ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S5144/csharp/rule.adoc

81 lines
2.1 KiB
Plaintext
Raw Normal View History

Add rules 5000-5999
2020-06-30 12:50:28 +02:00
include::../description.adoc[]
== Noncompliant Code Example
----
using System.IO;
using System.Net;
using Microsoft.AspNetCore.Mvc;
namespace WebApplicationDotNetCore.Controllers
{
public class RSPEC5144SSRFNoncompliantController : Controller
{
public IActionResult Index()
{
return View();
}
public IActionResult ReadContentOfURL(string url)
{
HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url); // Noncompliant
HttpWebResponse response = (HttpWebResponse)request.GetResponse();
Stream dataStream = response.GetResponseStream();
StreamReader reader = new StreamReader(dataStream);
string responseFromServer = reader.ReadToEnd();
reader.Close();
dataStream.Close();
response.Close();
return Content(responseFromServer);
}
}
}
----
== Compliant Solution
----
using System.Linq;
using System.IO;
using System.Net;
using Microsoft.AspNetCore.Mvc;
namespace WebApplicationDotNetCore.Controllers
{
public class RSPEC5144SSRFCompliantController : Controller
{
public IActionResult Index()
{
return View();
}
private readonly string[] whiteList = { "https://www.sonarsource.com" };
public IActionResult ReadContentOfURL(string url)
{
// Match the incoming URL against a whitelist
if (!whiteList.Contains(url))
{
return BadRequest();
}
HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url); // Noncompliant
HttpWebResponse response = (HttpWebResponse)request.GetResponse();
Stream dataStream = response.GetResponseStream();
StreamReader reader = new StreamReader(dataStream);
string responseFromServer = reader.ReadToEnd();
reader.Close();
dataStream.Close();
response.Close();
return Content(responseFromServer);
}
}
}
----
include::../see.adoc[]
Reference in New Issue Copy Permalink