Avoid potential server side request forgeries (SSRFs)
ID: csharp-security/avoid-potential-ssrf
Language: C#
Severity: Error
Category: Security
CWE: 918
Description
This rule flags HTTP requests whose target URL comes from untrusted input, such as a request parameter handed straight to `HttpClient.GetAsync`. When the caller controls the URL, the server can be made to issue requests on the caller's behalf to any scheme, host or port the server itself can reach (including internal services that are not exposed to the caller), and when the response body is returned to the caller the result of that request is disclosed as well. Parse the URL, then check its scheme and host against a fixed allow-list before sending the request, and send the validated `Uri` rather than the original string.
Non-Compliant Code Examples
using System.Net.Http;
using Microsoft.AspNetCore.Mvc;
/// <summary>
/// Non-compliant example: the URL to fetch comes straight from the request and
/// is passed to <see cref="HttpClient.GetAsync(string)"/> without any validation.
/// </summary>
public class DocumentController : Controller
{
    private readonly HttpClient _httpClient;

    public DocumentController(HttpClient httpClient)
    {
        _httpClient = httpClient;
    }

    /// <summary>
    /// Fetches <paramref name="documentUrl"/> server-side and returns its body.
    /// </summary>
    /// <param name="documentUrl">Caller-supplied URL; nothing in this method constrains its scheme, host or port.</param>
    /// <returns>The raw response body as the action result.</returns>
    [HttpPost]
    public async Task<IActionResult> FetchDocument(string documentUrl)
    {
        // SSRF (CWE-918): documentUrl is untrusted and unvalidated, so the caller
        // decides where the server connects.
        var response = await _httpClient.GetAsync(documentUrl); // Noncompliant
        // The response body is echoed back unchanged, so the caller also reads
        // whatever the server fetched.
        var content = await response.Content.ReadAsStringAsync();
        return Content(content);
    }
}
Compliant Code Examples
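/// <summary>
/// Compliant example: the caller-supplied URL is parsed and checked against a
/// fixed allow-list of HTTPS hosts before any request is sent, and the parsed
/// <see cref="Uri"/> (not the original string) is what gets fetched.
/// </summary>
public class DocumentController : Controller
{
    private readonly HttpClient _httpClient;

    // Hosts the server may fetch from. Compared case-insensitively so the check
    // does not depend on how the caller cased the host name.
    private readonly HashSet<string> _allowedHosts = new(StringComparer.OrdinalIgnoreCase)
    {
        "api.company.com",
        "documents.trusted.org"
    };

    public DocumentController(HttpClient httpClient)
    {
        _httpClient = httpClient;
    }

    /// <summary>
    /// Fetches <paramref name="documentUrl"/> server-side and returns its body,
    /// but only when the URL is absolute, uses HTTPS and targets an allow-listed host.
    /// </summary>
    /// <param name="documentUrl">Caller-supplied URL to validate and fetch.</param>
    /// <returns>
    /// 400 Bad Request when the URL is malformed or not allowed; otherwise the raw
    /// response body as the action result.
    /// </returns>
    [HttpPost]
    public async Task<IActionResult> FetchDocument(string documentUrl)
    {
        // Reject anything that is not an absolute URI (null, empty or relative
        // input) before it can reach the HttpClient.
        if (!Uri.TryCreate(documentUrl, UriKind.Absolute, out Uri uri))
        {
            return BadRequest("Invalid URL format");
        }

        // Pin both scheme and host. The scheme check rules out plain http:, file:
        // and other schemes; the host check rules out arbitrary internal or
        // external targets. Uri.Host excludes user-info and port, so
        // "https://api.company.com@other.example/" is compared as "other.example".
        // NOTE(review): the port is not pinned here; add a uri.IsDefaultPort check
        // if the allowed hosts must only be reached on 443.
        if (!string.Equals(uri.Scheme, Uri.UriSchemeHttps, StringComparison.Ordinal)
            || !_allowedHosts.Contains(uri.Host))
        {
            return BadRequest("URL not allowed");
        }

        // Send the Uri that was validated rather than re-parsing the original
        // string, so the request cannot differ from what was checked.
        // NOTE(review): HttpClient follows redirects by default, so an allow-listed
        // host that redirects elsewhere can still steer the request; set
        // AllowAutoRedirect = false on the handler behind the injected client
        // (configured outside this class) if that matters for this deployment.
        var response = await _httpClient.GetAsync(uri);
        var content = await response.Content.ReadAsStringAsync();
        return Content(content);
    }
}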