From 67a1f2dda9bcb5795033b0c0ce775d931627fe17 Mon Sep 17 00:00:00 2001
From: Ryan Nowak <nowakra@gmail.com>
Date: Fri, 5 Oct 2018 21:48:43 -0700
Subject: [PATCH] Add security text about Host header

---
 .../IUrlHelper.cs                             | 30 +++++-
 .../UrlHelperExtensions.cs                    | 96 +++++++++++++++++--
 2 files changed, 114 insertions(+), 12 deletions(-)

diff --git a/src/Microsoft.AspNetCore.Mvc.Abstractions/IUrlHelper.cs b/src/Microsoft.AspNetCore.Mvc.Abstractions/IUrlHelper.cs
index 33a23fef25..8a0a75db9e 100644
--- a/src/Microsoft.AspNetCore.Mvc.Abstractions/IUrlHelper.cs
+++ b/src/Microsoft.AspNetCore.Mvc.Abstractions/IUrlHelper.cs
@@ -1,6 +1,7 @@
 // Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
+using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc.Routing;
 
 namespace Microsoft.AspNetCore.Mvc
@@ -19,10 +20,18 @@ namespace Microsoft.AspNetCore.Mvc
         /// Generates a URL with an absolute path for an action method, which contains the action
         /// name, controller name, route values, protocol to use, host name, and fragment specified by
         /// <see cref="UrlActionContext"/>. Generates an absolute URL if <see cref="UrlActionContext.Protocol"/> and
-        /// <see cref="UrlActionContext.Host"/> are non-<c>null</c>.
+        /// <see cref="UrlActionContext.Host"/> are non-<c>null</c>. See the remarks section for important security information.
         /// </summary>
         /// <param name="actionContext">The context object for the generated URLs for an action method.</param>
         /// <returns>The generated URL.</returns>
+        /// <remarks>
+        /// <para>
+        /// The value of <see cref="UrlActionContext.Host" /> should be a trusted value. Relying on the value of the current request
+        /// can allow untrusted input to influence the resulting URI unless the <c>Host</c> header has been validated.
+        /// See the deployment documentation for instructions on how to properly validate the <c>Host</c> header in
+        /// your deployment environment.
+        /// </para>
+        /// </remarks>
         string Action(UrlActionContext actionContext);
 
         /// <summary>
@@ -65,19 +74,36 @@ namespace Microsoft.AspNetCore.Mvc
         /// Generates a URL with an absolute path, which contains the route name, route values, protocol to use, host
         /// name, and fragment specified by <see cref="UrlRouteContext"/>. Generates an absolute URL if
         /// <see cref="UrlActionContext.Protocol"/> and <see cref="UrlActionContext.Host"/> are non-<c>null</c>.
+        /// See the remarks section for important security information.
         /// </summary>
         /// <param name="routeContext">The context object for the generated URLs for a route.</param>
         /// <returns>The generated URL.</returns>
+        /// <remarks>
+        /// <para>
+        /// The value of <see cref="UrlRouteContext.Host" /> should be a trusted value. Relying on the value of the current request
+        /// can allow untrusted input to influence the resulting URI unless the <c>Host</c> header has been validated.
+        /// See the deployment documentation for instructions on how to properly validate the <c>Host</c> header in
+        /// your deployment environment.
+        /// </para>
+        /// </remarks>
         string RouteUrl(UrlRouteContext routeContext);
 
         /// <summary>
         /// Generates an absolute URL for the specified <paramref name="routeName"/> and route
         /// <paramref name="values"/>, which contains the protocol (such as "http" or "https") and host name from the
-        /// current request.
+        /// current request. See the remarks section for important security information.
         /// </summary>
         /// <param name="routeName">The name of the route that is used to generate URL.</param>
         /// <param name="values">An object that contains route values.</param>
         /// <returns>The generated absolute URL.</returns>
+        /// <remarks>
+        /// <para>
+        /// This method uses the value of <see cref="HttpRequest.Host"/> to populate the host section of the generated URI.
+        /// Relying on the value of the current request can allow untrusted input to influence the resulting URI unless 
+        /// the <c>Host</c> header has been validated. See the deployment documentation for instructions on how to properly 
+        /// validate the <c>Host</c> header in your deployment environment.
+        /// </para>
+        /// </remarks>
         string Link(string routeName, object values);
     }
 }
diff --git a/src/Microsoft.AspNetCore.Mvc.Core/UrlHelperExtensions.cs b/src/Microsoft.AspNetCore.Mvc.Core/UrlHelperExtensions.cs
index e790b879ef..40c673da8c 100644
--- a/src/Microsoft.AspNetCore.Mvc.Core/UrlHelperExtensions.cs
+++ b/src/Microsoft.AspNetCore.Mvc.Core/UrlHelperExtensions.cs
@@ -2,9 +2,7 @@
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
-using System.Diagnostics;
-using Microsoft.AspNetCore.Mvc.Core;
-using Microsoft.AspNetCore.Mvc.Internal;
+using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc.Routing;
 using Microsoft.AspNetCore.Routing;
 
@@ -108,7 +106,7 @@ namespace Microsoft.AspNetCore.Mvc
         /// <summary>
         /// Generates a URL with an absolute path for an action method, which contains the specified
         /// <paramref name="action"/> name, <paramref name="controller"/> name, route <paramref name="values"/>, and
-        /// <paramref name="protocol"/> to use.
+        /// <paramref name="protocol"/> to use. See the remarks section for important security information.
         /// </summary>
         /// <param name="helper">The <see cref="IUrlHelper"/>.</param>
         /// <param name="action">The name of the action method.</param>
@@ -116,6 +114,14 @@ namespace Microsoft.AspNetCore.Mvc
         /// <param name="values">An object that contains route values.</param>
         /// <param name="protocol">The protocol for the URL, such as "http" or "https".</param>
         /// <returns>The generated URL.</returns>
+        /// <remarks>
+        /// <para>
+        /// This method uses the value of <see cref="HttpRequest.Host"/> to populate the host section of the generated URI.
+        /// Relying on the value of the current request can allow untrusted input to influence the resulting URI unless 
+        /// the <c>Host</c> header has been validated. See the deployment documentation for instructions on how to properly 
+        /// validate the <c>Host</c> header in your deployment environment.
+        /// </para>
+        /// </remarks>
         public static string Action(
             this IUrlHelper helper,
             string action,
@@ -136,7 +142,7 @@ namespace Microsoft.AspNetCore.Mvc
         /// <paramref name="action"/> name, <paramref name="controller"/> name, route <paramref name="values"/>,
         /// <paramref name="protocol"/> to use, and <paramref name="host"/> name.
         /// Generates an absolute URL if the <paramref name="protocol"/> and <paramref name="host"/> are
-        /// non-<c>null</c>.
+        /// non-<c>null</c>. See the remarks section for important security information.
         /// </summary>
         /// <param name="helper">The <see cref="IUrlHelper"/>.</param>
         /// <param name="action">The name of the action method.</param>
@@ -145,6 +151,14 @@ namespace Microsoft.AspNetCore.Mvc
         /// <param name="protocol">The protocol for the URL, such as "http" or "https".</param>
         /// <param name="host">The host name for the URL.</param>
         /// <returns>The generated URL.</returns>
+        /// <remarks>
+        /// <para>
+        /// The value of <paramref name="host"/> should be a trusted value. Relying on the value of the current request
+        /// can allow untrusted input to influence the resulting URI unless the <c>Host</c> header has been validated.
+        /// See the deployment documentation for instructions on how to properly validate the <c>Host</c> header in
+        /// your deployment environment.
+        /// </para>
+        /// </remarks>
         public static string Action(
             this IUrlHelper helper,
             string action,
@@ -166,7 +180,7 @@ namespace Microsoft.AspNetCore.Mvc
         /// <paramref name="action"/> name, <paramref name="controller"/> name, route <paramref name="values"/>,
         /// <paramref name="protocol"/> to use, <paramref name="host"/> name, and <paramref name="fragment"/>.
         /// Generates an absolute URL if the <paramref name="protocol"/> and <paramref name="host"/> are
-        /// non-<c>null</c>.
+        /// non-<c>null</c>. See the remarks section for important security information.
         /// </summary>
         /// <param name="helper">The <see cref="IUrlHelper"/>.</param>
         /// <param name="action">The name of the action method.</param>
@@ -176,6 +190,14 @@ namespace Microsoft.AspNetCore.Mvc
         /// <param name="host">The host name for the URL.</param>
         /// <param name="fragment">The fragment for the URL.</param>
         /// <returns>The generated URL.</returns>
+        /// <remarks>
+        /// <para>
+        /// The value of <paramref name="host"/> should be a trusted value. Relying on the value of the current request
+        /// can allow untrusted input to influence the resulting URI unless the <c>Host</c> header has been validated.
+        /// See the deployment documentation for instructions on how to properly validate the <c>Host</c> header in
+        /// your deployment environment.
+        /// </para>
+        /// </remarks>
         public static string Action(
             this IUrlHelper helper,
             string action,
@@ -253,13 +275,22 @@ namespace Microsoft.AspNetCore.Mvc
 
         /// <summary>
         /// Generates a URL with an absolute path for the specified route <paramref name="routeName"/> and route
-        /// <paramref name="values"/>, which contains the specified <paramref name="protocol"/> to use.
+        /// <paramref name="values"/>, which contains the specified <paramref name="protocol"/> to use. See the
+        /// remarks section for important security information.
         /// </summary>
         /// <param name="helper">The <see cref="IUrlHelper"/>.</param>
         /// <param name="routeName">The name of the route that is used to generate URL.</param>
         /// <param name="values">An object that contains route values.</param>
         /// <param name="protocol">The protocol for the URL, such as "http" or "https".</param>
         /// <returns>The generated URL.</returns>
+        /// <remarks>
+        /// <para>
+        /// This method uses the value of <see cref="HttpRequest.Host"/> to populate the host section of the generated URI.
+        /// Relying on the value of the current request can allow untrusted input to influence the resulting URI unless 
+        /// the <c>Host</c> header has been validated. See the deployment documentation for instructions on how to properly 
+        /// validate the <c>Host</c> header in your deployment environment.
+        /// </para>
+        /// </remarks>
         public static string RouteUrl(
             this IUrlHelper helper,
             string routeName,
@@ -279,6 +310,7 @@ namespace Microsoft.AspNetCore.Mvc
         /// <paramref name="values"/>, which contains the specified <paramref name="protocol"/> to use and
         /// <paramref name="host"/> name. Generates an absolute URL if
         /// <see cref="UrlActionContext.Protocol"/> and <see cref="UrlActionContext.Host"/> are non-<c>null</c>.
+        /// See the remarks section for important security information.
         /// </summary>
         /// <param name="helper">The <see cref="IUrlHelper"/>.</param>
         /// <param name="routeName">The name of the route that is used to generate URL.</param>
@@ -286,6 +318,14 @@ namespace Microsoft.AspNetCore.Mvc
         /// <param name="protocol">The protocol for the URL, such as "http" or "https".</param>
         /// <param name="host">The host name for the URL.</param>
         /// <returns>The generated URL.</returns>
+        /// <remarks>
+        /// <para>
+        /// The value of <paramref name="host"/> should be a trusted value. Relying on the value of the current request
+        /// can allow untrusted input to influence the resulting URI unless the <c>Host</c> header has been validated.
+        /// See the deployment documentation for instructions on how to properly validate the <c>Host</c> header in
+        /// your deployment environment.
+        /// </para>
+        /// </remarks>
         public static string RouteUrl(
             this IUrlHelper helper,
             string routeName,
@@ -306,6 +346,7 @@ namespace Microsoft.AspNetCore.Mvc
         /// <paramref name="values"/>, which contains the specified <paramref name="protocol"/> to use,
         /// <paramref name="host"/> name and <paramref name="fragment"/>. Generates an absolute URL if
         /// <see cref="UrlActionContext.Protocol"/> and <see cref="UrlActionContext.Host"/> are non-<c>null</c>.
+        /// See the remarks section for important security information.
         /// </summary>
         /// <param name="helper">The <see cref="IUrlHelper"/>.</param>
         /// <param name="routeName">The name of the route that is used to generate URL.</param>
@@ -314,6 +355,14 @@ namespace Microsoft.AspNetCore.Mvc
         /// <param name="host">The host name for the URL.</param>
         /// <param name="fragment">The fragment for the URL.</param>
         /// <returns>The generated URL.</returns>
+        /// <remarks>
+        /// <para>
+        /// The value of <paramref name="host"/> should be a trusted value. Relying on the value of the current request
+        /// can allow untrusted input to influence the resulting URI unless the <c>Host</c> header has been validated.
+        /// See the deployment documentation for instructions on how to properly validate the <c>Host</c> header in
+        /// your deployment environment.
+        /// </para>
+        /// </remarks>
         public static string RouteUrl(
             this IUrlHelper helper,
             string routeName,
@@ -382,7 +431,8 @@ namespace Microsoft.AspNetCore.Mvc
             => Page(urlHelper, pageName, pageHandler, values, protocol: null);
 
         /// <summary>
-        /// Generates a URL with an absolute path for the specified <paramref name="pageName"/>.
+        /// Generates a URL with an absolute path for the specified <paramref name="pageName"/>. See the remarks section
+        /// for important security information.
         /// </summary>
         /// <param name="urlHelper">The <see cref="IUrlHelper"/>.</param>
         /// <param name="pageName">The page name to generate the url for.</param>
@@ -390,6 +440,14 @@ namespace Microsoft.AspNetCore.Mvc
         /// <param name="values">An object that contains route values.</param>
         /// <param name="protocol">The protocol for the URL, such as "http" or "https".</param>
         /// <returns>The generated URL.</returns>
+        /// <remarks>
+        /// <para>
+        /// This method uses the value of <see cref="HttpRequest.Host"/> to populate the host section of the generated URI.
+        /// Relying on the value of the current request can allow untrusted input to influence the resulting URI unless 
+        /// the <c>Host</c> header has been validated. See the deployment documentation for instructions on how to properly 
+        /// validate the <c>Host</c> header in your deployment environment.
+        /// </para>
+        /// </remarks>
         public static string Page(
             this IUrlHelper urlHelper,
             string pageName,
@@ -399,7 +457,8 @@ namespace Microsoft.AspNetCore.Mvc
             => Page(urlHelper, pageName, pageHandler, values, protocol, host: null, fragment: null);
 
         /// <summary>
-        /// Generates a URL with an absolute path for the specified <paramref name="pageName"/>.
+        /// Generates a URL with an absolute path for the specified <paramref name="pageName"/>. See the remarks section for 
+        /// important security information.
         /// </summary>
         /// <param name="urlHelper">The <see cref="IUrlHelper"/>.</param>
         /// <param name="pageName">The page name to generate the url for.</param>
@@ -408,6 +467,14 @@ namespace Microsoft.AspNetCore.Mvc
         /// <param name="protocol">The protocol for the URL, such as "http" or "https".</param>
         /// <param name="host">The host name for the URL.</param>
         /// <returns>The generated URL.</returns>
+        /// <remarks>
+        /// <para>
+        /// The value of <paramref name="host"/> should be a trusted value. Relying on the value of the current request
+        /// can allow untrusted input to influence the resulting URI unless the <c>Host</c> header has been validated.
+        /// See the deployment documentation for instructions on how to properly validate the <c>Host</c> header in
+        /// your deployment environment.
+        /// </para>
+        /// </remarks>
         public static string Page(
             this IUrlHelper urlHelper,
             string pageName,
@@ -418,7 +485,8 @@ namespace Microsoft.AspNetCore.Mvc
             => Page(urlHelper, pageName, pageHandler, values, protocol, host, fragment: null);
 
         /// <summary>
-        /// Generates a URL with an absolute path for the specified <paramref name="pageName"/>.
+        /// Generates a URL with an absolute path for the specified <paramref name="pageName"/>. See the remarks section for
+        /// important security information.
         /// </summary>
         /// <param name="urlHelper">The <see cref="IUrlHelper"/>.</param>
         /// <param name="pageName">The page name to generate the url for.</param>
@@ -428,6 +496,14 @@ namespace Microsoft.AspNetCore.Mvc
         /// <param name="host">The host name for the URL.</param>
         /// <param name="fragment">The fragment for the URL.</param>
         /// <returns>The generated URL.</returns>
+        /// <remarks>
+        /// <para>
+        /// The value of <paramref name="host"/> should be a trusted value. Relying on the value of the current request
+        /// can allow untrusted input to influence the resulting URI unless the <c>Host</c> header has been validated.
+        /// See the deployment documentation for instructions on how to properly validate the <c>Host</c> header in
+        /// your deployment environment.
+        /// </para>
+        /// </remarks>
         public static string Page(
             this IUrlHelper urlHelper,
             string pageName,