include::../description.adoc[]
== Noncompliant Code Example
----
using System.IO;
using System.Net;
using Microsoft.AspNetCore.Mvc;
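namespace WebApplicationDotNetCore.Controllers
{
    /// <summary>
    /// Noncompliant example for RSPEC-5144 (server-side request forgery).
    /// The <c>url</c> action parameter comes straight from the HTTP request and is
    /// handed to <see cref="WebRequest.Create(string)"/> without any validation, so
    /// the caller decides which host the server connects to.
    /// </summary>
    public class RSPEC5144SSRFNoncompliantController : Controller
    {
        /// <summary>Renders the default view; no outbound request is made here.</summary>
        public IActionResult Index()
        {
            return View();
        }

        /// <summary>
        /// Fetches <paramref name="url"/> from the server and returns the response
        /// body verbatim as the action result.
        /// </summary>
        /// <param name="url">Request-controlled URL; it flows unchecked into the outbound request.</param>
        /// <returns>The remote response body as plain content.</returns>
        /// <remarks>
        /// Because the destination is attacker-controlled, this action lets a client
        /// make the server connect to hosts that are only reachable from the server's
        /// own network position and read their responses back. The only thing that
        /// limits the target is the cast to <see cref="HttpWebRequest"/>, which fails
        /// for non-HTTP schemes; it does nothing to restrict the host.
        /// </remarks>
        public IActionResult ReadContentOfURL(string url)
        {
            // The tainted value reaches the request factory unchanged: this is the SSRF sink.
            HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url); // Noncompliant

            // using-blocks replace the explicit Close() calls so the response, stream
            // and reader are released even when GetResponse()/ReadToEnd() throws.
            using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
            using (Stream dataStream = response.GetResponseStream())
            using (StreamReader reader = new StreamReader(dataStream))
            {
                string responseFromServer = reader.ReadToEnd();
                return Content(responseFromServer);
            }
        }
    }
}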
----
== Compliant Solution
----
using System.Linq;
using System.IO;
using System.Net;
using Microsoft.AspNetCore.Mvc;
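namespace WebApplicationDotNetCore.Controllers
{
    /// <summary>
    /// Compliant example for RSPEC-5144 (server-side request forgery): the
    /// request-controlled <c>url</c> is only used after it has been matched exactly
    /// against a fixed allow-list of destinations.
    /// </summary>
    public class RSPEC5144SSRFCompliantController : Controller
    {
        /// <summary>Renders the default view; no outbound request is made here.</summary>
        public IActionResult Index()
        {
            return View();
        }

        // Complete URLs the server is permitted to fetch. Matching is by exact
        // string equality, not by prefix or host name, so look-alike destinations
        // such as "https://www.sonarsource.com.attacker.example" or
        // "https://www.sonarsource.com@attacker.example" do not pass the check.
        private readonly string[] allowedUrls = { "https://www.sonarsource.com" };

        /// <summary>
        /// Fetches <paramref name="url"/> and returns the response body, but only
        /// when the URL is one of the allow-listed destinations.
        /// </summary>
        /// <param name="url">Request-controlled URL; must equal an <see cref="allowedUrls"/> entry exactly (a null value is rejected).</param>
        /// <returns>
        /// 400 Bad Request for any URL that is not on the allow-list; otherwise the
        /// remote response body as plain content.
        /// </returns>
        public IActionResult ReadContentOfURL(string url)
        {
            // Reject anything that is not an exact allow-list entry before any
            // network object is created. Enumerable.Contains uses the default
            // string comparer, i.e. ordinal equality.
            if (!allowedUrls.Contains(url))
            {
                return BadRequest();
            }

            // The value reaching the sink is now one of our own constants.
            HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url); // Compliant

            // HttpWebRequest follows HTTP redirects by default, which would let an
            // allow-listed host bounce the server to a destination the check never
            // saw. Stop at the first response instead.
            request.AllowAutoRedirect = false;

            // using-blocks replace the explicit Close() calls so the response, stream
            // and reader are released even when GetResponse()/ReadToEnd() throws.
            using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
            using (Stream dataStream = response.GetResponseStream())
            using (StreamReader reader = new StreamReader(dataStream))
            {
                string responseFromServer = reader.ReadToEnd();
                return Content(responseFromServer);
            }
        }
    }
}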
----
include::../see.adoc[]