rspec/rules/S5122/csharp/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

=== ASP.NET Core MVC

----
[HttpGet]
public string Get()
{
    Response.Headers.Add("Access-Control-Allow-Origin", "*"); // Sensitive
    Response.Headers.Add(HeaderNames.AccessControlAllowOrigin, "*"); // Sensitive
}
----

----
public void ConfigureServices(IServiceCollection services)
{
    services.AddCors(options =>
    {
        options.AddDefaultPolicy(builder =>
        {
            builder.WithOrigins("*"); // Sensitive
        });

        options.AddPolicy(name: "EnableAllPolicy", builder =>
        {
            builder.WithOrigins("*"); // Sensitive
        });

        options.AddPolicy(name: "OtherPolicy", builder =>
        {
            builder.AllowAnyOrigin(); // Sensitive
        });
    });

    services.AddControllers();
}
----

=== ASP.NET MVC

----
public class HomeController : ApiController
{
    public HttpResponseMessage Get()
    {
        var response = HttpContext.Current.Response;

        response.Headers.Add("Access-Control-Allow-Origin", "*"); // Sensitive
        response.Headers.Add(HeaderNames.AccessControlAllowOrigin, "*"); // Sensitive
        response.AppendHeader(HeaderNames.AccessControlAllowOrigin, "*"); // Sensitive
    }
}
----

----
[EnableCors(origins: "*", headers: "*", methods: "GET")] // Sensitive
public HttpResponseMessage Get() => new HttpResponseMessage()
{
    Content = new StringContent("content")
};
----

== Compliant Solution

=== ASP.NET Core MVC

----
[HttpGet]
public string Get()
{
    Response.Headers.Add("Access-Control-Allow-Origin", "https://trustedwebsite.com"); // Safe
    Response.Headers.Add(HeaderNames.AccessControlAllowOrigin, "https://trustedwebsite.com"); // Safe
}
----

----
public void ConfigureServices(IServiceCollection services)
{
    services.AddCors(options =>
    {
        options.AddDefaultPolicy(builder =>
        {
            builder.WithOrigins("https://trustedwebsite.com", "https://anothertrustedwebsite.com"); // Safe
        });

        options.AddPolicy(name: "EnableAllPolicy", builder =>
        {
            builder.WithOrigins("https://trustedwebsite.com"); // Safe
        });
    });

    services.AddControllers();
}
----

=== ASP.Net MVC


----
public class HomeController : ApiController
{
    public HttpResponseMessage Get()
    {
        var response = HttpContext.Current.Response;

        response.Headers.Add("Access-Control-Allow-Origin", "https://trustedwebsite.com");
        response.Headers.Add(HeaderNames.AccessControlAllowOrigin, "https://trustedwebsite.com");
        response.AppendHeader(HeaderNames.AccessControlAllowOrigin, "https://trustedwebsite.com");
    }
}
----

----
[EnableCors(origins: "https://trustedwebsite.com", headers: "*", methods: "GET")]
public HttpResponseMessage Get() => new HttpResponseMessage()
{
    Content = new StringContent("content")
};
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]
'''
== Comments And Links
(visible only on this page)

include::comments-and-links.adoc[]
endif::env-github,rspecator-view[]
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`include::../description.adoc[]`

			`include::../ask-yourself.adoc[]`

			`include::../recommended.adoc[]`

			`== Sensitive Code Example`

RULEAPI-564 fix quoted in-line code 2021-01-27 12:06:36 +01:00			`=== ASP.NET Core MVC`

			`----`
			`[HttpGet]`
			`public string Get()`
			`{`
			`Response.Headers.Add("Access-Control-Allow-Origin", "*"); // Sensitive`
			`Response.Headers.Add(HeaderNames.AccessControlAllowOrigin, "*"); // Sensitive`
			`}`
			`----`

			`----`
			`public void ConfigureServices(IServiceCollection services)`
			`{`
			`services.AddCors(options =>`
			`{`
			`options.AddDefaultPolicy(builder =>`
			`{`
			`builder.WithOrigins("*"); // Sensitive`
			`});`

			`options.AddPolicy(name: "EnableAllPolicy", builder =>`
			`{`
			`builder.WithOrigins("*"); // Sensitive`
			`});`

			`options.AddPolicy(name: "OtherPolicy", builder =>`
			`{`
			`builder.AllowAnyOrigin(); // Sensitive`
			`});`
			`});`

			`services.AddControllers();`
			`}`
			`----`

			`=== ASP.NET MVC`

			`----`
			`public class HomeController : ApiController`
			`{`
			`public HttpResponseMessage Get()`
			`{`
			`var response = HttpContext.Current.Response;`

			`response.Headers.Add("Access-Control-Allow-Origin", "*"); // Sensitive`
			`response.Headers.Add(HeaderNames.AccessControlAllowOrigin, "*"); // Sensitive`
			`response.AppendHeader(HeaderNames.AccessControlAllowOrigin, "*"); // Sensitive`
			`}`
			`}`
			`----`

Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`----`
RULEAPI-564 fix quoted in-line code 2021-01-27 12:06:36 +01:00			`[EnableCors(origins: "", headers: "", methods: "GET")] // Sensitive`
			`public HttpResponseMessage Get() => new HttpResponseMessage()`
			`{`
			`Content = new StringContent("content")`
			`};`
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`----`

			`== Compliant Solution`

RULEAPI-564 fix quoted in-line code 2021-01-27 12:06:36 +01:00			`=== ASP.NET Core MVC`

			`----`
			`[HttpGet]`
			`public string Get()`
			`{`
			`Response.Headers.Add("Access-Control-Allow-Origin", "https://trustedwebsite.com"); // Safe`
			`Response.Headers.Add(HeaderNames.AccessControlAllowOrigin, "https://trustedwebsite.com"); // Safe`
			`}`
Add coveredLanguages field 2021-01-29 15:53:23 +01:00			`----`

RULEAPI-564 fix quoted in-line code 2021-01-27 12:06:36 +01:00			`----`
			`public void ConfigureServices(IServiceCollection services)`
			`{`
			`services.AddCors(options =>`
			`{`
			`options.AddDefaultPolicy(builder =>`
			`{`
			`builder.WithOrigins("https://trustedwebsite.com", "https://anothertrustedwebsite.com"); // Safe`
			`});`

			`options.AddPolicy(name: "EnableAllPolicy", builder =>`
			`{`
			`builder.WithOrigins("https://trustedwebsite.com"); // Safe`
			`});`
			`});`

			`services.AddControllers();`
			`}`
			`----`
Add coveredLanguages field 2021-01-29 15:53:23 +01:00
			`=== ASP.Net MVC`

Enable forced linebreaks in quotes; escape -- in url 2021-02-02 16:54:43 +01:00
RULEAPI-564 fix quoted in-line code 2021-01-27 12:06:36 +01:00			`----`
			`public class HomeController : ApiController`
			`{`
			`public HttpResponseMessage Get()`
			`{`
			`var response = HttpContext.Current.Response;`

			`response.Headers.Add("Access-Control-Allow-Origin", "https://trustedwebsite.com");`
			`response.Headers.Add(HeaderNames.AccessControlAllowOrigin, "https://trustedwebsite.com");`
			`response.AppendHeader(HeaderNames.AccessControlAllowOrigin, "https://trustedwebsite.com");`
			`}`
			`}`
			`----`
Add coveredLanguages field 2021-01-29 15:53:23 +01:00
RULEAPI-564 fix quoted in-line code 2021-01-27 12:06:36 +01:00			`----`
Add coveredLanguages field 2021-01-29 15:53:23 +01:00			`[EnableCors(origins: "https://trustedwebsite.com", headers: "*", methods: "GET")]`
RULEAPI-564 fix quoted in-line code 2021-01-27 12:06:36 +01:00			`public HttpResponseMessage Get() => new HttpResponseMessage()`
			`{`
			`Content = new StringContent("content")`
			`};`
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`----`

			`include::../see.adoc[]`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

			`include::comments-and-links.adoc[]`
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`