48 lines
1.1 KiB
Plaintext
48 lines
1.1 KiB
Plaintext
== Why is this an issue?
|
|
|
|
String representations of URIs or URLs are prone to parsing and encoding errors which can lead to vulnerabilities. The ``++System.Uri++`` class is a safe alternative and should be preferred. At minimum, an overload of the method taking a ``++System.Uri++`` as a parameter should be provided in each class that contains a method with an apparent Uri passed as a ``++string++``.
|
|
|
|
|
|
This rule raises issues when a method has a string parameter with a name containing "uri", "Uri", "urn", "Urn", "url" or "Url", and the type doesn't declare a corresponding overload taking an ``++System.Uri++`` parameter instead.
|
|
|
|
|
|
=== Noncompliant code example
|
|
|
|
[source,text]
|
|
----
|
|
using System;
|
|
|
|
namespace MyLibrary
|
|
{
|
|
public class MyClass
|
|
{
|
|
|
|
public void FetchResource(string uriString) { } // Noncompliant
|
|
}
|
|
}
|
|
----
|
|
|
|
|
|
=== Compliant solution
|
|
|
|
[source,text]
|
|
----
|
|
using System;
|
|
|
|
namespace MyLibrary
|
|
{
|
|
public class MyClass
|
|
{
|
|
|
|
public void FetchResource(string uriString)
|
|
{
|
|
FetchResource(new Uri(uriString));
|
|
}
|
|
|
|
public void FetchResource(Uri uri) { }
|
|
}
|
|
}
|
|
----
|
|
|
|
|