rspec/rules/S5146/csharp/rule.adoc

include::../description.adoc[]

== Noncompliant Code Example

[source,csharp]
----
using Microsoft.AspNetCore.Mvc;

public class HomeController : Controller
{

    public IActionResult RedirectMe(string url)
    {
        return Redirect(url);
    }

    public IActionResult SetLocationHeader(string url)
    {
        Response.Headers["Location"] = url; // Noncompliant
        return StatusCode(302);
    }
}
----

== Compliant Solution

[source,csharp]
----
using Microsoft.AspNetCore.Mvc;

public class HomeController : Controller
{
    private readonly string[] whiteList = { "/", "/login", "/logout" };

    public IActionResult RedirectMe(string url)
    {
        // Match the incoming URL against a whitelist
        if (!whiteList.Contains(url))
        {
            return BadRequest();
        }

        return Redirect(url);
    }
}
----

== See

* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
* https://docs.microsoft.com/en-us/aspnet/core/security/preventing-open-redirects?view=aspnetcore-3.1[Microsoft Documentation ASP.NET Core] - Prevent Open Redirect Attacks in ASP.NET Core
* https://docs.microsoft.com/en-us/aspnet/mvc/overview/security/preventing-open-redirection-attacks[Microsoft Documentation ASP.NET MVC] - Preventing Open Redirection Attacks
* https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[OWASP Top 10 2017 Category A5] - Broken Access Control
* https://cwe.mitre.org/data/definitions/601[MITRE, CWE-601] - URL Redirection to Untrusted Site ('Open Redirect')
* https://www.sans.org/top25-software-errors/#cat2[SANS Top 25] - Risky Resource Management
ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

include::../highlighting.adoc[]

endif::env-github,rspecator-view[]