
fix: reject http:// URLs in PostGuardConfig to prevent plaintext credential leaks #15

Merged
rubenhensen merged 1 commit into main from fix/validate-https-urls on May 12, 2026

Conversation

dobby-coder (Bot, Contributor) commented May 11, 2026

Summary

  • Validate PkgUrl and CryptifyUrl are absolute https:// URLs in PostGuard's constructor; throw ArgumentException otherwise.
  • Add opt-in AllowInsecureUrls (default false) to permit http://localhost for local development and testing.
  • Add an xUnit test project (tests/E4A.PostGuard.Tests) covering the rejection path (http, ftp, ws, relative, empty), the happy path, and the escape hatch.

Why

Closes #14. PostGuardConfig previously accepted any string for the URLs. A caller misconfigured with http://pkg.postguard.eu (typo, leaked dev config, etc.) would send their PostGuard API key as a Bearer token over plaintext — exactly the failure mode an IBE SDK should fail closed on.

Test plan

  • dotnet build E4A.PostGuard.slnx --configuration Release — green locally
  • dotnet test E4A.PostGuard.slnx --configuration Release — 13/13 pass
  • CI green on this PR

Notes

  • CI's build.yml does not currently invoke dotnet test. The bot doesn't have the workflows permission to update it in this PR; a follow-up will wire the test step in.
  • Behaviour change: any caller currently passing an http:// URL will now hit ArgumentException on new PostGuard(config). The README only documents the production https:// URL, so this should be an empty set in practice — but worth flagging.

Reviewer quickstart

git fetch origin && git checkout fix/validate-https-urls && dotnet test E4A.PostGuard.slnx --configuration Release
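The https-only check the summary describes, as an added C# illustration and not the merged PostGuard code; the validator class and method names are assumed, and since the summary does not say whether AllowInsecureUrls admits any http:// host or only localhost, this version accepts any http:// URL once the flag is set.

```csharp
using System;

// Assumed shape of the config; only PkgUrl, CryptifyUrl and AllowInsecureUrls
// are named in the PR, the rest is illustrative.
public sealed class PostGuardConfig
{
    public string PkgUrl { get; set; } = "";
    public string CryptifyUrl { get; set; } = "";
    public string ApiKey { get; set; } = "";
    public bool AllowInsecureUrls { get; set; } = false;
}

public static class PostGuardConfigValidator
{
    // Returns the parsed URI when acceptable; throws ArgumentException otherwise,
    // so a misconfigured client fails closed before any request carries the key.
    public static Uri RequireSecureUrl(string value, string paramName, bool allowInsecure)
    {
        if (string.IsNullOrWhiteSpace(value))
            throw new ArgumentException($"{paramName} must not be empty.", paramName);

        // Relative URLs (e.g. "/v2/parameters") have no scheme and fail here.
        if (!Uri.TryCreate(value, UriKind.Absolute, out var uri))
            throw new ArgumentException($"{paramName} must be an absolute URL: '{value}'.", paramName);

        if (uri.Scheme == Uri.UriSchemeHttps)
            return uri;

        // Escape hatch: only http://, and only when the caller opted in explicitly.
        if (uri.Scheme == Uri.UriSchemeHttp && allowInsecure)
            return uri;

        // http:// without opt-in, and every other scheme (ftp, ws, ...), are rejected:
        // the Bearer token would otherwise be sent in plaintext.
        throw new ArgumentException(
            $"{paramName} must use https:// (got '{uri.Scheme}://'). " +
            "Set AllowInsecureUrls = true only for local development.", paramName);
    }

    // Called from the PostGuard constructor in the PR; here a free-standing helper.
    public static void Validate(PostGuardConfig config)
    {
        RequireSecureUrl(config.PkgUrl, nameof(config.PkgUrl), config.AllowInsecureUrls);
        RequireSecureUrl(config.CryptifyUrl, nameof(config.CryptifyUrl), config.AllowInsecureUrls);
    }
}
```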

Reject non-https URLs in the PostGuard constructor to prevent the SDK from
sending API keys and signing keys over plaintext connections after a config
typo. Add AllowInsecureUrls opt-in for local development against
http://localhost.

Closes #14

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
dobby-coder (Bot) requested a review from rubenhensen, May 11, 2026 22:53
dobby-coder (Bot) marked this pull request as ready for review, May 11, 2026 22:53
dobby-coder (Bot) marked this pull request as draft, May 11, 2026 22:53
rubenhensen marked this pull request as ready for review, May 12, 2026 07:18
rubenhensen merged commit 3fac2a8 into main, May 12, 2026
1 check passed
rubenhensen deleted the fix/validate-https-urls branch, May 12, 2026 07:18

Linked issue (closed by this pull request): #14 PostGuardConfig accepts http:// URLs — API key would be sent in cleartext