< Summary - Syki

Information

Class:	Syki.Back.Extensions.SsoExtensions
Assembly:	Back
File(s):	File 1: /_/Back/obj/Release/net10.0/System.Text.RegularExpressions.Generator/System.Text.RegularExpressions.Generator.RegexGenerator/RegexGenerator.g.cs File 2: /home/runner/work/syki/syki/Back/Extensions/SsoExtensions.cs
Tag:	56_26538939494

Line coverage

Covered lines:	0
Uncovered lines:	52
Coverable lines:	52
Total lines:	190
Line coverage:	0%

Branch coverage

Covered branches:	0
Total branches:	64
Branch coverage:	0%

Method coverage

Feature is only available for sponsors

Upgrade to PRO version

Metrics

Method	Branch coverage	Crap Score	Cyclomatic complexity	Line coverage
File 1: SsoDomainRegex()	100%	2	1	0%
File 2: ValidateSsoAuthority(...)	0%	42	6	0%
File 2: ValidateSsoHost(...)	0%	110	10	0%
File 2: NormalizeSsoDomain(...)	0%	42	6	0%
File 2: ValidateSsoIpAddress(...)	0%	1190	34	0%
File 2: IsPrivateSsoIpV4(...)	0%	72	8	0%

File(s)

/_/Back/obj/Release/net10.0/System.Text.RegularExpressions.Generator/System.Text.RegularExpressions.Generator.RegexGenerator/RegexGenerator.g.cs

File '/_/Back/obj/Release/net10.0/System.Text.RegularExpressions.Generator/System.Text.RegularExpressions.Generator.RegexGenerator/RegexGenerator.g.cs' does not exist (any more).

/home/runner/work/syki/syki/Back/Extensions/SsoExtensions.cs

#	Line	Line coverage
	`1`	`using System.Net;`
	`2`	`using System.Net.Sockets;`
	`3`	`using System.Text.RegularExpressions;`
	`4`
	`5`	`namespace Syki.Back.Extensions;`
	`6`
	`7`	`public static partial class SsoExtensions`
	`8`	`{`
	`9`	`extension(string value)`
	`10`	`{`
	`11`	`public SykiError? ValidateSsoAuthority()`
	`12`	`{`
	`13`	`// Must be valid URI`
0	`14`	`if (!Uri.TryCreate(value, UriKind.Absolute, out var uri))`
0	`15`	`return InvalidSsoAuthority.I;`
	`16`
	`17`	`// Must be HTTPS`
0	`18`	`if (uri.Scheme != Uri.UriSchemeHttps)`
0	`19`	`return SsoAuthorityMustBeHttps.I;`
	`20`
	`21`	`// Block URLs with userinfo (SSRF bypass: https://evil.com@169.254.169.254/)`
0	`22`	`if (uri.UserInfo.HasValue())`
0	`23`	`return SsoAuthorityHasUserInfo.I;`
	`24`
	`25`	`// Parse and validate the host`
0	`26`	`return uri.Host.ValidateSsoHost();`
	`27`	`}`
	`28`
	`29`	`public SykiError? ValidateSsoHost()`
	`30`	`{`
	`31`	`// Try to parse as IP address`
0	`32`	`if (IPAddress.TryParse(value, out var ip))`
0	`33`	`return ip.ValidateSsoIpAddress();`
	`34`
	`35`	`// It's a hostname - check for dangerous hostnames`
0	`36`	`var lowerHost = value.ToLowerInvariant();`
	`37`
	`38`	`// Block localhost variants (allow in dev/testing)`
0	`39`	`if (lowerHost is "localhost" or "localhost.localdomain")`
0	`40`	`return EnvironmentExtensions.IsDevelopmentOrTesting() ? null : SsoAuthorityLocalhostNotAllowed.I;`
	`41`
0	`42`	`return null;`
	`43`	`}`
	`44`
	`45`	`public string? NormalizeSsoDomain()`
	`46`	`{`
0	`47`	`if (string.IsNullOrWhiteSpace(value))`
0	`48`	`return null;`
	`49`
0	`50`	`var normalized = value.Trim().ToLowerInvariant();`
	`51`
	`52`	`// Remove @ if present at start`
0	`53`	`if (normalized.StartsWith('@'))`
0	`54`	`normalized = normalized[1..];`
	`55`
	`56`	`// Basic domain validation`
0	`57`	`if (!SsoDomainRegex().IsMatch(normalized))`
0	`58`	`return null;`
	`59`
0	`60`	`return normalized;`
	`61`	`}`
	`62`	`}`
	`63`
	`64`	`extension(IPAddress ip)`
	`65`	`{`
	`66`	`public SykiError? ValidateSsoIpAddress()`
	`67`	`{`
0	`68`	`var resolved = ip;`
0	`69`	`var isDevOrTest = EnvironmentExtensions.IsDevelopmentOrTesting();`
	`70`
	`71`	`// Handle IPv4-mapped IPv6 addresses (::ffff:127.0.0.1)`
0	`72`	`if (resolved.IsIPv4MappedToIPv6)`
0	`73`	`resolved = resolved.MapToIPv4();`
	`74`
	`75`	`// IPv6 checks`
0	`76`	`if (resolved.AddressFamily == AddressFamily.InterNetworkV6)`
	`77`	`{`
	`78`	`// Block IPv6 loopback (::1) — allow in dev/testing`
0	`79`	`if (IPAddress.IPv6Loopback.Equals(resolved))`
0	`80`	`return isDevOrTest ? null : SsoAuthorityLoopbackNotAllowed.I;`
	`81`
	`82`	`// Block IPv6 link-local (fe80::/10) — always blocked (cloud metadata risk)`
0	`83`	`if (resolved.IsIPv6LinkLocal)`
0	`84`	`return SsoAuthorityLinkLocalNotAllowed.I;`
	`85`
	`86`	`// Block IPv6 unique local addresses (fc00::/7 = fc00:: and fd00::) — allow in dev/testing`
0	`87`	`var bytes = resolved.GetAddressBytes();`
0	`88`	`if ((bytes[0] & 0xFE) == 0xFC) // fc00::/7`
0	`89`	`return isDevOrTest ? null : SsoAuthorityPrivateIpNotAllowed.I;`
	`90`
0	`91`	`return null;`
	`92`	`}`
	`93`
	`94`	`// IPv4 checks`
0	`95`	`var ipBytes = resolved.GetAddressBytes();`
	`96`
	`97`	`// Block 0.0.0.0 — always blocked`
0	`98`	`if (ipBytes[0] == 0 && ipBytes[1] == 0 && ipBytes[2] == 0 && ipBytes[3] == 0)`
0	`99`	`return SsoAuthorityLoopbackNotAllowed.I;`
	`100`
	`101`	`// Block entire loopback range 127.0.0.0/8 — allow in dev/testing`
0	`102`	`if (ipBytes[0] == 127)`
0	`103`	`return isDevOrTest ? null : SsoAuthorityLoopbackNotAllowed.I;`
	`104`
	`105`	`// Block entire link-local range 169.254.0.0/16 — always blocked (cloud metadata risk)`
0	`106`	`if (ipBytes[0] == 169 && ipBytes[1] == 254)`
0	`107`	`return SsoAuthorityLinkLocalNotAllowed.I;`
	`108`
	`109`	`// Block private IP ranges — allow in dev/testing`
0	`110`	`if (IsPrivateSsoIpV4(ipBytes))`
0	`111`	`return isDevOrTest ? null : SsoAuthorityPrivateIpNotAllowed.I;`
	`112`
0	`113`	`return null;`
	`114`	`}`
	`115`	`}`
	`116`
	`117`	`private static bool IsPrivateSsoIpV4(byte[] bytes)`
	`118`	`{`
0	`119`	`return bytes[0] switch`
0	`120`	`{`
0	`121`	`10 => true, // 10.0.0.0/8`
0	`122`	`172 => bytes[1] >= 16 && bytes[1] <= 31, // 172.16.0.0/12`
0	`123`	`192 => bytes[1] == 168, // 192.168.0.0/16`
0	`124`	`_ => false`
0	`125`	`};`
	`126`	`}`
	`127`
	`128`	`[GeneratedRegex(@"^[a-z0-9]([a-z0-9-][a-z0-9])?(\.[a-z0-9]([a-z0-9-][a-z0-9])?)+$")]`
	`129`	`private static partial Regex SsoDomainRegex();`
	`130`	`}`

< Summary - Syki

Metrics

File(s)

/_/Back/obj/Release/net10.0/System.Text.RegularExpressions.Generator/System.Text.RegularExpressions.Generator.RegexGenerator/RegexGenerator.g.cs

/home/runner/work/syki/syki/Back/Extensions/SsoExtensions.cs

Methods/Properties