rspec/rules/S5144/csharp/how-to-fix-it/dotnet.adoc

== How to fix it in ASP.NET

=== Code examples

include::../../common/fix/code-rationale.adoc[]

==== Noncompliant code example

[source,csharp,diff-id=1,diff-type=noncompliant]
----
using System.Web;
using System.Web.Mvc;

public class ExampleController: Controller
{
    [HttpGet]
    public IActionResult ImageFetch(string location)
    {
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(location);

        return Ok();
    }
}
----

==== Compliant solution

[source,csharp,diff-id=1,diff-type=compliant]
----
using System.Web;
using System.Web.Mvc;

public class ExampleController: Controller
{
    private readonly string[] allowedSchemes = { "https" };
    private readonly string[] allowedDomains = { "trusted1.example.com", "trusted2.example.com" };

    [HttpGet]
    public IActionResult ImageFetch(string location)
    {
        Uri uri = new Uri(location);

        if (!allowedDomains.Contains(uri.Host) && !allowedSchemes.Contains(uri.Scheme))
        {
            return BadRequest();
        }

        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(uri);

        return Ok();
    }
}
----

=== How does this work?

include::../../common/fix/pre-approved-list.adoc[]

=== Pitfalls

include::../../common/pitfalls/starts-with.adoc[]