• Home
• org.sonarsource.dotnet
• sonar-csharp-plugin
• 9.29.0.95321
• source code
• S6930.html

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

org.sonar.plugins.csharp.S6930.html Maven / Gradle / Ivy

Backslash characters (\) should be avoided in route templates.
Why is this an issue?
Routing in ASP.NET MVC maps controllers and actions to paths in request URIs.
In the former syntax specification of URIs, backslash characters (\) were not allowed at all (see section "2.4.3. Excluded US-ASCII Characters" of RFC 2396). While the current
specification (RFC 3986) doesn’t include anymore the "Excluded US-ASCII Characters"
section, most URL processors still don’t support backslash properly.
For instance, a backslash in the "path" part of a URL is automatically converted to a forward slash (/) both by Chrome and Internet
Explorer (see here).
As an example, \Calculator\Evaluate?expression=3\4 is converted on the fly into /Calculator/Evaluate?expression=3\4
before the HTTP request is made to the server.
While backslashes are allowed in the "query" part of a URL, and it’s common to have them as part of a complex query expression, the route of a
controller is always part of the "path".
That is why the use of backslashes in controller templates should be avoided in general.
What is the potential impact?
A backslash in the route pattern of a controller would only make sense if the developer intended the backslash in the route to be explicitly
escaped by the user, using %5C.
For example, the route Something\[controller] for the HomeController would need to be called as
Something%5CHome.
The validity of such a scenario is unlikely and the resulting behavior is surprising.
How to fix it
Code examples
Noncompliant code example
[Route(@"Something\[controller]")] // Noncompliant: Replace '\' with '/'.
public class HomeController : Controller
{
    [HttpGet]
    public ActionResult Index() => View();
}

Compliant solution
[Route(@"Something/[controller]")] // '\' replaced with '/'
public class HomeController : Controller
{
    [HttpGet]
    public ActionResult Index() => View();
}

Noncompliant code example
app.MapControllerRoute(
    name: "default",
    pattern: "{controller=Home}\\{action=Index}"); // Noncompliant: Replace '\' with '/'.

Compliant solution
app.MapControllerRoute(
    name: "default",
    pattern: "{controller=Home}/{action=Index}"); // '\' replaced with '/'

Resources
Documentation

  
 Microsoft Learn - Routing in ASP.NET Core 
  
 Microsoft Learn - Routing to controller actions in ASP.NET
  Core 
  
 Microsoft Learn - Handle requests with controllers in ASP.NET
  Core MVC 
  
 Wikipedia - Uniform Resource Identifier 
  
 Wikipedia - URL - Syntax 
  
 Wikipedia - Percent-encoding 

Articles & blog posts

  
 StackOverflow - Different behaviours of treating \ (backslash) in the url by FireFox and
  Chrome 

Standards

  
 IETF.org - RFC 3986 - Uniform Resource Identifier (URI): Generic Syntax 
  
 IETF.org - RFC 2396 - Uniform Resource Identifiers (URI): Generic Syntax (OBSOLETE,
  replaced by RFC 3986)