rspec/rules/S5146/java/how-to-fix-it/java-se.adoc

=== How to fix it in Java SE

include::../../common/fix/code-rationale.adoc[]

[cols="a"]
|===
h| Non-compliant code example
|
[source,java]
----
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
  String location = req.getParameter("url");
  resp.sendRedirect(location); // Noncompliant
}
----
h| Compliant solution
|
[source,java]
----
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
  String location = req.getParameter("url");

  List<String> allowedHosts = new ArrayList<String>();  
  allowedHosts.add("https://trusted1.example.com/");
  allowedHosts.add("https://trusted2.example.com/");

  if (allowedHosts.contains(location))
    resp.sendRedirect(location);
}
----
|===

include::../../common/fix/how-does-this-work.adoc[]
[APPSEC-59] Modify rule S5146: Educational content (Java) (#1146) 2022-08-05 12:24:14 +02:00			`=== How to fix it in Java SE`

			`include::../../common/fix/code-rationale.adoc[]`

			`[cols="a"]`
			`\|===`
			`h\| Non-compliant code example`
			`\|`
			`[source,java]`
			`----`
			`protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {`
			`String location = req.getParameter("url");`
			`resp.sendRedirect(location); // Noncompliant`
			`}`
			`----`
			`h\| Compliant solution`
			`\|`
			`[source,java]`
			`----`
			`protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {`
			`String location = req.getParameter("url");`

			`List<String> allowedHosts = new ArrayList<String>();`
			`allowedHosts.add("https://trusted1.example.com/");`
			`allowedHosts.add("https://trusted2.example.com/");`

			`if (allowedHosts.contains(location))`
			`resp.sendRedirect(location);`
			`}`
			`----`
			`\|===`

			`include::../../common/fix/how-does-this-work.adoc[]`