[PM-5731] feat: add incomplete rpId verification

2026-02-25 08:53:20 +00:00 · 2024-02-07 14:28:51 +01:00
parent ad8faec200
commit 0f5df0f6b0
2 changed files with 77 additions and 0 deletions
--- a/src/Core/Utilities/Fido2/Fido2DomainUtils.cs
+++ b/src/Core/Utilities/Fido2/Fido2DomainUtils.cs
@@ -0,0 +1,37 @@
+using System.Text.RegularExpressions;
+
+namespace Bit.Core.Utilities.Fido2
+{
+    public class Fido2DomainUtils
+    {
+        // TODO: This is a basic implementation of the domain validation logic, and is probably not correct.
+        // It doesn't support IP-adresses, and it doesn't follow the algorithm in the spec:
+        // https://html.spec.whatwg.org/multipage/browsers.html#is-a-registrable-domain-suffix-of-or-is-equal-to
+        public static bool IsValidRpId(string rpId, string origin)
+        {
+            if (rpId == null || origin == null)
+            {
+                return false;
+            }
+
+            // TODO: DomainName doesn't like it when we give it a URL with a protocol or port
+            // So we remove the protocol and port here, while still supporting ipv6 shortform
+            // https is enforced in the client, so we don't need to worry about that here
+            var originWithoutProtocolOrPort = Regex.Replace(origin, @"(https?://)?([^:/]+)(:\d+)?(/.*)?", "$2$4");
+
+            if (rpId == originWithoutProtocolOrPort)
+            {
+                return true;
+            }
+
+            if (!DomainName.TryParse(rpId, out var parsedRpId) || !DomainName.TryParse(originWithoutProtocolOrPort, out var parsedOrgin))
+            {
+                return false;
+            }
+
+            return parsedOrgin.Tld == parsedRpId.Tld && 
+                parsedOrgin.Domain == parsedRpId.Domain && 
+                (parsedOrgin.SubDomain == parsedRpId.SubDomain || parsedOrgin.SubDomain.EndsWith(parsedRpId.SubDomain));
+        }
+    }
+}