diff --git a/src/Middleware/CORS/src/Infrastructure/CorsPolicyBuilder.cs b/src/Middleware/CORS/src/Infrastructure/CorsPolicyBuilder.cs index 667c79d733b8..433512a231cc 100644 --- a/src/Middleware/CORS/src/Infrastructure/CorsPolicyBuilder.cs +++ b/src/Middleware/CORS/src/Infrastructure/CorsPolicyBuilder.cs @@ -54,6 +54,11 @@ public CorsPolicyBuilder(CorsPolicy policy) /// public CorsPolicyBuilder WithOrigins(params string[] origins) { + if (origins is null) + { + throw new ArgumentNullException(nameof(origins)); + } + foreach (var origin in origins) { var normalizedOrigin = GetNormalizedOrigin(origin); @@ -65,6 +70,11 @@ public CorsPolicyBuilder WithOrigins(params string[] origins) internal static string GetNormalizedOrigin(string origin) { + if (origin is null) + { + throw new ArgumentNullException(nameof(origin)); + } + if (Uri.TryCreate(origin, UriKind.Absolute, out var uri) && (uri.Scheme == Uri.UriSchemeHttp || uri.Scheme == Uri.UriSchemeHttps) && !string.Equals(uri.IdnHost, uri.Host, StringComparison.Ordinal)) 
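Review bot: A null element in `origins` is only caught inside the loop, by the new guard in `GetNormalizedOrigin` (second hunk), so the exception names `origin`, which is not a parameter of `WithOrigins`. It is also raised only after any earlier elements have been processed. The rest of the loop body is outside the hunk, but if it adds each normalized origin to the policy as it goes, a caller that catches the exception is left with a partially populated allow-list. Validating the elements before the loop avoids both problems, for example `if (Array.IndexOf(origins, null) >= 0) throw new ArgumentNullException(nameof(origins));` placed directly after the new null check.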
@@ -73,9 +83,9 @@ internal static string GetNormalizedOrigin(string origin) if (!uri.IsDefaultPort) { // Uri does not have a way to differentiate between a port value inferred by default (e.g. Port = 80 for http://www.example.com) and - // a default port value that is specified (e.g. Port = 80 for http://www.example.com:80). Although the HTTP or FETCH spec does not say + // a default port value that is specified (e.g. Port = 80 for http://www.example.com:80). Although the HTTP or FETCH spec does not say // anything about including the default port as part of the Origin header, at the time of writing, browsers drop "default" port when navigating - // and when sending the Origin header. All this goes to say, it appears OK to drop an explicitly specified port, + // and when sending the Origin header. All this goes to say, it appears OK to drop an explicitly specified port, // if it is the default port when working with an IDN host. builder.Port = uri.Port; } @@ -208,7 +218,7 @@ public CorsPolicyBuilder SetIsOriginAllowed(Func isOriginAllowed) /// /// Sets the property of the policy to be a function - /// that allows origins to match a configured wildcarded domain when evaluating if the + /// that allows origins to match a configured wildcarded domain when evaluating if the /// origin is allowed. /// /// The current policy builder. diff --git a/src/Middleware/CORS/test/UnitTests/CorsPolicyBuilderTests.cs b/src/Middleware/CORS/test/UnitTests/CorsPolicyBuilderTests.cs index f8d2e22fd444..82c7c0b4eea1 100644 --- a/src/Middleware/CORS/test/UnitTests/CorsPolicyBuilderTests.cs +++ b/src/Middleware/CORS/test/UnitTests/CorsPolicyBuilderTests.cs 
@@ -139,6 +139,28 @@ public void WithOrigins_NormalizesOrigins() Assert.Equal(new List() { "http://www.example.com", "https://example2.com" }, corsPolicy.Origins); } + [Fact] + public void WithOrigins_ThrowsIfArgumentNull() + { + // Arrange + var builder = new CorsPolicyBuilder(); + string[] args = null; + + // Act / Assert + Assert.Throws(() => builder.WithOrigins(args)); + } + + [Fact] + public void WithOrigins_ThrowsIfArgumentArrayContainsNull() + { + // Arrange + var builder = new CorsPolicyBuilder(); + string[] args = new string[] { null }; + + // Act / Assert + Assert.Throws(() => builder.WithOrigins(args)); + } + [Fact] public void AllowAnyOrigin_AllowsAny() {
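Review bot: `WithOrigins_ThrowsIfArgumentArrayContainsNull` passes only a single-element array, so it does not pin what happens when a null follows valid entries. A further case such as `new string[] { "http://www.example.com", null }`, followed by an assertion on `builder.Build().Origins`, would document whether earlier origins remain in the policy after the throw. Capturing the result of `Assert.Throws` and asserting its `ParamName` in both tests would also fix which argument name callers see.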