
== How to fix it in .NET
=== Code examples
The following code is vulnerable to arbitrary code execution because it embeds HTTP
request data in source code that it then compiles and runs.
==== Noncompliant code example
[source,csharp,diff-id=1,diff-type=noncompliant]
----
using System.CodeDom.Compiler;
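public class ExampleController : Controller
{
    /// <summary>
    /// Compiles and executes a C# snippet whose source text is built from
    /// <paramref name="message"/>. Noncompliant: the request value is spliced into the
    /// generated source before compilation, so whatever the caller sends is compiled and
    /// run inside the server process as code, not treated as data.
    /// </summary>
    /// <param name="message">Request-controlled text embedded verbatim in the generated source.</param>
    public void Run(string message)
    {
        // Depends on a runtime value, so it cannot be declared 'const' (CS0133).
        // The concatenation on the Console.WriteLine line is the code-injection sink.
        string code = @"
using System;
public class MyClass
{
public void MyMethod()
{
Console.WriteLine(""" + message + @""");
}
}
";
        var provider = CodeDomProvider.CreateProvider("CSharp");
        var compilerParameters = new CompilerParameters { ReferencedAssemblies = { "System.dll", "System.Runtime.dll" } };
        var compilerResults = provider.CompileAssemblyFromSource(compilerParameters, code);
        // The generated type is instantiated and its method run with no arguments:
        // all attacker influence has already happened at source-text level above.
        object myInstance = compilerResults.CompiledAssembly.CreateInstance("MyClass");
        myInstance.GetType().GetMethod("MyMethod").Invoke(myInstance, new object[0]);
    }
}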
----
==== Compliant solution
[source,csharp,diff-id=1,diff-type=compliant]
----
using System;
using System.CodeDom.Compiler;
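public class ExampleController : Controller
{
    /// <summary>
    /// Compiles a fixed C# snippet and invokes it with <paramref name="message"/> as a
    /// runtime argument. The generated source is a compile-time constant that never
    /// contains request data, so the request value reaches the snippet only as a string
    /// parameter and cannot alter what gets compiled.
    /// </summary>
    /// <param name="message">Request value forwarded to the dynamic method as a plain argument.</param>
    /// <exception cref="InvalidOperationException">
    /// Thrown when the snippet fails to compile, or when the generated type or method
    /// cannot be located in the compiled assembly.
    /// </exception>
    public void Run(string message)
    {
        // Pure literal: no runtime value is part of the source text.
        const string code = @"
using System;
public class MyClass
{
public void MyMethod(string input)
{
Console.WriteLine(input);
}
}
";
        var provider = CodeDomProvider.CreateProvider("CSharp");
        var compilerParameters = new CompilerParameters { ReferencedAssemblies = { "System.dll", "System.Runtime.dll" } };
        var compilerResults = provider.CompileAssemblyFromSource(compilerParameters, code);

        // Accessing CompiledAssembly after a failed compilation throws from inside the
        // property; surface the failure explicitly so it is not mistaken for a reflection bug.
        if (compilerResults.Errors.HasErrors)
        {
            throw new InvalidOperationException("Dynamic snippet failed to compile.");
        }

        object myInstance = compilerResults.CompiledAssembly.CreateInstance("MyClass");
        if (myInstance == null)
        {
            throw new InvalidOperationException("Generated type 'MyClass' was not found.");
        }

        var method = myInstance.GetType().GetMethod("MyMethod");
        if (method == null)
        {
            throw new InvalidOperationException("Generated method 'MyMethod' was not found.");
        }

        method.Invoke(myInstance, new object[] { message }); // Pass message to dynamic method
    }
}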
----
=== How does this work?
include::../../common/fix/introduction.adoc[]
include::../../common/fix/parameters.adoc[]
The compliant code example uses such an approach.
include::../../common/fix/allowlist.adoc[]