ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S6173/csharp/how-to-fix-it/dotnet.adoc

79 lines
1.6 KiB
Plaintext
Raw Permalink Normal View History

Create rule S6173: Reflection should not be vulnerable to injection attacks (C#), move to LaYC format (#2644) You can preview this rule [here](https://sonarsource.github.io/rspec/#/rspec/S6173/csharp) (updated a few minutes after each push). ## Review A dedicated reviewer checked the rule description successfully for: - [x] logical errors and incorrect information - [x] information gaps and missing content - [x] text style and tone - [x] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) --------- Co-authored-by: loris-s-sonarsource <loris-s-sonarsource@users.noreply.github.com> Co-authored-by: Loris Sierra <loris.sierra@sonarsource.com> Co-authored-by: Loris S <91723853+loris-s-sonarsource@users.noreply.github.com> Co-authored-by: Jamie Anderson <127742609+jamie-anderson-sonarsource@users.noreply.github.com>
2023-07-28 17:38:46 +02:00
== How to fix it in .NET
=== Code examples
include::../../common/fix/code-rationale.adoc[]
==== Noncompliant code example
[source,csharp,diff-id=1,diff-type=noncompliant]
----
public class ExampleController : Controller
{
public IActionResult Apply(string EffectName)
{
var EffectInstance = Activator.CreateInstance(null, EffectName); // Noncompliant
object EffectPlugin = EffectInstance.Unwrap();
if ( ((IEffect)EffectPlugin).ApplyFilter() )
{
return Ok();
}
else
{
return Problem();
}
}
}
public interface IEffect
{
bool ApplyFilter();
}
----
==== Compliant solution
[source,csharp,diff-id=1,diff-type=compliant]
----
public class ExampleController : Controller
{
private static readonly string[] EFFECT_ALLOW_LIST = {
"SepiaEffect",
"BlackAndWhiteEffect",
"WaterColorEffect",
"OilPaintingEffect"
};
public IActionResult Apply(string EffectName)
{
if (!EFFECT_ALLOW_LIST.Contains(EffectName))
{
return BadRequest("Invalid effect name. The effect is not allowed.");
}
var EffectInstance = Activator.CreateInstance(null, EffectName);
object EffectPlugin = EffectInstance.Unwrap();
if ( ((IEffect)EffectPlugin).ApplyFilter() )
{
return Ok();
}
else
{
return Problem();
}
}
}
public interface IEffect
{
bool ApplyFilter();
}
----
=== How does this work?
include::../../common/fix/pre-approved-list.adoc[]
Reference in New Issue Copy Permalink