rspec/rules/S2083/csharp/rule.adoc

include::../description.adoc[]

== Noncompliant Code Example

----
using System;
using Microsoft.AspNetCore.Mvc;

namespace WebApplicationDotNetCore.Controllers
{
    public class RSPEC2083IOInjectionNoncompliantController : Controller
    {
        public IActionResult Index()
        {
            return View();
        }

        public IActionResult DeleteFile(string fileName)
        {
            System.IO.File.Delete(fileName); // Noncompliant

            return Content("File " + fileName + " deleted");
        }
    }
}
----

== Compliant Solution

----
using System;
using System.IO;
using Microsoft.AspNetCore.Mvc;

namespace WebApplicationDotNetCore.Controllers
{
    public class RSPEC2083IOInjectionCompliantController : Controller
    {
        public IActionResult Index()
        {
            return View();
        }

        public IActionResult DeleteFile(string fileName)
        {
            string destDirectory = "~/CustomersData/";

            string destFileName = Path.GetFullPath(System.IO.Path.Combine(destDirectory, fileName));
            string fullDestDirPath = Path.GetFullPath(destDirectory + Path.DirectorySeparatorChar);

            if (!destFileName.StartsWith(fullDestDirPath, StringComparison.Ordinal))
            {
                System.IO.File.Delete(destFileName); // Compliant
                return Content("File " + fileName + " deleted");
            } else
            {
                return BadRequest();
            }
        }

    }
}
----

include::../see.adoc[]
Add rules 2000-2999 2020-06-30 12:48:07 +02:00			`include::../description.adoc[]`

			`== Noncompliant Code Example`

			`----`
			`using System;`
			`using Microsoft.AspNetCore.Mvc;`

			`namespace WebApplicationDotNetCore.Controllers`
			`{`
			`public class RSPEC2083IOInjectionNoncompliantController : Controller`
			`{`
			`public IActionResult Index()`
			`{`
			`return View();`
			`}`

			`public IActionResult DeleteFile(string fileName)`
			`{`
			`System.IO.File.Delete(fileName); // Noncompliant`

			`return Content("File " + fileName + " deleted");`
			`}`
			`}`
			`}`
			`----`

			`== Compliant Solution`

			`----`
			`using System;`
			`using System.IO;`
			`using Microsoft.AspNetCore.Mvc;`

			`namespace WebApplicationDotNetCore.Controllers`
			`{`
			`public class RSPEC2083IOInjectionCompliantController : Controller`
			`{`
			`public IActionResult Index()`
			`{`
			`return View();`
			`}`

			`public IActionResult DeleteFile(string fileName)`
			`{`
			`string destDirectory = "~/CustomersData/";`

			`string destFileName = Path.GetFullPath(System.IO.Path.Combine(destDirectory, fileName));`
			`string fullDestDirPath = Path.GetFullPath(destDirectory + Path.DirectorySeparatorChar);`

			`if (!destFileName.StartsWith(fullDestDirPath, StringComparison.Ordinal))`
			`{`
			`System.IO.File.Delete(destFileName); // Compliant`
			`return Content("File " + fileName + " deleted");`
			`} else`
			`{`
			`return BadRequest();`
			`}`
			`}`

			`}`
			`}`
			`----`

			`include::../see.adoc[]`