Modify rule S5146: Add fix for Blazor (APPSEC-1905) (#4128)

Co-authored-by: Thomas Serre <118730793+thomas-serre-sonarsource@users.noreply.github.com>
2024-09-02 14:56:08 +02:00 · 2024-09-02 14:56:08 +02:00 · 58f256f85c
commit 58f256f85c
parent 22b1c621ad
2 changed files with 52 additions and 0 deletions
--- a/rules/S5146/csharp/how-to-fix-it/blazor.adoc
+++ b/rules/S5146/csharp/how-to-fix-it/blazor.adoc
@ -0,0 +1,50 @@
+== How to fix it in Blazor
+
+=== Code examples
+
+include::../../common/fix/code-rationale.adoc[]
+
+==== Noncompliant code example
+
+[source,csharp,diff-id=2,diff-type=noncompliant]
+----
+@page "/"
+@inject NavigationManager Navigation
+
+@code {
+    [SupplyParameterFromQuery]
+    private String url {get ; set; }
+
+    protected override void OnInitialized() {
+        Navigation.NavigateTo(url);
+    }
+}
+----
+
+==== Compliant solution
+
+[source,csharp,diff-id=2,diff-type=compliant]
+----
+@page "/"
+@inject NavigationManager Navigation
+
+@code {
+    [SupplyParameterFromQuery]
+    private String url {get ; set; }
+
+    private readonly string[] allowedUrls = { "/", "/login", "/logout" };
+
+    protected override void OnInitialized() {
+        if (allowedUrls.Contains(url))
+        {
+          Navigation.NavigateTo(url);
+        }
+    }
+}
+----
+
+include::../../common/fix/how-does-this-work.adoc[]
+
+=== Pitfalls
+
+include::../../common/pitfalls/starts-with.adoc[]
--- a/rules/S5146/csharp/rule.adoc
+++ b/rules/S5146/csharp/rule.adoc
@ -8,6 +8,8 @@ include::../impact.adoc[]

 include::how-to-fix-it/dotnet.adoc[]

+include::how-to-fix-it/blazor.adoc[]
+
 == Resources

 include::../common/resources/standards.adoc[]