rspec/rules/S5144/csharp/rule.adoc

include::../description.adoc[]

== Noncompliant Code Example

[source,csharp]
----
using System.IO;
using System.Net;
using Microsoft.AspNetCore.Mvc;

namespace WebApplicationDotNetCore.Controllers
{
    public class RSPEC5144SSRFNoncompliantController : Controller
    {
        public IActionResult Index()
        {
            return View();
        }

        public IActionResult ReadContentOfURL(string url)
        {
            HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url); // Noncompliant

            HttpWebResponse response  = (HttpWebResponse)request.GetResponse();
            Stream dataStream         = response.GetResponseStream();
            StreamReader reader       = new StreamReader(dataStream);
            string responseFromServer = reader.ReadToEnd();

            reader.Close();
            dataStream.Close();
            response.Close();
            return Content(responseFromServer);
        }
    }
}
----

== Compliant Solution

[source,csharp]
----
using System.Linq;
using System.IO;
using System.Net;
using Microsoft.AspNetCore.Mvc;

namespace WebApplicationDotNetCore.Controllers
{
    public class RSPEC5144SSRFCompliantController : Controller
    {
        public IActionResult Index()
        {
            return View();
        }

        private readonly string[] whiteList = { "www.example.com", "example.com" };

        public IActionResult ReadContentOfURL(string url)
        {
            // Extract the hostname from the URL
            URI remoteUrl     = new Uri(url);
            string remoteHost = remoteUrl.Host;

            // Match the incoming URL against a whitelist
            if (!whiteList.Contains(remoteHost))
            {
                return BadRequest();
            }

            HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);

            HttpWebResponse response  = (HttpWebResponse)request.GetResponse();
            Stream dataStream         = response.GetResponseStream();
            StreamReader reader       = new StreamReader(dataStream);
            string responseFromServer = reader.ReadToEnd();

            reader.Close();
            dataStream.Close();
            response.Close();
            return Content(responseFromServer);
        }
    }
}
----

include::../see.adoc[]
ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

include::../highlighting.adoc[]

endif::env-github,rspecator-view[]
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`include::../description.adoc[]`

			`== Noncompliant Code Example`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,csharp]`
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`----`
			`using System.IO;`
			`using System.Net;`
			`using Microsoft.AspNetCore.Mvc;`

			`namespace WebApplicationDotNetCore.Controllers`
			`{`
			`public class RSPEC5144SSRFNoncompliantController : Controller`
			`{`
			`public IActionResult Index()`
			`{`
			`return View();`
			`}`

			`public IActionResult ReadContentOfURL(string url)`
			`{`
			`HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url); // Noncompliant`

Modify S5144: Improved code samples (#719) 2022-01-17 17:57:50 +01:00			`HttpWebResponse response = (HttpWebResponse)request.GetResponse();`
			`Stream dataStream = response.GetResponseStream();`
			`StreamReader reader = new StreamReader(dataStream);`
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`string responseFromServer = reader.ReadToEnd();`

			`reader.Close();`
			`dataStream.Close();`
			`response.Close();`
			`return Content(responseFromServer);`
			`}`
			`}`
			`}`
			`----`

			`== Compliant Solution`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,csharp]`
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`----`
			`using System.Linq;`
			`using System.IO;`
			`using System.Net;`
			`using Microsoft.AspNetCore.Mvc;`

			`namespace WebApplicationDotNetCore.Controllers`
			`{`
			`public class RSPEC5144SSRFCompliantController : Controller`
			`{`
			`public IActionResult Index()`
			`{`
			`return View();`
			`}`

Modify S5144: Improved code samples (#719) 2022-01-17 17:57:50 +01:00			`private readonly string[] whiteList = { "www.example.com", "example.com" };`
Add rules 5000-5999 2020-06-30 12:50:28 +02:00
			`public IActionResult ReadContentOfURL(string url)`
			`{`
Modify S5144: Improved code samples (#719) 2022-01-17 17:57:50 +01:00			`// Extract the hostname from the URL`
			`URI remoteUrl = new Uri(url);`
			`string remoteHost = remoteUrl.Host;`

Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`// Match the incoming URL against a whitelist`
Modify S5144: Improved code samples (#719) 2022-01-17 17:57:50 +01:00			`if (!whiteList.Contains(remoteHost))`
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`{`
			`return BadRequest();`
			`}`

Modify S5144: Improved code samples (#719) 2022-01-17 17:57:50 +01:00			`HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);`
Add rules 5000-5999 2020-06-30 12:50:28 +02:00
Modify S5144: Improved code samples (#719) 2022-01-17 17:57:50 +01:00			`HttpWebResponse response = (HttpWebResponse)request.GetResponse();`
			`Stream dataStream = response.GetResponseStream();`
			`StreamReader reader = new StreamReader(dataStream);`
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`string responseFromServer = reader.ReadToEnd();`

			`reader.Close();`
			`dataStream.Close();`
			`response.Close();`
			`return Content(responseFromServer);`
			`}`
			`}`
			`}`
			`----`

			`include::../see.adoc[]`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00			`ifdef::env-github,rspecator-view[]`

			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`include::../message.adoc[]`

			`include::../highlighting.adoc[]`

			`endif::env-github,rspecator-view[]`