rspec/rules/S5144/java/rule.adoc

include::../description.adoc[]

== Noncompliant Code Example

----
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
  URL url = new URL(req.getParameter("url"));
  HttpURLConnection conn = (HttpURLConnection) url.openConnection(); // Noncompliant
}
----

== Compliant Solution

----
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
  String urlWhiteListed = "https://example.com/";
  String str = req.getParameter("url");
  if (!str.startsWith(urlWhiteListed))
    throw new IOException();

  URL url2 = new URL(str);
  HttpURLConnection conn2 = (HttpURLConnection) url2.openConnection(); // compliant
}
----

include::../see.adoc[]
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`include::../description.adoc[]`

			`== Noncompliant Code Example`

			`----`
			`protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {`
			`URL url = new URL(req.getParameter("url"));`
			`HttpURLConnection conn = (HttpURLConnection) url.openConnection(); // Noncompliant`
			`}`
			`----`

			`== Compliant Solution`

			`----`
			`protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {`
			`String urlWhiteListed = "https://example.com/";`
			`String str = req.getParameter("url");`
			`if (!str.startsWith(urlWhiteListed))`
			`throw new IOException();`

			`URL url2 = new URL(str);`
			`HttpURLConnection conn2 = (HttpURLConnection) url2.openConnection(); // compliant`
			`}`
			`----`

			`include::../see.adoc[]`