From 9a69be445d18f4205811fc6ea000ccfb27f8e07a Mon Sep 17 00:00:00 2001
From: Stephan van Rooij <1292510+svrooij@users.noreply.github.com>
Date: Sun, 26 Jan 2025 14:53:24 +0100
Subject: [PATCH 1/2] Throw error on `https://` and `http://` prefix if present in allowed host value Fixes #201 Add error handling for 'https://' and 'http://' prefixes in allowed host values. * Modify `AllowedHostsValidator` class in `packages/abstractions/kiota_abstractions/authentication/allowed_hosts_validator.py` to throw a `ValueError` if any allowed host contains 'https://' or 'http://' prefix. * Add a check in the `__init__` method and `set_allowed_hosts` method to throw a `ValueError` if any allowed host contains 'https://' or 'http://' prefix. * Add tests in `packages/abstractions/tests/authentication/test_api_key_authentication_provider.py` to verify that a `ValueError` is thrown when 'https://' or 'http://' prefix is present in allowed host value. --- For more details, open the [Copilot Workspace session](https://copilot-workspace.githubnext.com/microsoft/kiota-python/issues/201?shareId=XXXX-XXXX-XXXX-XXXX).
---
 .../authentication/allowed_hosts_validator.py | 9 +++++++++
 .../test_api_key_authentication_provider.py | 14 ++++++++++++++
 2 files changed, 23 insertions(+)
diff --git a/packages/abstractions/kiota_abstractions/authentication/allowed_hosts_validator.py b/packages/abstractions/kiota_abstractions/authentication/allowed_hosts_validator.py
index 8858efaf..5e719970 100644
--- a/packages/abstractions/kiota_abstractions/authentication/allowed_hosts_validator.py
+++ b/packages/abstractions/kiota_abstractions/authentication/allowed_hosts_validator.py
@@ -16,6 +16,10 @@ def __init__(self, allowed_hosts: list[str]) -> None:
         if not isinstance(allowed_hosts, list):
             raise TypeError("Allowed hosts must be a list of strings")
 
+        for host in allowed_hosts:
+            if host.startswith("https://") or host.startswith("http://"):
+                raise ValueError("Allowed host value cannot contain 'https://' or 'http://' prefix")
+
         self.allowed_hosts: set[str] = {x.lower() for x in allowed_hosts}
 
     def get_allowed_hosts(self) -> list[str]:
@@ -35,6 +39,11 @@ def set_allowed_hosts(self, allowed_hosts: list[str]) -> None:
         """
         if not isinstance(allowed_hosts, list):
             raise TypeError("Allowed hosts must be a list of strings")
+
+        for host in allowed_hosts:
+            if host.startswith("https://") or host.startswith("http://"):
+                raise ValueError("Allowed host value cannot contain 'https://' or 'http://' prefix")
+
         self.allowed_hosts = {x.lower() for x in allowed_hosts}
 
     def is_url_host_valid(self, url: str) -> bool:
diff --git a/packages/abstractions/tests/authentication/test_api_key_authentication_provider.py b/packages/abstractions/tests/authentication/test_api_key_authentication_provider.py
index 68d8c488..497cbf08 100644
--- a/packages/abstractions/tests/authentication/test_api_key_authentication_provider.py
+++ b/packages/abstractions/tests/authentication/test_api_key_authentication_provider.py
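Review bot: The prefix check added in the `@@ -16` hunk is case-sensitive while the line right after it lowercases every host, so a value such as `["HTTPS://example.com"]` passes the new guard and is stored as `https://example.com`, which a hostname comparison in `is_url_host_valid` would presumably never match — exactly the silent misconfiguration #201 is meant to surface; normalize before testing, `if host.lower().startswith(("https://", "http://")):`. The same loop is repeated verbatim in the `@@ -35` hunk for `set_allowed_hosts`; having `__init__` call `self.set_allowed_hosts(allowed_hosts)`, or routing both through one private helper, keeps the two paths from drifting. A scheme-agnostic test such as `"://" in host` would also reject other pasted URLs, though that goes beyond what the issue asks for. Both `__init__` and `set_allowed_hosts` start outside their hunks.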
@@ -59,3 +59,17 @@ async def test_header_location_authentication(mock_request_information):
     await provider.authenticate_request(mock_request_information)
     assert "api_key" in mock_request_information.request_headers
     assert mock_request_information.headers.get("api_key") == {"test_key_string"}
+
+
+def test_https_prefix_in_allowed_host():
+    with pytest.raises(ValueError, match="Allowed host value cannot contain 'https://' or 'http://' prefix"):
+        ApiKeyAuthenticationProvider(
+            KeyLocation.Header, "test_key_string", "api_key", ["https://example.com"]
+        )
+
+
+def test_http_prefix_in_allowed_host():
+    with pytest.raises(ValueError, match="Allowed host value cannot contain 'https://' or 'http://' prefix"):
+        ApiKeyAuthenticationProvider(
+            KeyLocation.Header, "test_key_string", "api_key", ["http://example.com"]
+        )
From 0768fde1585da423a8e142830d4c57ea2ea39c65 Mon Sep 17 00:00:00 2001
From: Stephan van Rooij <1292510+svrooij@users.noreply.github.com>
Date: Tue, 28 Jan 2025 13:40:25 +0000
Subject: [PATCH 2/2] fix(abstractions): Adjusted allowed_hosts in test to match requirements
---
 .../authentication/test_api_key_authentication_provider.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/abstractions/tests/authentication/test_api_key_authentication_provider.py b/packages/abstractions/tests/authentication/test_api_key_authentication_provider.py
index 497cbf08..3b00ce52 100644
--- a/packages/abstractions/tests/authentication/test_api_key_authentication_provider.py
+++ b/packages/abstractions/tests/authentication/test_api_key_authentication_provider.py
@@ -2,7 +2,7 @@
 
 from kiota_abstractions.authentication import ApiKeyAuthenticationProvider, AuthenticationProvider, KeyLocation
 
-allowed_hosts = ["https://example.com"]
+allowed_hosts = ["example.com"]
 
 
 def test_initialization():
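Review bot: The two tests added in the `@@ -59` hunk differ only in the host literal, and neither covers a mixed-case prefix such as `HTTPS://example.com`, which the implementation's plain `startswith` check does not normalize even though the hosts are lowercased afterwards; collapsing them with `@pytest.mark.parametrize("host", ["https://example.com", "http://example.com"])` and `def test_scheme_prefix_in_allowed_host(host):` passing `[host]` makes adding that case a one-token change. `pytest.raises(match=...)` treats the string as a regular expression; the message has no metacharacters today, but matching a shorter fragment or wrapping it in `re.escape(...)` keeps the tests from breaking on a harmless wording change. The validator is exercised only indirectly through `ApiKeyAuthenticationProvider` here; a direct `AllowedHostsValidator` test would pin the contract where it is implemented.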