ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S5146/csharp/rule.adoc
Alban Auzeill 0329b1564c Add rules 5000-5999
2020-06-30 17:16:12 +02:00

65 lines
1.8 KiB
Plaintext
Raw Blame History

include::../description.adoc[]
== Noncompliant Code Example
----
using Microsoft.AspNetCore.Mvc;
namespace WebApplicationDotNetCore.Controllers
{
public class RSPEC5146OpenRedirectNoncompliantController : Controller
{
public IActionResult Index()
{
return View();
}
private readonly string[] whiteList = { "https://www.sonarsource.com" };
public IActionResult RedirectMe(string url)
{
return Redirect(url);
}
}
}
----
== Compliant Solution
----
using System.Linq;
using Microsoft.AspNetCore.Mvc;
namespace WebApplicationDotNetCore.Controllers
{
public class RSPEC5146OpenRedirectCompliantController : Controller
{
public IActionResult Index()
{
return View();
}
private readonly string[] whiteList = { "https://www.sonarsource.com" };
public IActionResult RedirectMe(string url)
{
// Match the incoming URL against a whitelist
if (!whiteList.Contains(url))
{
return BadRequest();
}
return Redirect(url);
}
}
}
----
== See
* https://docs.microsoft.com/en-us/aspnet/core/security/preventing-open-redirects?view=aspnetcore-3.1[Microsoft Documentation ASP.NET Core] - Prevent Open Redirect Attacks in ASP.NET Core
* https://docs.microsoft.com/en-us/aspnet/mvc/overview/security/preventing-open-redirection-attacks[Microsoft Documentation ASP.NET MVC] - Preventing Open Redirection Attacks
* https://www.owasp.org/index.php/Top_10-2017_A5-Broken_Access_Control[OWASP Top 10 2017 Category A5] - Broken Access Control
* https://cwe.mitre.org/data/definitions/601.html[MITRE, CWE-601] - URL Redirection to Untrusted Site ('Open Redirect')
* https://www.sans.org/top25-software-errors/#cat2[SANS Top 25] - Risky Resource Management
Reference in New Issue View Git Blame Copy Permalink