== How to fix it in .NET

=== Code examples

include::../../common/fix/code-rationale.adoc[]

==== Noncompliant code example

[source,csharp,diff-id=1,diff-type=noncompliant]
----
public class ExampleController : Controller
{
    public IActionResult Apply(string EffectName)
    {
        var EffectInstance  = Activator.CreateInstance(null, EffectName); // Noncompliant
        object EffectPlugin = EffectInstance.Unwrap();

        if ( ((IEffect)EffectPlugin).ApplyFilter() )
        {
            return Ok();
        }
        else
        {
            return Problem();
        }
    }
}

public interface IEffect
{
    bool ApplyFilter();
}
----

==== Compliant solution

[source,csharp,diff-id=1,diff-type=compliant]
----
public class ExampleController : Controller
{
    private static readonly string[] EFFECT_ALLOW_LIST = { 
        "SepiaEffect",
        "BlackAndWhiteEffect",
        "WaterColorEffect",
        "OilPaintingEffect"
    };

    public IActionResult Apply(string EffectName)
    {
        if (!EFFECT_ALLOW_LIST.Contains(EffectName))
        {
            return BadRequest("Invalid effect name. The effect is not allowed.");
        }

        var EffectInstance  = Activator.CreateInstance(null, EffectName);
        object EffectPlugin = EffectInstance.Unwrap();

        if ( ((IEffect)EffectPlugin).ApplyFilter() )
        {
            return Ok();
        }
        else
        {
            return Problem();
        }
    }
}

public interface IEffect
{
    bool ApplyFilter();
}
----

=== How does this work?

include::../../common/fix/pre-approved-list.adoc[]