Handle malformed origin Uri (#139)

Addresses aspnet/Home#2318

src/Microsoft.AspNetCore.Cors/Infrastructure/CorsPolicyExtensions.cs

@@ -16,11 +16,16 @@ namespace Microsoft.AspNetCore.Cors.Infrastructure
             {
                 return true;
             }
-            var originUri = new Uri(origin, UriKind.Absolute);
-            return policy.Origins
-                .Where(o => o.Contains($"://{_WildcardSubdomain}"))
-                .Select(CreateDomainUri)
-                .Any(domain => UriHelpers.IsSubdomainOf(originUri, domain));
+
+            if (Uri.TryCreate(origin, UriKind.Absolute, out var originUri))
+            {
+                return policy.Origins
+                    .Where(o => o.Contains($"://{_WildcardSubdomain}"))
+                    .Select(CreateDomainUri)
+                    .Any(domain => UriHelpers.IsSubdomainOf(originUri, domain));
+            }
+
+            return false;
         }
 
         private static Uri CreateDomainUri(string origin)

test/Microsoft.AspNetCore.Cors.Test/CorsPolicyExtensionsTests.cs

@@ -23,6 +23,26 @@ namespace Microsoft.AspNetCore.Cors.Infrastructure
             Assert.True(actual);
         }
 
+        [Theory]
+        [InlineData(null)]
+        [InlineData("null")]
+        [InlineData("http://")]
+        [InlineData("http://*")]
+        [InlineData("http://.domain")]
+        [InlineData("http://.domain/hello")]
+        public void IsOriginAnAllowedSubdomain_ReturnsFalseIfOriginIsMalformedUri(string malformedOrigin)
+        {
+            // Arrange
+            var policy = new CorsPolicy();
+            policy.Origins.Add("http://*.domain");
+
+            // Act
+            var actual = policy.IsOriginAnAllowedSubdomain(malformedOrigin);
+
+            // Assert
+            Assert.False(actual);
+        }
+
         [Theory]
         [InlineData("http://sub.domain", "http://*.domain")]
         [InlineData("http://sub.sub.domain", "http://*.domain")]