
twilio security not working on my .net core 3.0/3.1 application properly

Open KamranShahid opened this issue 5 years ago • 19 comments

I have implemented validation as per https://www.twilio.com/docs/usage/tutorials/how-to-secure-your-csharp-aspnet-core-app-by-validating-incoming-twilio-requests

I have my .NET Core 3.0 application where the callback URL is like https://mydomain.com:81/Twilio/TwilioAction

The request validator seems to always fail validation.

Same code with my other deployment where my address is like https://myotherdomain.com/Twilio/TwilioAction is working fine.

It looks like it is due to the following implementation in the Twilio RequestValidator:

```csharp
private string RemovePort(UriBuilder uri)
{
    // UriBuilder.ToString() will not display the port
    // if the Port property is set to -1
    uri.Port = -1;
    return uri.ToString();
}

private string AddPort(UriBuilder uri)
{
    if (uri.Port != -1)
    {
        return uri.ToString();
    }
    uri.Port = uri.Scheme == "https" ? 443 : 80;
    return uri.ToString();
}
```

I have even upgraded to release 5.37.1 but the issue still exists.

KamranShahid avatar Dec 10 '19 08:12 KamranShahid

Hello @KamranShahid,

Thanks for bringing this to our attention!

This issue has been added to our internal backlog to be prioritized. Pull requests and +1s on the issue summary will help it move up the backlog.

With best regards,

Elmer

thinkingserious avatar Dec 11 '19 15:12 thinkingserious

What sort of callback is this not working for?

childish-sambino avatar Dec 11 '19 16:12 childish-sambino

This is request validation as per the recommendation from Twilio.

KamranShahid avatar Dec 11 '19 17:12 KamranShahid

Yes, but which particular webhook is the request validation failing for? SMS, Voice, Conference, or something else?

childish-sambino avatar Dec 11 '19 18:12 childish-sambino

SMS

KamranShahid avatar Dec 11 '19 18:12 KamranShahid

If someone can hint at what change I would make in https://github.com/twilio/twilio-csharp/blob/master/src/Twilio/Security/RequestValidator.cs then I will try it out locally in my project.

KamranShahid avatar Dec 12 '19 17:12 KamranShahid

I don't know yet what the change would be. The line you've highlighted about adding a default port only applies if the URL doesn't contain a port, which in your case it should.

You can try debugging by seeing if the URL being fed into the validator matches the URL exactly as you've configured it in your SMS webhook.

childish-sambino avatar Dec 12 '19 17:12 childish-sambino

> I don't know yet what the change would be. The line you've highlighted about adding a default port only applies if the URL doesn't contain a port, which in your case it should.
>
> You can try debugging by seeing if the URL being fed into the validator matches the URL exactly as you've configured it in your SMS webhook.

Then I might have to check how the value computed from my token with my URL/form elements compares to the one expected in X-Twilio-Signature with my token. I did this quite a while back and it looks like I need to do it again :(

KamranShahid avatar Dec 12 '19 19:12 KamranShahid

I would ignore the token for now and just focus on the first part: does the URL (protocol, host, port) being fed into the validator match what's configured in the SMS webhook?

childish-sambino avatar Dec 12 '19 19:12 childish-sambino

My URL in the webhook is like https://mysite.com:81/twilio/mytwilioaction; as per the above: protocol https, host mysite.com, port 81.

Please try out this type of URL.

KamranShahid avatar Dec 12 '19 19:12 KamranShahid

There are unit tests that verify such URLs. What I'm asking is what URL is actually being fed into the validator? From the validation example, the code looks like this:

```csharp
private static string RequestRawUrl(HttpRequest request)
{
    return $"{request.Scheme}://{request.Host}{request.Path}{request.QueryString}";
}
```

Is this what your code is doing? If so, what's the result?

childish-sambino avatar Dec 12 '19 19:12 childish-sambino
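The debugging step suggested above (check whether the URL the app reconstructs is the one the signature was computed over) can be done outside the library. The following is an added example, not code from twilio-csharp or from anyone in this thread. It reimplements Twilio's documented signing scheme (HMAC-SHA1 keyed with the auth token over the full URL plus the POST parameters sorted by key and appended as key+value, Base64-encoded), then tells you which spelling of the URL, as reconstructed, without a port, or with the port written out explicitly, a received X-Twilio-Signature header actually matches. The auth token, form body and URLs below are constructed placeholders, and the host is assumed to be a hostname or IPv4 address rather than an IPv6 literal.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Added example (not twilio-csharp's own code): recomputes the documented
// Twilio webhook signature and reports which spelling of the request URL,
// if any, the received X-Twilio-Signature header was computed over.
public static class WebhookSignatureDiagnostic
{
    // Twilio's documented scheme: HMAC-SHA1 keyed with the account auth token
    // over the full webhook URL followed by every POST parameter, sorted by
    // key, appended as key+value with no separators; the result is Base64.
    public static string ComputeSignature(string authToken, string url,
                                          IDictionary<string, string> formParams)
    {
        var data = new StringBuilder(url);
        if (formParams != null)
        {
            foreach (var kv in formParams.OrderBy(p => p.Key, StringComparer.Ordinal))
            {
                data.Append(kv.Key).Append(kv.Value);
            }
        }
        using (var hmac = new HMACSHA1(Encoding.UTF8.GetBytes(authToken)))
        {
            byte[] mac = hmac.ComputeHash(Encoding.UTF8.GetBytes(data.ToString()));
            return Convert.ToBase64String(mac);
        }
    }

    // The three spellings that matter when the port is in question: the URL as
    // the app reconstructed it, the host without any port, and the host with the
    // port written out explicitly (Uri.Port yields 443/80 when none is given).
    // Assumes a hostname or IPv4 host, not an IPv6 literal.
    public static IReadOnlyList<string> UrlVariants(string url)
    {
        var uri = new Uri(url);
        string rest = uri.PathAndQuery;   // the query string is part of the signed data
        string noPort = $"{uri.Scheme}://{uri.Host}{rest}";
        string explicitPort = $"{uri.Scheme}://{uri.Host}:{uri.Port}{rest}";
        return new[] { url, noPort, explicitPort }.Distinct().ToList();
    }

    // Returns the URL variant whose signature matches the header, or null.
    // The comparison is constant-time, so this can stay in production code.
    public static string MatchingVariant(string authToken, string url,
                                         IDictionary<string, string> formParams,
                                         string receivedSignature)
    {
        byte[] received = Encoding.UTF8.GetBytes(receivedSignature ?? "");
        foreach (string candidate in UrlVariants(url))
        {
            byte[] expected = Encoding.UTF8.GetBytes(ComputeSignature(authToken, candidate, formParams));
            if (CryptographicOperations.FixedTimeEquals(expected, received))
            {
                return candidate;
            }
        }
        return null;
    }

    public static void Main()
    {
        // Constructed values: a placeholder auth token and a small SMS-style form body.
        const string authToken = "PLACEHOLDER_AUTH_TOKEN";
        var form = new Dictionary<string, string>
        {
            ["From"] = "+15550000001",
            ["To"] = "+15550000002",
            ["Body"] = "hello",
        };

        // Simulate Twilio signing against the webhook exactly as configured in the
        // console, with the explicit port 81 (placeholder URL from this thread).
        string configured = "https://mydomain.com:81/Twilio/TwilioAction";
        string header = ComputeSignature(authToken, configured, form);

        // Feed in the URL as RequestRawUrl would rebuild it, with and without the port.
        foreach (string reconstructed in new[] {
                     "https://mydomain.com:81/Twilio/TwilioAction",
                     "https://mydomain.com/Twilio/TwilioAction" })
        {
            string match = MatchingVariant(authToken, reconstructed, form, header);
            Console.WriteLine($"{reconstructed} -> " +
                              (match == null ? "no variant matches" : $"signed over {match}"));
        }
    }
}
```

Run it once with the header value and form body from a real failing request (logged on the server, with the auth token kept out of the log) in place of the constructed ones: if `MatchingVariant` returns the no-port or explicit-port spelling rather than the URL the app passed in, the mismatch is in how the URL is reconstructed, not in the token or the form parameters; if it returns null for every spelling, look at the token and the parameter encoding next.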

Yes, it is exactly like this, and it is even working for my URLs like https://mysite.com/twilio/mytwilioaction but not for https://mysite.com:81/twilio/mytwilioaction.

I know about this validation and even did it in one of my old ASP.NET WCF applications.

KamranShahid avatar Dec 12 '19 19:12 KamranShahid

Any update on this issue?

KamranShahid avatar Dec 19 '19 11:12 KamranShahid

I've not had a chance to come back to this yet to try to recreate what's going on here.

childish-sambino avatar Dec 20 '19 20:12 childish-sambino

> I've not had a chance to come back to this yet to try to recreate what's going on here.

Ok Sambino

KamranShahid avatar Dec 21 '19 18:12 KamranShahid

I'm having the same issue with the code Twilio provides for .NET Core request validation.

It fails every time.

yroush avatar Dec 26 '19 22:12 yroush

> I'm having the same issue with the code Twilio provides for .NET Core request validation.
>
> It fails every time.

Give some details. What's the callback URL? Is it https or http?

KamranShahid avatar Dec 27 '19 06:12 KamranShahid

> I'm having the same issue with the code Twilio provides for .NET Core request validation. It fails every time.

> Give some details. What's the callback URL? Is it https or http?

HTTP callback URL.

I tried hosting that url on both port 80 and another port, but the request validator still does not work.

The RequestRawURL function works properly, so I at least know that it isn't part of the problem.

yroush avatar Dec 27 '19 22:12 yroush

Spent a few hours now trying to figure this out, and I also cannot get Twilio's signature validation library to work on .NET 3.x. Using Twilio 5.39.0 on .NET 3.x.

winzig avatar Sep 25 '20 02:09 winzig