chg-meridian / chg.extensions.security.txt Goto Github PK

Is your feature request related to a problem? Please describe.
The RFC for security.txt supports redirects e.g. from app.example.com/.well-known/security.txt to example.com/.well-known/security.txt or from another-example.com//.well-known/security.txt to example.com/.well-known/security.txt

Describe the solution you'd like
Would you support a new feature to allow this? Possible implementations I was thinking of include:

Service registration that passes in a Uri to redirect to

builder.Services.AddSecurityText(new Uri("https://example.com/.well-known/security.txt"));

OR using the existing TextBuilder approach

builder.Services.AddSecurityText(textBuilder =>
{
	textBuilder
		.SetRedirect(new Uri("https://example.com/.well-known/security.txt"))
});

Describe alternatives you've considered
None

Additional context
I'm happy to work on this and submit a pull request if you agree to the feature's implementation.

Does this project use any Continuous Integration Tool? If so, is it online? (TravisCI, CircleCI), or offline tool (Jenkins, Hudson).

Due to the recommendation by Microsoft (https://docs.microsoft.com/en-us/dotnet/standard/library-guidance/) this library should have a strong-name.

Hi,

The CreateComment method in the SecurityTextContainer uses ~~ as intermediate string for normalizing line endings in input data. This may lead to problems when the comment itself contains these characters. A better solution could be to replace those combinations with e.g. \n to avoid intermediate string placeholders that could be used in a regular comment.

Additionally the new line characters \r\n, \r and \n are replaced with Environment.NewLine which leads to different output depending on which plattform it is hosted. Maybe we should specify which line ending should be used more explicitly so the behaviour will be the same regardless of the plattform that hosts the middleware. Is it a candidate for options/settings?

Describe the bug
app.UseSecurityText()
throws exception, when loading from a text file, even when file does contain the Contact: directive.

Expected Behavior

Shouldn't throw exception

Actual Behavior

Exception thrown: 'CHG.Extensions.Security.Txt.InvalidSecurityInformationException' in CHG.Extensions.Security.Txt.dll
An exception of type 'CHG.Extensions.Security.Txt.InvalidSecurityInformationException' occurred in CHG.Extensions.Security.Txt.dll but was not handled in user code
The "Contact: " directive MUST always be present in a security.txt file.

Steps to Reproduce the Problem

1. Create security.txt file on root in MVC Core 2.1
2. Add content security.txt of following with a newline at EOF:
   Contact: mailto:[email protected]
3. add following to ConfigureServices in Startup.cs

    services.AddSecurityText(builder =>
    builder.ReadFromFile("./security.txt")
    );

4. add following to Configure in Startup.cs before app.UseMvc call:
   app.UseSecurityText()
5. Build project and run. Exception is thrown.

Specifications

• Version: 0.1.1
• Platform: Windows 10, Core MVC 2.1