include::../description.adoc[] == Noncompliant Code Example [source,csharp] ---- using System.IO; using System.Net; using Microsoft.AspNetCore.Mvc; namespace WebApplicationDotNetCore.Controllers { public class RSPEC5144SSRFNoncompliantController : Controller { public IActionResult Index() { return View(); } public IActionResult ReadContentOfURL(string url) { HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url); // Noncompliant HttpWebResponse response = (HttpWebResponse)request.GetResponse(); Stream dataStream = response.GetResponseStream(); StreamReader reader = new StreamReader(dataStream); string responseFromServer = reader.ReadToEnd(); reader.Close(); dataStream.Close(); response.Close(); return Content(responseFromServer); } } } ---- == Compliant Solution [source,csharp] ---- using System.Linq; using System.IO; using System.Net; using Microsoft.AspNetCore.Mvc; namespace WebApplicationDotNetCore.Controllers { public class RSPEC5144SSRFCompliantController : Controller { public IActionResult Index() { return View(); } private readonly string[] whiteList = { "www.example.com", "example.com" }; public IActionResult ReadContentOfURL(string url) { // Extract the hostname from the URL URI remoteUrl = new Uri(url); string remoteHost = remoteUrl.Host; // Match the incoming URL against a whitelist if (!whiteList.Contains(remoteHost)) { return BadRequest(); } HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url); HttpWebResponse response = (HttpWebResponse)request.GetResponse(); Stream dataStream = response.GetResponseStream(); StreamReader reader = new StreamReader(dataStream); string responseFromServer = reader.ReadToEnd(); reader.Close(); dataStream.Close(); response.Close(); return Content(responseFromServer); } } } ---- include::../see.adoc[] ifdef::env-github,rspecator-view[] ''' == Implementation Specification (visible only on this page) include::../message.adoc[] include::../highlighting.adoc[] endif::env-github,rspecator-view[]