org.sonar.plugins.csharp.S6930.html
Backslash characters (\) should be avoided in route templates.
Why is this an issue?
Routing in ASP.NET MVC maps controllers and actions to paths in request URIs.
In the former syntax specification of URIs, backslash characters (\) were not allowed at all (see section "2.4.3. Excluded US-ASCII Characters" of RFC 2396). While the current
specification (RFC 3986) no longer includes the "Excluded US-ASCII Characters"
section, most URL processors still don’t support backslashes properly.
For instance, a backslash in the "path" part of a URL is automatically converted to a forward slash (/) by both Chrome and Internet Explorer.
As an example, \Calculator\Evaluate?expression=3\4 is converted on the fly into /Calculator/Evaluate?expression=3\4 before the HTTP request is made to the server.
While backslashes are allowed in the "query" part of a URL, and it’s common to have them as part of a complex query expression, the route of a
controller is always part of the "path".
That is why the use of backslashes in controller templates should be avoided in general.
What is the potential impact?
A backslash in the route pattern of a controller would only make sense if the developer intended the backslash in the route to be explicitly
escaped by the user, using %5C.
For example, the route Something\[controller] for the HomeController would need to be called as Something%5CHome.
The validity of such a scenario is unlikely and the resulting behavior is surprising.
How to fix it
Code examples
Noncompliant code example
[Route(@"Something\[controller]")] // Noncompliant: Replace '\' with '/'.
public class HomeController : Controller
{
    [HttpGet]
    public ActionResult Index() => View();
}
Compliant solution
[Route(@"Something/[controller]")] // '\' replaced with '/'
public class HomeController : Controller
{
    [HttpGet]
    public ActionResult Index() => View();
}
Noncompliant code example
app.MapControllerRoute(
    name: "default",
    pattern: "{controller=Home}\\{action=Index}"); // Noncompliant: Replace '\' with '/'.
Compliant solution
app.MapControllerRoute(
    name: "default",
    pattern: "{controller=Home}/{action=Index}"); // '\' replaced with '/'
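A startup guard for this rule, as an added example that is not part of the rule page or of the analyzer: it inspects every registered route pattern, whether it came from a [Route] attribute or from MapControllerRoute, and refuses to start when one contains a backslash. It assumes ASP.NET Core 6 or later; RouteAudit and its method names are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Routing;

// Hypothetical helper (added example, not from the rule page).
public static class RouteAudit
{
    // Returns the raw text of every registered route pattern that contains '\'.
    public static IReadOnlyList<string> FindBackslashPatterns(IEnumerable<Endpoint> endpoints) =>
        endpoints
            .OfType<RouteEndpoint>()                 // only endpoints that carry a route pattern
            .Select(e => e.RoutePattern.RawText ?? string.Empty)
            .Where(p => p.Contains('\\'))
            .Distinct(StringComparer.Ordinal)
            .ToList();

    // Call after the Map* calls and before app.Run(): app.ThrowIfBackslashRoutes();
    // WebApplication implements IEndpointRouteBuilder, so its data sources are visible here.
    public static void ThrowIfBackslashRoutes(this IEndpointRouteBuilder routes)
    {
        var offenders = FindBackslashPatterns(
            routes.DataSources.SelectMany(ds => ds.Endpoints));

        if (offenders.Count > 0)
        {
            throw new InvalidOperationException(
                "Route patterns containing '\\' (replace with '/'): "
                + string.Join(", ", offenders));
        }
    }
}
```

Because the check reads the patterns the router actually registered, it also catches templates assembled at run time that a source-level analyzer cannot see.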
Resources
Documentation
- Microsoft Learn - Routing in ASP.NET Core
- Microsoft Learn - Routing to controller actions in ASP.NET Core
- Microsoft Learn - Handle requests with controllers in ASP.NET Core MVC
- Wikipedia - Uniform Resource Identifier
- Wikipedia - URL - Syntax
- Wikipedia - Percent-encoding
Articles & blog posts
Standards