org.sonar.plugins.csharp.S6930.html

Backslash characters (\) should be avoided in route templates.

Why is this an issue?

Routing in ASP.NET MVC maps controllers and actions to paths in request URIs.

In the former syntax specification of URIs, backslash characters (\) were not allowed at all (see section "2.4.3. Excluded US-ASCII Characters" of RFC 2396). While the current specification (RFC 3986) no longer includes the "Excluded US-ASCII Characters" section, most URL processors still don’t support backslashes properly.

For instance, a backslash in the "path" part of a URL is automatically converted to a forward slash (/) by both Chrome and Internet Explorer.

As an example, \Calculator\Evaluate?expression=3\4 is converted on the fly into /Calculator/Evaluate?expression=3\4 before the HTTP request is made to the server.

While backslashes are allowed in the "query" part of a URL, and it’s common to have them as part of a complex query expression, the route of a controller is always part of the "path".

That is why the use of backslashes in controller templates should be avoided in general.

What is the potential impact?

A backslash in the route pattern of a controller would only make sense if the developer intended the backslash in the route to be explicitly escaped by the user, using %5C.

For example, the route Something\[controller] for the HomeController would need to be called as Something%5CHome.

The validity of such a scenario is unlikely and the resulting behavior is surprising.
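
The conversion described above can be reproduced with Node's built-in URL class, which follows the WHATWG URL Standard that browsers implement. This is an added example, not part of the rule description; wireForm, reachesRoute, the https://app.example origin and the simplified server-side match are assumptions made for illustration.

```javascript
// Added example: shows how a WHATWG URL parser rewrites backslashes in the
// path before the request leaves the client, and what that means for routes.
const BASE = 'https://app.example'; // constructed placeholder origin

// What actually goes on the wire for a URL as typed by the user.
function wireForm(typed) {
  const u = new URL(typed, BASE);
  return { path: u.pathname, query: u.search };
}

// Simplified, assumed model of server-side matching: expand the [controller]
// token, percent-decode the request path, compare case-insensitively.
function reachesRoute(template, controller, typed) {
  const literal = template.replace('[controller]', controller);
  const decoded = decodeURIComponent(wireForm(typed).path.slice(1));
  return decoded.toLowerCase() === literal.toLowerCase();
}

// Constructed sample inputs based on the routes in the rule description.
const samples = [
  ['Something\\[controller]', '/Something\\Home'],  // backslash typed as-is
  ['Something\\[controller]', '/Something%5CHome'], // backslash escaped by the user
  ['Something/[controller]', '/Something\\Home'],   // compliant route
];
for (const [template, typed] of samples) {
  console.log(template, typed, wireForm(typed).path,
    reachesRoute(template, 'Home', typed));
}
```

Only the %5C form reaches the backslash route; the compliant route is reachable whether the user types a forward slash or a backslash.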

How to fix it

Code examples

Noncompliant code example

[Route(@"Something\[controller]")] // Noncompliant: Replace '\' with '/'.
public class HomeController : Controller
{
    [HttpGet]
    public ActionResult Index() => View();
}

Compliant solution

[Route(@"Something/[controller]")] // '\' replaced with '/'
public class HomeController : Controller
{
    [HttpGet]
    public ActionResult Index() => View();
}

Noncompliant code example

app.MapControllerRoute(
    name: "default",
    pattern: "{controller=Home}\\{action=Index}"); // Noncompliant: Replace '\' with '/'.

Compliant solution

app.MapControllerRoute(
    name: "default",
    pattern: "{controller=Home}/{action=Index}"); // '\' replaced with '/'
