rspec/rules/S5144/csharp/how-to-fix-it/dotnet.adoc

=== How to fix it in ASP.NET

include::../../common/fix/code-rationale.adoc[]

==== Noncompliant code example

[source,csharp,diff-id=1,diff-type=noncompliant]
----
using System.Web;
using System.Web.Mvc;

public class ExampleController: Controller
{
    [HttpGet]
    public IActionResult ImageFetch(string location)
    {
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(location);

        return Ok();
    }
}
----

==== Compliant solution

[source,csharp,diff-id=1,diff-type=compliant]
----
using System.Web;
using System.Web.Mvc;

public class ExampleController: Controller
{
    private readonly string[] allowedSchemes = { "https" };
    private readonly string[] allowedDomains = { "trusted1.example.com", "trusted2.example.com" };

    [HttpGet]
    public IActionResult ImageFetch(string location)
    {
        Uri uri = new Uri(location);

        if (!allowedDomains.Contains(uri.Host) && !allowedSchemes.Contains(uri.Scheme))
        {
            return BadRequest();
        }

        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(uri);

        return Ok();
    }
}
----

include::../../common/fix/how-does-this-work.adoc[]

The compliant code example uses such an approach.

=== Pitfalls

include::../../common/pitfalls/starts-with.adoc[]
[APPSEC-90] Modify rule S5144: Educational content (#1205) 2022-09-01 17:36:53 +02:00			`=== How to fix it in ASP.NET`

			`include::../../common/fix/code-rationale.adoc[]`

Education text Fix (#1338) 2022-10-18 16:03:10 +02:00			`==== Noncompliant code example`
Modify All Current Education Rules: Support intuitive view (#1256) 2022-09-15 10:28:08 +02:00
			`[source,csharp,diff-id=1,diff-type=noncompliant]`
[APPSEC-90] Modify rule S5144: Educational content (#1205) 2022-09-01 17:36:53 +02:00			`----`
			`using System.Web;`
			`using System.Web.Mvc;`

Modify rule S5144[Python]: Change text to the education framework format (APPSEC-285) (#1401) 2022-11-23 17:38:23 +01:00			`public class ExampleController: Controller`
[APPSEC-90] Modify rule S5144: Educational content (#1205) 2022-09-01 17:36:53 +02:00			`{`
			`[HttpGet]`
			`public IActionResult ImageFetch(string location)`
			`{`
Modify All Current Education Rules: Support intuitive view (#1256) 2022-09-15 10:28:08 +02:00			`HttpWebRequest request = (HttpWebRequest)WebRequest.Create(location);`
[APPSEC-90] Modify rule S5144: Educational content (#1205) 2022-09-01 17:36:53 +02:00
			`return Ok();`
			`}`
			`}`
			`----`
Modify All Current Education Rules: Support intuitive view (#1256) 2022-09-15 10:28:08 +02:00
			`==== Compliant solution`

			`[source,csharp,diff-id=1,diff-type=compliant]`
[APPSEC-90] Modify rule S5144: Educational content (#1205) 2022-09-01 17:36:53 +02:00			`----`
			`using System.Web;`
			`using System.Web.Mvc;`

Modify rule S5144[Python]: Change text to the education framework format (APPSEC-285) (#1401) 2022-11-23 17:38:23 +01:00			`public class ExampleController: Controller`
[APPSEC-90] Modify rule S5144: Educational content (#1205) 2022-09-01 17:36:53 +02:00			`{`
Modify rule S5144[Python]: Change text to the education framework format (APPSEC-285) (#1401) 2022-11-23 17:38:23 +01:00			`private readonly string[] allowedSchemes = { "https" };`
			`private readonly string[] allowedDomains = { "trusted1.example.com", "trusted2.example.com" };`
[APPSEC-90] Modify rule S5144: Educational content (#1205) 2022-09-01 17:36:53 +02:00
			`[HttpGet]`
			`public IActionResult ImageFetch(string location)`
			`{`
			`Uri uri = new Uri(location);`

Modify rule S5144[Python]: Change text to the education framework format (APPSEC-285) (#1401) 2022-11-23 17:38:23 +01:00			`if (!allowedDomains.Contains(uri.Host) && !allowedSchemes.Contains(uri.Scheme))`
[APPSEC-90] Modify rule S5144: Educational content (#1205) 2022-09-01 17:36:53 +02:00			`{`
			`return BadRequest();`
			`}`

			`HttpWebRequest request = (HttpWebRequest)WebRequest.Create(uri);`

			`return Ok();`
			`}`
			`}`
			`----`

Modify All Current Education Rules: Support intuitive view (#1256) 2022-09-15 10:28:08 +02:00			`include::../../common/fix/how-does-this-work.adoc[]`
Modify Education Rules S514{4,6}: Add trailing slash pitfall (#1262) 2022-09-15 14:25:49 +02:00
Modify rule S5144[Python]: Change text to the education framework format (APPSEC-285) (#1401) 2022-11-23 17:38:23 +01:00			`The compliant code example uses such an approach.`

Modify Education Rules S514{4,6}: Add trailing slash pitfall (#1262) 2022-09-15 14:25:49 +02:00			`=== Pitfalls`

			`include::../../common/pitfalls/starts-with.adoc[]`