rspec/rules/S5144/csharp/rule.adoc

include::../description.adoc[]
== Noncompliant Code Example
[source,csharp]
----
using System.IO;
using System.Net;
using Microsoft.AspNetCore.Mvc;
namespace WebApplicationDotNetCore.Controllers
{
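public class RSPEC5144SSRFNoncompliantController : Controller
{
    public IActionResult Index()
    {
        return View();
    }

    /// <summary>
    /// Fetches <paramref name="url"/> server-side and returns its body as the response content.
    /// </summary>
    /// <param name="url">Request-supplied URL, used without any validation.</param>
    /// <returns>The remote body as content.</returns>
    public IActionResult ReadContentOfURL(string url)
    {
        // The request parameter reaches WebRequest.Create unchanged: no scheme or host
        // restriction, so the server can be pointed at any destination it can reach.
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url); // Noncompliant
        // 'using' guarantees the response and its stream are released even when
        // ReadToEnd throws; disposing the reader also disposes the underlying stream.
        using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
        using (StreamReader reader = new StreamReader(response.GetResponseStream()))
        {
            return Content(reader.ReadToEnd());
        }
    }
}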
}
----
== Compliant Solution
[source,csharp]
----
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Net;
using Microsoft.AspNetCore.Mvc;
namespace WebApplicationDotNetCore.Controllers
{
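public class RSPEC5144SSRFCompliantController : Controller
{
    // Hosts this controller may fetch from. Compared case-insensitively because
    // DNS names are case-insensitive.
    private static readonly HashSet<string> AllowedHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "www.example.com", "example.com" };

    public IActionResult Index()
    {
        return View();
    }

    /// <summary>
    /// Fetches <paramref name="url"/> and returns its body, but only when it is an absolute
    /// http/https URL whose host is in <see cref="AllowedHosts"/>.
    /// </summary>
    /// <param name="url">User-supplied URL; treated as untrusted input.</param>
    /// <returns>The remote body as content, or 400 Bad Request when the URL is rejected.</returns>
    public IActionResult ReadContentOfURL(string url)
    {
        // Parse with TryCreate instead of 'new Uri(url)': a malformed value should
        // produce a 400, not an unhandled UriFormatException.
        Uri remoteUrl;
        if (string.IsNullOrWhiteSpace(url) || !Uri.TryCreate(url, UriKind.Absolute, out remoteUrl))
        {
            return BadRequest();
        }

        // Restrict the scheme as well as the host: WebRequest.Create also handles
        // non-HTTP schemes (file://, ftp://), and a host match alone does not stop those.
        bool isHttp = string.Equals(remoteUrl.Scheme, Uri.UriSchemeHttp, StringComparison.OrdinalIgnoreCase)
                   || string.Equals(remoteUrl.Scheme, Uri.UriSchemeHttps, StringComparison.OrdinalIgnoreCase);
        if (!isHttp)
        {
            return BadRequest();
        }

        // Match the host against the allow list
        if (!AllowedHosts.Contains(remoteUrl.Host))
        {
            return BadRequest();
        }

        // Use the validated Uri, not the raw string, so the request targets exactly what was checked.
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(remoteUrl);
        // An allowed host could redirect elsewhere; refuse to follow so the
        // allow list is not bypassed by a redirect.
        request.AllowAutoRedirect = false;

        // 'using' guarantees the response and its stream are released even when ReadToEnd throws.
        using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
        using (StreamReader reader = new StreamReader(response.GetResponseStream()))
        {
            return Content(reader.ReadToEnd());
        }
    }
}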
}
----
include::../see.adoc[]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::../message.adoc[]
include::../highlighting.adoc[]
endif::env-github,rspecator-view[]