFound");
            }
            catch (Exception ex)
            {
                message = TextService.Localize("healthcheck/healthCheckInvalidUrl", new[] { url.ToString(), ex.Message });
            }

            var actions = new List<HealthCheckAction>();
            if (success == false)
            {
                actions.Add(new HealthCheckAction(SetHeaderInConfigAction, Id)
                {
                    Name = TextService.Localize("healthcheck/setHeaderInConfig"),
                    Description = TextService.Localize($"healthcheck/{_localizedTextPrefix}SetHeaderInConfigDescription")
                });
            }

            return
                new HealthCheckStatus(message)
                {
                    ResultType = success ? StatusResultType.Success : StatusResultType.Error,
                    Actions = actions
                };
        }

        private bool HasMatchingHeader(IEnumerable<string> headerKeys)
        {
            return headerKeys.Contains(_header, StringComparer.InvariantCultureIgnoreCase);
        }

        private bool DoMetaTagsContainKeyForHeader(WebResponse response)
        {
            using (var stream = response.GetResponseStream())
            {
                if (stream == null) return false;
                using (var reader = new StreamReader(stream))
                {
                    var html = reader.ReadToEnd();
                    var metaTags = ParseMetaTags(html);
                    return HasMatchingHeader(metaTags.Keys);
                }
            }
        }

        private static Dictionary<string, string> ParseMetaTags(string html)
        {
            var regex = new Regex("<meta http-equiv=\"(.+?)\" content=\"(.+?)\"", RegexOptions.IgnoreCase);

            return regex.Matches(html)
                .Cast<Match>()
                .ToDictionary(m => m.Groups[1].Value, m => m.Groups[2].Value);
        }

        private HealthCheckStatus SetHeaderInConfig()
        {
            var errorMessage = string.Empty;
            var success = SaveHeaderToConfigFile(out errorMessage);

            if (success)
            {
                return
                    new HealthCheckStatus(TextService.Localize(string.Format("healthcheck/{0}SetHeaderInConfigSuccess", _localizedTextPrefix)))
                    {
                        ResultType = StatusResultType.Success
                    };
            }

            return
                new HealthCheckStatus(TextService.Localize("healthcheck/setHeaderInConfigError", new [] { errorMessage }))
                {
                    ResultType = StatusResultType.Error
                };
        }

        private bool SaveHeaderToConfigFile(out string errorMessage)
        {
            try
            {
                // There don't look to be any useful classes defined in https://msdn.microsoft.com/en-us/library/system.web.configuration(v=vs.110).aspx
                // for working with the customHeaders section, so working with the XML directly.
                var configFile = _ioHelper.MapPath("~/Web.config");
                var doc = XDocument.Load(configFile);
                var systemWebServerElement = doc.XPathSelectElement("/configuration/system.webServer");
                var httpProtocolElement = systemWebServerElement.Element("httpProtocol");
                if (httpProtocolElement == null)
                {
                    httpProtocolElement = new XElement("httpProtocol");
                    systemWebServerElement.Add(httpProtocolElement);
                }

                var customHeadersElement = httpProtocolElement.Element("customHeaders");
                if (customHeadersElement == null)
                {
                    customHeadersElement = new XElement("customHeaders");
                    httpProtocolElement.Add(customHeadersElement);
                }

                var removeHeaderElement = customHeadersElement.Elements("remove")
                    .SingleOrDefault(x => x.Attribute("name")?.Value.Equals(_value, StringComparison.InvariantCultureIgnoreCase) == true);
                if (removeHeaderElement == null)
                {
                    customHeadersElement.Add(
                        new XElement("remove",
                            new XAttribute("name", _header)));
                }

                var addHeaderElement = customHeadersElement.Elements("add")
                    .SingleOrDefault(x => x.Attribute("name")?.Value.Equals(_header, StringComparison.InvariantCultureIgnoreCase) == true);
                if (addHeaderElement == null)
                {
                    customHeadersElement.Add(
                        new XElement("add",
                            new XAttribute("name", _header),
                            new XAttribute("value", _value)));
                }

                doc.Save(configFile);

                errorMessage = string.Empty;
                return true;
            }
            catch (Exception ex)
            {
                errorMessage = ex.Message;
                return false;
            }
        }
    }
}
-												Added check for X-Content-Type-Options and refactored existing HTTP header check to use common base class.

											
										
										
											2017-06-04 14:34:37 +02:00
+								using System;
 								using System.Collections.Generic;
 								using System.IO;
 								using System.Linq;
 								using System.Net;
 								using System.Text.RegularExpressions;
 								using System.Xml.Linq;
 								using System.Xml.XPath;
-												Merge remote-tracking branch 'origin/dev-v7' into dev-v8

# Conflicts:
#	src/SolutionInfo.cs
#	src/Umbraco.Core/Configuration/UmbracoVersion.cs
#	src/Umbraco.Core/Persistence/Migrations/MigrationRunner.cs
#	src/Umbraco.Core/Persistence/PetaPoco.cs
#	src/Umbraco.Core/Scoping/NoScope.cs
#	src/Umbraco.Core/Scoping/ScopeProvider.cs
#	src/Umbraco.Core/Services/ContentService.cs
#	src/Umbraco.Core/Services/IContentService.cs
#	src/Umbraco.Tests/Persistence/Migrations/MigrationStartupHandlerTests.cs
#	src/Umbraco.Tests/UI/LegacyDialogTests.cs
#	src/Umbraco.Web.UI.Client/src/common/directives/components/content/edit.controller.js
#	src/Umbraco.Web.UI.Client/src/views/propertyeditors/contentpicker/contentpicker.controller.js
#	src/Umbraco.Web.UI/umbraco/config/create/UI.xml
#	src/Umbraco.Web.UI/umbraco/config/lang/zh.xml
#	src/Umbraco.Web/BatchedDatabaseServerMessenger.cs
#	src/Umbraco.Web/Editors/ContentController.cs
#	src/Umbraco.Web/Editors/MediaTypeController.cs
#	src/Umbraco.Web/HealthCheck/Checks/Security/ClickJackingCheck.cs
#	src/Umbraco.Web/HealthCheck/Checks/Security/ExcessiveHeadersCheck.cs
#	src/Umbraco.Web/Models/Mapping/ContentModelMapper.cs
#	src/Umbraco.Web/Models/Mapping/ContentPropertyBasicConverter.cs
#	src/Umbraco.Web/Models/Mapping/ContentPropertyDisplayConverter.cs
#	src/Umbraco.Web/Models/Mapping/ContentPropertyDtoConverter.cs
#	src/Umbraco.Web/Models/Mapping/ContentPropertyModelMapper.cs
#	src/Umbraco.Web/PropertyEditors/NestedContentPropertyEditor.cs
#	src/Umbraco.Web/PropertyEditors/ParameterEditors/MultipleContentPickerParameterEditor.cs
#	src/Umbraco.Web/Trees/ContentTreeControllerBase.cs
#	src/Umbraco.Web/umbraco.presentation/umbraco/create/MemberGroupTasks.cs

											
										
										
											2018-04-19 23:41:35 +10:00
+								using Umbraco.Core;
-												Moving Security HealthChecks to Abstractions proj

											
										
										
											2020-01-27 16:38:02 +01:00
+								using Umbraco.Core.IO;
-												Added check for X-Content-Type-Options and refactored existing HTTP header check to use common base class.

											
										
										
											2017-06-04 14:34:37 +02:00
+								using Umbraco.Core.Services;
 								namespace Umbraco.Web.HealthCheck.Checks.Security
 								{
 								    public abstract class BaseHttpHeaderCheck : HealthCheck
 								    {
-												Merge remote-tracking branch 'origin/dev-v7' into dev-v8

# Conflicts:
#	src/SolutionInfo.cs
#	src/Umbraco.Core/Configuration/UmbracoVersion.cs
#	src/Umbraco.Core/Persistence/Migrations/MigrationRunner.cs
#	src/Umbraco.Core/Persistence/PetaPoco.cs
#	src/Umbraco.Core/Scoping/NoScope.cs
#	src/Umbraco.Core/Scoping/ScopeProvider.cs
#	src/Umbraco.Core/Services/ContentService.cs
#	src/Umbraco.Core/Services/IContentService.cs
#	src/Umbraco.Tests/Persistence/Migrations/MigrationStartupHandlerTests.cs
#	src/Umbraco.Tests/UI/LegacyDialogTests.cs
#	src/Umbraco.Web.UI.Client/src/common/directives/components/content/edit.controller.js
#	src/Umbraco.Web.UI.Client/src/views/propertyeditors/contentpicker/contentpicker.controller.js
#	src/Umbraco.Web.UI/umbraco/config/create/UI.xml
#	src/Umbraco.Web.UI/umbraco/config/lang/zh.xml
#	src/Umbraco.Web/BatchedDatabaseServerMessenger.cs
#	src/Umbraco.Web/Editors/ContentController.cs
#	src/Umbraco.Web/Editors/MediaTypeController.cs
#	src/Umbraco.Web/HealthCheck/Checks/Security/ClickJackingCheck.cs
#	src/Umbraco.Web/HealthCheck/Checks/Security/ExcessiveHeadersCheck.cs
#	src/Umbraco.Web/Models/Mapping/ContentModelMapper.cs
#	src/Umbraco.Web/Models/Mapping/ContentPropertyBasicConverter.cs
#	src/Umbraco.Web/Models/Mapping/ContentPropertyDisplayConverter.cs
#	src/Umbraco.Web/Models/Mapping/ContentPropertyDtoConverter.cs
#	src/Umbraco.Web/Models/Mapping/ContentPropertyModelMapper.cs
#	src/Umbraco.Web/PropertyEditors/NestedContentPropertyEditor.cs
#	src/Umbraco.Web/PropertyEditors/ParameterEditors/MultipleContentPickerParameterEditor.cs
#	src/Umbraco.Web/Trees/ContentTreeControllerBase.cs
#	src/Umbraco.Web/umbraco.presentation/umbraco/create/MemberGroupTasks.cs

											
										
										
											2018-04-19 23:41:35 +10:00
+								        protected ILocalizedTextService TextService { get; }
-												Added check for X-Content-Type-Options and refactored existing HTTP header check to use common base class.

											
										
										
											2017-06-04 14:34:37 +02:00
 								        private const string SetHeaderInConfigAction = "setHeaderInConfig";
 								        private readonly string _header;
 								        private readonly string _value;
 								        private readonly string _localizedTextPrefix;
 								        private readonly bool _metaTagOptionAvailable;
-												AB#6233 - Handle ApplicationUrl

											
										
										
											2020-05-07 09:34:16 +02:00
+								        private readonly IRequestAccessor _requestAccessor;
-												Moving Security HealthChecks to Abstractions proj

											
										
										
											2020-01-27 16:38:02 +01:00
+								        private readonly IIOHelper _ioHelper;
-												Added check for X-Content-Type-Options and refactored existing HTTP header check to use common base class.

											
										
										
											2017-06-04 14:34:37 +02:00
-												Merge remote-tracking branch 'origin/dev-v7' into dev-v8

# Conflicts:
#	src/SolutionInfo.cs
#	src/Umbraco.Core/Configuration/UmbracoVersion.cs
#	src/Umbraco.Core/Persistence/Migrations/MigrationRunner.cs
#	src/Umbraco.Core/Persistence/PetaPoco.cs
#	src/Umbraco.Core/Scoping/NoScope.cs
#	src/Umbraco.Core/Scoping/ScopeProvider.cs
#	src/Umbraco.Core/Services/ContentService.cs
#	src/Umbraco.Core/Services/IContentService.cs
#	src/Umbraco.Tests/Persistence/Migrations/MigrationStartupHandlerTests.cs
#	src/Umbraco.Tests/UI/LegacyDialogTests.cs
#	src/Umbraco.Web.UI.Client/src/common/directives/components/content/edit.controller.js
#	src/Umbraco.Web.UI.Client/src/views/propertyeditors/contentpicker/contentpicker.controller.js
#	src/Umbraco.Web.UI/umbraco/config/create/UI.xml
#	src/Umbraco.Web.UI/umbraco/config/lang/zh.xml
#	src/Umbraco.Web/BatchedDatabaseServerMessenger.cs
#	src/Umbraco.Web/Editors/ContentController.cs
#	src/Umbraco.Web/Editors/MediaTypeController.cs
#	src/Umbraco.Web/HealthCheck/Checks/Security/ClickJackingCheck.cs
#	src/Umbraco.Web/HealthCheck/Checks/Security/ExcessiveHeadersCheck.cs
#	src/Umbraco.Web/Models/Mapping/ContentModelMapper.cs
#	src/Umbraco.Web/Models/Mapping/ContentPropertyBasicConverter.cs
#	src/Umbraco.Web/Models/Mapping/ContentPropertyDisplayConverter.cs
#	src/Umbraco.Web/Models/Mapping/ContentPropertyDtoConverter.cs
#	src/Umbraco.Web/Models/Mapping/ContentPropertyModelMapper.cs
#	src/Umbraco.Web/PropertyEditors/NestedContentPropertyEditor.cs
#	src/Umbraco.Web/PropertyEditors/ParameterEditors/MultipleContentPickerParameterEditor.cs
#	src/Umbraco.Web/Trees/ContentTreeControllerBase.cs
#	src/Umbraco.Web/umbraco.presentation/umbraco/create/MemberGroupTasks.cs

											
										
										
											2018-04-19 23:41:35 +10:00
+								        protected BaseHttpHeaderCheck(
-												AB#6233 - Handle ApplicationUrl

											
										
										
											2020-05-07 09:34:16 +02:00
+								            IRequestAccessor requestAccessor,
-												Merge remote-tracking branch 'origin/dev-v7' into dev-v8

# Conflicts:
#	src/SolutionInfo.cs
#	src/Umbraco.Core/Configuration/UmbracoVersion.cs
#	src/Umbraco.Core/Persistence/Migrations/MigrationRunner.cs
#	src/Umbraco.Core/Persistence/PetaPoco.cs
#	src/Umbraco.Core/Scoping/NoScope.cs
#	src/Umbraco.Core/Scoping/ScopeProvider.cs
#	src/Umbraco.Core/Services/ContentService.cs
#	src/Umbraco.Core/Services/IContentService.cs
#	src/Umbraco.Tests/Persistence/Migrations/MigrationStartupHandlerTests.cs
#	src/Umbraco.Tests/UI/LegacyDialogTests.cs
#	src/Umbraco.Web.UI.Client/src/common/directives/components/content/edit.controller.js
#	src/Umbraco.Web.UI.Client/src/views/propertyeditors/contentpicker/contentpicker.controller.js
#	src/Umbraco.Web.UI/umbraco/config/create/UI.xml
#	src/Umbraco.Web.UI/umbraco/config/lang/zh.xml
#	src/Umbraco.Web/BatchedDatabaseServerMessenger.cs
#	src/Umbraco.Web/Editors/ContentController.cs
#	src/Umbraco.Web/Editors/MediaTypeController.cs
#	src/Umbraco.Web/HealthCheck/Checks/Security/ClickJackingCheck.cs
#	src/Umbraco.Web/HealthCheck/Checks/Security/ExcessiveHeadersCheck.cs
#	src/Umbraco.Web/Models/Mapping/ContentModelMapper.cs
#	src/Umbraco.Web/Models/Mapping/ContentPropertyBasicConverter.cs
#	src/Umbraco.Web/Models/Mapping/ContentPropertyDisplayConverter.cs
#	src/Umbraco.Web/Models/Mapping/ContentPropertyDtoConverter.cs
#	src/Umbraco.Web/Models/Mapping/ContentPropertyModelMapper.cs
#	src/Umbraco.Web/PropertyEditors/NestedContentPropertyEditor.cs
#	src/Umbraco.Web/PropertyEditors/ParameterEditors/MultipleContentPickerParameterEditor.cs
#	src/Umbraco.Web/Trees/ContentTreeControllerBase.cs
#	src/Umbraco.Web/umbraco.presentation/umbraco/create/MemberGroupTasks.cs

											
										
										
											2018-04-19 23:41:35 +10:00
+								            ILocalizedTextService textService,
-												Moving Security HealthChecks to Abstractions proj

											
										
										
											2020-01-27 16:38:02 +01:00
+								            string header, string value, string localizedTextPrefix, bool metaTagOptionAvailable, IIOHelper ioHelper)
-												Added check for X-Content-Type-Options and refactored existing HTTP header check to use common base class.

											
										
										
											2017-06-04 14:34:37 +02:00
+								        {
-												Merge remote-tracking branch 'origin/dev-v7' into dev-v8

# Conflicts:
#	src/SolutionInfo.cs
#	src/Umbraco.Core/Configuration/UmbracoVersion.cs
#	src/Umbraco.Core/Persistence/Migrations/MigrationRunner.cs
#	src/Umbraco.Core/Persistence/PetaPoco.cs
#	src/Umbraco.Core/Scoping/NoScope.cs
#	src/Umbraco.Core/Scoping/ScopeProvider.cs
#	src/Umbraco.Core/Services/ContentService.cs
#	src/Umbraco.Core/Services/IContentService.cs
#	src/Umbraco.Tests/Persistence/Migrations/MigrationStartupHandlerTests.cs
#	src/Umbraco.Tests/UI/LegacyDialogTests.cs
#	src/Umbraco.Web.UI.Client/src/common/directives/components/content/edit.controller.js
#	src/Umbraco.Web.UI.Client/src/views/propertyeditors/contentpicker/contentpicker.controller.js
#	src/Umbraco.Web.UI/umbraco/config/create/UI.xml
#	src/Umbraco.Web.UI/umbraco/config/lang/zh.xml
#	src/Umbraco.Web/BatchedDatabaseServerMessenger.cs
#	src/Umbraco.Web/Editors/ContentController.cs
#	src/Umbraco.Web/Editors/MediaTypeController.cs
#	src/Umbraco.Web/HealthCheck/Checks/Security/ClickJackingCheck.cs
#	src/Umbraco.Web/HealthCheck/Checks/Security/ExcessiveHeadersCheck.cs
#	src/Umbraco.Web/Models/Mapping/ContentModelMapper.cs
#	src/Umbraco.Web/Models/Mapping/ContentPropertyBasicConverter.cs
#	src/Umbraco.Web/Models/Mapping/ContentPropertyDisplayConverter.cs
#	src/Umbraco.Web/Models/Mapping/ContentPropertyDtoConverter.cs
#	src/Umbraco.Web/Models/Mapping/ContentPropertyModelMapper.cs
#	src/Umbraco.Web/PropertyEditors/NestedContentPropertyEditor.cs
#	src/Umbraco.Web/PropertyEditors/ParameterEditors/MultipleContentPickerParameterEditor.cs
#	src/Umbraco.Web/Trees/ContentTreeControllerBase.cs
#	src/Umbraco.Web/umbraco.presentation/umbraco/create/MemberGroupTasks.cs

											
										
										
											2018-04-19 23:41:35 +10:00
+								            TextService = textService ?? throw new ArgumentNullException(nameof(textService));
-												AB#6233 - Handle ApplicationUrl

											
										
										
											2020-05-07 09:34:16 +02:00
+								            _requestAccessor = requestAccessor;
-												Moving Security HealthChecks to Abstractions proj

											
										
										
											2020-01-27 16:38:02 +01:00
+								            _ioHelper = ioHelper;
-												Added check for X-Content-Type-Options and refactored existing HTTP header check to use common base class.

											
										
										
											2017-06-04 14:34:37 +02:00
+								            _header = header;
 								            _value = value;
 								            _localizedTextPrefix = localizedTextPrefix;
 								            _metaTagOptionAvailable = metaTagOptionAvailable;
-												Moving Security HealthChecks to Abstractions proj

											
										
										
											2020-01-27 16:38:02 +01:00
-												Added check for X-Content-Type-Options and refactored existing HTTP header check to use common base class.

											
										
										
											2017-06-04 14:34:37 +02:00
+								        }
 								        /// <summary>
 								        /// Get the status for this health check
 								        /// </summary>
 								        /// <returns></returns>
 								        public override IEnumerable<HealthCheckStatus> GetStatus()
 								        {
 								            //return the statuses
 								            return new[] { CheckForHeader() };
 								        }
 								        /// <summary>
 								        /// Executes the action and returns it's status
 								        /// </summary>
 								        /// <param name="action"></param>
 								        /// <returns></returns>
 								        public override HealthCheckStatus ExecuteAction(HealthCheckAction action)
 								        {
 								            switch (action.Alias)
 								            {
 								                case SetHeaderInConfigAction:
 								                    return SetHeaderInConfig();
 								                default:
 								                    throw new InvalidOperationException("HTTP Header action requested is either not executable or does not exist");
 								            }
 								        }
 								        protected HealthCheckStatus CheckForHeader()
 								        {
 								            var message = string.Empty;
 								            var success = false;
 								            // Access the site home page and check for the click-jack protection header or meta tag
-												AB#6233 - Handle ApplicationUrl

											
										
										
											2020-05-07 09:34:16 +02:00
+								            var url =  _requestAccessor.GetApplicationUrl();
-												Merge branch 'u4-9983' of https://github.com/AndyButland/Umbraco-CMS into AndyButland-u4-9983

# Conflicts:
#	src/Umbraco.Web.UI/umbraco/config/lang/en.xml
#	src/Umbraco.Web.UI/umbraco/config/lang/en_us.xml
#	src/Umbraco.Web.UI/umbraco/config/lang/zh.xml
#	src/Umbraco.Web/HealthCheck/Checks/Security/ClickJackingCheck.cs
#	src/Umbraco.Web/HealthCheck/Checks/Security/ExcessiveHeadersCheck.cs
#	src/Umbraco.Web/HealthCheck/Checks/Security/HttpsCheck.cs

											
										
										
											2018-04-12 17:59:11 +02:00
+								            var request = WebRequest.Create(url);
-												Added check for X-Content-Type-Options and refactored existing HTTP header check to use common base class.

											
										
										
											2017-06-04 14:34:37 +02:00
+								            request.Method = "GET";
 								            try
 								            {
 								                var response = request.GetResponse();
 								                // Check first for header
-												V8: Health check http header case sensitivity (#6753)


											
										
										
											2019-10-28 17:04:20 +00:00
+								                success = HasMatchingHeader(response.Headers.AllKeys);
-												Added check for X-Content-Type-Options and refactored existing HTTP header check to use common base class.

											
										
										
											2017-06-04 14:34:37 +02:00
 								                // If not found, and available, check for meta-tag
 								                if (success == false && _metaTagOptionAvailable)
 								                {
 								                    success = DoMetaTagsContainKeyForHeader(response);
 								                }
 								                message = success
-												Merge remote-tracking branch 'origin/dev-v7' into dev-v8

# Conflicts:
#	src/SolutionInfo.cs
#	src/Umbraco.Core/Configuration/UmbracoVersion.cs
#	src/Umbraco.Core/Persistence/Migrations/MigrationRunner.cs
#	src/Umbraco.Core/Persistence/PetaPoco.cs
#	src/Umbraco.Core/Scoping/NoScope.cs
#	src/Umbraco.Core/Scoping/ScopeProvider.cs
#	src/Umbraco.Core/Services/ContentService.cs
#	src/Umbraco.Core/Services/IContentService.cs
#	src/Umbraco.Tests/Persistence/Migrations/MigrationStartupHandlerTests.cs
#	src/Umbraco.Tests/UI/LegacyDialogTests.cs
#	src/Umbraco.Web.UI.Client/src/common/directives/components/content/edit.controller.js
#	src/Umbraco.Web.UI.Client/src/views/propertyeditors/contentpicker/contentpicker.controller.js
#	src/Umbraco.Web.UI/umbraco/config/create/UI.xml
#	src/Umbraco.Web.UI/umbraco/config/lang/zh.xml
#	src/Umbraco.Web/BatchedDatabaseServerMessenger.cs
#	src/Umbraco.Web/Editors/ContentController.cs
#	src/Umbraco.Web/Editors/MediaTypeController.cs
#	src/Umbraco.Web/HealthCheck/Checks/Security/ClickJackingCheck.cs
#	src/Umbraco.Web/HealthCheck/Checks/Security/ExcessiveHeadersCheck.cs
#	src/Umbraco.Web/Models/Mapping/ContentModelMapper.cs
#	src/Umbraco.Web/Models/Mapping/ContentPropertyBasicConverter.cs
#	src/Umbraco.Web/Models/Mapping/ContentPropertyDisplayConverter.cs
#	src/Umbraco.Web/Models/Mapping/ContentPropertyDtoConverter.cs
#	src/Umbraco.Web/Models/Mapping/ContentPropertyModelMapper.cs
#	src/Umbraco.Web/PropertyEditors/NestedContentPropertyEditor.cs
#	src/Umbraco.Web/PropertyEditors/ParameterEditors/MultipleContentPickerParameterEditor.cs
#	src/Umbraco.Web/Trees/ContentTreeControllerBase.cs
#	src/Umbraco.Web/umbraco.presentation/umbraco/create/MemberGroupTasks.cs

											
										
										
											2018-04-19 23:41:35 +10:00
+								                    ? TextService.Localize($"healthcheck/{_localizedTextPrefix}CheckHeaderFound")
 								                    : TextService.Localize($"healthcheck/{_localizedTextPrefix}CheckHeaderNotFound");
-												Added check for X-Content-Type-Options and refactored existing HTTP header check to use common base class.

											
										
										
											2017-06-04 14:34:37 +02:00
+								            }
 								            catch (Exception ex)
 								            {
-												Merge remote-tracking branch 'origin/dev-v7' into dev-v8

# Conflicts:
#	src/SolutionInfo.cs
#	src/Umbraco.Core/Configuration/UmbracoVersion.cs
#	src/Umbraco.Core/Persistence/Migrations/MigrationRunner.cs
#	src/Umbraco.Core/Persistence/PetaPoco.cs
#	src/Umbraco.Core/Scoping/NoScope.cs
#	src/Umbraco.Core/Scoping/ScopeProvider.cs
#	src/Umbraco.Core/Services/ContentService.cs
#	src/Umbraco.Core/Services/IContentService.cs
#	src/Umbraco.Tests/Persistence/Migrations/MigrationStartupHandlerTests.cs
#	src/Umbraco.Tests/UI/LegacyDialogTests.cs
#	src/Umbraco.Web.UI.Client/src/common/directives/components/content/edit.controller.js
#	src/Umbraco.Web.UI.Client/src/views/propertyeditors/contentpicker/contentpicker.controller.js
#	src/Umbraco.Web.UI/umbraco/config/create/UI.xml
#	src/Umbraco.Web.UI/umbraco/config/lang/zh.xml
#	src/Umbraco.Web/BatchedDatabaseServerMessenger.cs
#	src/Umbraco.Web/Editors/ContentController.cs
#	src/Umbraco.Web/Editors/MediaTypeController.cs
#	src/Umbraco.Web/HealthCheck/Checks/Security/ClickJackingCheck.cs
#	src/Umbraco.Web/HealthCheck/Checks/Security/ExcessiveHeadersCheck.cs
#	src/Umbraco.Web/Models/Mapping/ContentModelMapper.cs
#	src/Umbraco.Web/Models/Mapping/ContentPropertyBasicConverter.cs
#	src/Umbraco.Web/Models/Mapping/ContentPropertyDisplayConverter.cs
#	src/Umbraco.Web/Models/Mapping/ContentPropertyDtoConverter.cs
#	src/Umbraco.Web/Models/Mapping/ContentPropertyModelMapper.cs
#	src/Umbraco.Web/PropertyEditors/NestedContentPropertyEditor.cs
#	src/Umbraco.Web/PropertyEditors/ParameterEditors/MultipleContentPickerParameterEditor.cs
#	src/Umbraco.Web/Trees/ContentTreeControllerBase.cs
#	src/Umbraco.Web/umbraco.presentation/umbraco/create/MemberGroupTasks.cs

											
										
										
											2018-04-19 23:41:35 +10:00
+								                message = TextService.Localize("healthcheck/healthCheckInvalidUrl", new[] { url.ToString(), ex.Message });
-												Added check for X-Content-Type-Options and refactored existing HTTP header check to use common base class.

											
										
										
											2017-06-04 14:34:37 +02:00
+								            }
 								            var actions = new List<HealthCheckAction>();
 								            if (success == false)
 								            {
 								                actions.Add(new HealthCheckAction(SetHeaderInConfigAction, Id)
 								                {
-												Merge remote-tracking branch 'origin/dev-v7' into dev-v8

# Conflicts:
#	src/SolutionInfo.cs
#	src/Umbraco.Core/Configuration/UmbracoVersion.cs
#	src/Umbraco.Core/Persistence/Migrations/MigrationRunner.cs
#	src/Umbraco.Core/Persistence/PetaPoco.cs
#	src/Umbraco.Core/Scoping/NoScope.cs
#	src/Umbraco.Core/Scoping/ScopeProvider.cs
#	src/Umbraco.Core/Services/ContentService.cs
#	src/Umbraco.Core/Services/IContentService.cs
#	src/Umbraco.Tests/Persistence/Migrations/MigrationStartupHandlerTests.cs
#	src/Umbraco.Tests/UI/LegacyDialogTests.cs
#	src/Umbraco.Web.UI.Client/src/common/directives/components/content/edit.controller.js
#	src/Umbraco.Web.UI.Client/src/views/propertyeditors/contentpicker/contentpicker.controller.js
#	src/Umbraco.Web.UI/umbraco/config/create/UI.xml
#	src/Umbraco.Web.UI/umbraco/config/lang/zh.xml
#	src/Umbraco.Web/BatchedDatabaseServerMessenger.cs
#	src/Umbraco.Web/Editors/ContentController.cs
#	src/Umbraco.Web/Editors/MediaTypeController.cs
#	src/Umbraco.Web/HealthCheck/Checks/Security/ClickJackingCheck.cs
#	src/Umbraco.Web/HealthCheck/Checks/Security/ExcessiveHeadersCheck.cs
#	src/Umbraco.Web/Models/Mapping/ContentModelMapper.cs
#	src/Umbraco.Web/Models/Mapping/ContentPropertyBasicConverter.cs
#	src/Umbraco.Web/Models/Mapping/ContentPropertyDisplayConverter.cs
#	src/Umbraco.Web/Models/Mapping/ContentPropertyDtoConverter.cs
#	src/Umbraco.Web/Models/Mapping/ContentPropertyModelMapper.cs
#	src/Umbraco.Web/PropertyEditors/NestedContentPropertyEditor.cs
#	src/Umbraco.Web/PropertyEditors/ParameterEditors/MultipleContentPickerParameterEditor.cs
#	src/Umbraco.Web/Trees/ContentTreeControllerBase.cs
#	src/Umbraco.Web/umbraco.presentation/umbraco/create/MemberGroupTasks.cs

											
										
										
											2018-04-19 23:41:35 +10:00
+								                    Name = TextService.Localize("healthcheck/setHeaderInConfig"),
 								                    Description = TextService.Localize($"healthcheck/{_localizedTextPrefix}SetHeaderInConfigDescription")
-												Added check for X-Content-Type-Options and refactored existing HTTP header check to use common base class.

											
										
										
											2017-06-04 14:34:37 +02:00
+								                });
 								            }
 								            return
 								                new HealthCheckStatus(message)
 								                {
 								                    ResultType = success ? StatusResultType.Success : StatusResultType.Error,
 								                    Actions = actions
 								                };
 								        }
-												V8: Health check http header case sensitivity (#6753)


											
										
										
											2019-10-28 17:04:20 +00:00
+								        private bool HasMatchingHeader(IEnumerable<string> headerKeys)
-												Added check for X-Content-Type-Options and refactored existing HTTP header check to use common base class.

											
										
										
											2017-06-04 14:34:37 +02:00
+								        {
-												V8: Health check http header case sensitivity (#6753)


											
										
										
											2019-10-28 17:04:20 +00:00
+								            return headerKeys.Contains(_header, StringComparer.InvariantCultureIgnoreCase);
-												Added check for X-Content-Type-Options and refactored existing HTTP header check to use common base class.

											
										
										
											2017-06-04 14:34:37 +02:00
+								        }
 								        private bool DoMetaTagsContainKeyForHeader(WebResponse response)
 								        {
 								            using (var stream = response.GetResponseStream())
 								            {
 								                if (stream == null) return false;
 								                using (var reader = new StreamReader(stream))
 								                {
 								                    var html = reader.ReadToEnd();
 								                    var metaTags = ParseMetaTags(html);
-												V8: Health check http header case sensitivity (#6753)


											
										
										
											2019-10-28 17:04:20 +00:00
+								                    return HasMatchingHeader(metaTags.Keys);
-												Added check for X-Content-Type-Options and refactored existing HTTP header check to use common base class.

											
										
										
											2017-06-04 14:34:37 +02:00
+								                }
 								            }
 								        }
 								        private static Dictionary<string, string> ParseMetaTags(string html)
 								        {
 								            var regex = new Regex("<meta http-equiv=\"(.+?)\" content=\"(.+?)\"", RegexOptions.IgnoreCase);
 								            return regex.Matches(html)
 								                .Cast<Match>()
 								                .ToDictionary(m => m.Groups[1].Value, m => m.Groups[2].Value);
 								        }
 								        private HealthCheckStatus SetHeaderInConfig()
 								        {
 								            var errorMessage = string.Empty;
 								            var success = SaveHeaderToConfigFile(out errorMessage);
 								            if (success)
 								            {
 								                return
-												Merge remote-tracking branch 'origin/dev-v7' into dev-v8

# Conflicts:
#	src/SolutionInfo.cs
#	src/Umbraco.Core/Configuration/UmbracoVersion.cs
#	src/Umbraco.Core/Persistence/Migrations/MigrationRunner.cs
#	src/Umbraco.Core/Persistence/PetaPoco.cs
#	src/Umbraco.Core/Scoping/NoScope.cs
#	src/Umbraco.Core/Scoping/ScopeProvider.cs
#	src/Umbraco.Core/Services/ContentService.cs
#	src/Umbraco.Core/Services/IContentService.cs
#	src/Umbraco.Tests/Persistence/Migrations/MigrationStartupHandlerTests.cs
#	src/Umbraco.Tests/UI/LegacyDialogTests.cs
#	src/Umbraco.Web.UI.Client/src/common/directives/components/content/edit.controller.js
#	src/Umbraco.Web.UI.Client/src/views/propertyeditors/contentpicker/contentpicker.controller.js
#	src/Umbraco.Web.UI/umbraco/config/create/UI.xml
#	src/Umbraco.Web.UI/umbraco/config/lang/zh.xml
#	src/Umbraco.Web/BatchedDatabaseServerMessenger.cs
#	src/Umbraco.Web/Editors/ContentController.cs
#	src/Umbraco.Web/Editors/MediaTypeController.cs
#	src/Umbraco.Web/HealthCheck/Checks/Security/ClickJackingCheck.cs
#	src/Umbraco.Web/HealthCheck/Checks/Security/ExcessiveHeadersCheck.cs
#	src/Umbraco.Web/Models/Mapping/ContentModelMapper.cs
#	src/Umbraco.Web/Models/Mapping/ContentPropertyBasicConverter.cs
#	src/Umbraco.Web/Models/Mapping/ContentPropertyDisplayConverter.cs
#	src/Umbraco.Web/Models/Mapping/ContentPropertyDtoConverter.cs
#	src/Umbraco.Web/Models/Mapping/ContentPropertyModelMapper.cs
#	src/Umbraco.Web/PropertyEditors/NestedContentPropertyEditor.cs
#	src/Umbraco.Web/PropertyEditors/ParameterEditors/MultipleContentPickerParameterEditor.cs
#	src/Umbraco.Web/Trees/ContentTreeControllerBase.cs
#	src/Umbraco.Web/umbraco.presentation/umbraco/create/MemberGroupTasks.cs

											
										
										
											2018-04-19 23:41:35 +10:00
+								                    new HealthCheckStatus(TextService.Localize(string.Format("healthcheck/{0}SetHeaderInConfigSuccess", _localizedTextPrefix)))
-												Added check for X-Content-Type-Options and refactored existing HTTP header check to use common base class.

											
										
										
											2017-06-04 14:34:37 +02:00
+								                    {
 								                        ResultType = StatusResultType.Success
 								                    };
 								            }
 								            return
-												Merge remote-tracking branch 'origin/dev-v7' into dev-v8

# Conflicts:
#	src/SolutionInfo.cs
#	src/Umbraco.Core/Configuration/UmbracoVersion.cs
#	src/Umbraco.Core/Persistence/Migrations/MigrationRunner.cs
#	src/Umbraco.Core/Persistence/PetaPoco.cs
#	src/Umbraco.Core/Scoping/NoScope.cs
#	src/Umbraco.Core/Scoping/ScopeProvider.cs
#	src/Umbraco.Core/Services/ContentService.cs
#	src/Umbraco.Core/Services/IContentService.cs
#	src/Umbraco.Tests/Persistence/Migrations/MigrationStartupHandlerTests.cs
#	src/Umbraco.Tests/UI/LegacyDialogTests.cs
#	src/Umbraco.Web.UI.Client/src/common/directives/components/content/edit.controller.js
#	src/Umbraco.Web.UI.Client/src/views/propertyeditors/contentpicker/contentpicker.controller.js
#	src/Umbraco.Web.UI/umbraco/config/create/UI.xml
#	src/Umbraco.Web.UI/umbraco/config/lang/zh.xml
#	src/Umbraco.Web/BatchedDatabaseServerMessenger.cs
#	src/Umbraco.Web/Editors/ContentController.cs
#	src/Umbraco.Web/Editors/MediaTypeController.cs
#	src/Umbraco.Web/HealthCheck/Checks/Security/ClickJackingCheck.cs
#	src/Umbraco.Web/HealthCheck/Checks/Security/ExcessiveHeadersCheck.cs
#	src/Umbraco.Web/Models/Mapping/ContentModelMapper.cs
#	src/Umbraco.Web/Models/Mapping/ContentPropertyBasicConverter.cs
#	src/Umbraco.Web/Models/Mapping/ContentPropertyDisplayConverter.cs
#	src/Umbraco.Web/Models/Mapping/ContentPropertyDtoConverter.cs
#	src/Umbraco.Web/Models/Mapping/ContentPropertyModelMapper.cs
#	src/Umbraco.Web/PropertyEditors/NestedContentPropertyEditor.cs
#	src/Umbraco.Web/PropertyEditors/ParameterEditors/MultipleContentPickerParameterEditor.cs
#	src/Umbraco.Web/Trees/ContentTreeControllerBase.cs
#	src/Umbraco.Web/umbraco.presentation/umbraco/create/MemberGroupTasks.cs

											
										
										
											2018-04-19 23:41:35 +10:00
+								                new HealthCheckStatus(TextService.Localize("healthcheck/setHeaderInConfigError", new [] { errorMessage }))
-												Added check for X-Content-Type-Options and refactored existing HTTP header check to use common base class.

											
										
										
											2017-06-04 14:34:37 +02:00
+								                {
 								                    ResultType = StatusResultType.Error
 								                };
 								        }
 								        private bool SaveHeaderToConfigFile(out string errorMessage)
 								        {
 								            try
 								            {
 								                // There don't look to be any useful classes defined in https://msdn.microsoft.com/en-us/library/system.web.configuration(v=vs.110).aspx
 								                // for working with the customHeaders section, so working with the XML directly.
-												Moving Security HealthChecks to Abstractions proj

											
										
										
											2020-01-27 16:38:02 +01:00
+								                var configFile = _ioHelper.MapPath("~/Web.config");
-												Added check for X-Content-Type-Options and refactored existing HTTP header check to use common base class.

											
										
										
											2017-06-04 14:34:37 +02:00
+								                var doc = XDocument.Load(configFile);
 								                var systemWebServerElement = doc.XPathSelectElement("/configuration/system.webServer");
 								                var httpProtocolElement = systemWebServerElement.Element("httpProtocol");
 								                if (httpProtocolElement == null)
 								                {
 								                    httpProtocolElement = new XElement("httpProtocol");
 								                    systemWebServerElement.Add(httpProtocolElement);
 								                }
 								                var customHeadersElement = httpProtocolElement.Element("customHeaders");
 								                if (customHeadersElement == null)
 								                {
 								                    customHeadersElement = new XElement("customHeaders");
 								                    httpProtocolElement.Add(customHeadersElement);
 								                }
 								                var removeHeaderElement = customHeadersElement.Elements("remove")
-												Fix for #3510 - health check for http headers was case sensitive, but HTTP spec states http headers are case insensitive

											
										
										
											2019-10-17 15:06:43 +01:00
+								                    .SingleOrDefault(x => x.Attribute("name")?.Value.Equals(_value, StringComparison.InvariantCultureIgnoreCase) == true);
-												Added check for X-Content-Type-Options and refactored existing HTTP header check to use common base class.

											
										
										
											2017-06-04 14:34:37 +02:00
+								                if (removeHeaderElement == null)
 								                {
-												Fix for #3510 - health check for http headers was case sensitive, but HTTP spec states http headers are case insensitive

											
										
										
											2019-10-17 15:06:43 +01:00
+								                    customHeadersElement.Add(
 								                        new XElement("remove",
 								                            new XAttribute("name", _header)));
-												Added check for X-Content-Type-Options and refactored existing HTTP header check to use common base class.

											
										
										
											2017-06-04 14:34:37 +02:00
+								                }
 								                var addHeaderElement = customHeadersElement.Elements("add")
-												Fix for #3510 - health check for http headers was case sensitive, but HTTP spec states http headers are case insensitive

											
										
										
											2019-10-17 15:06:43 +01:00
+								                    .SingleOrDefault(x => x.Attribute("name")?.Value.Equals(_header, StringComparison.InvariantCultureIgnoreCase) == true);
-												Added check for X-Content-Type-Options and refactored existing HTTP header check to use common base class.

											
										
										
											2017-06-04 14:34:37 +02:00
+								                if (addHeaderElement == null)
 								                {
-												Fix for #3510 - health check for http headers was case sensitive, but HTTP spec states http headers are case insensitive

											
										
										
											2019-10-17 15:06:43 +01:00
+								                    customHeadersElement.Add(
 								                        new XElement("add",
 								                            new XAttribute("name", _header),
 								                            new XAttribute("value", _value)));
-												Added check for X-Content-Type-Options and refactored existing HTTP header check to use common base class.

											
										
										
											2017-06-04 14:34:37 +02:00
+								                }
 								                doc.Save(configFile);
 								                errorMessage = string.Empty;
 								                return true;
 								            }
 								            catch (Exception ex)
 								            {
 								                errorMessage = ex.Message;
 								                return false;
 								            }
 								        }
 								    }
 								}