From f274fe88ff95a709eef2620f5733894128e695c7 Mon Sep 17 00:00:00 2001 From: alexandravaron Date: Mon, 15 Dec 2025 13:40:05 -0600 Subject: [PATCH 1/5] Update MyClass.cs --- comp-dotnet/project/MyClass.cs | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/comp-dotnet/project/MyClass.cs b/comp-dotnet/project/MyClass.cs index 9a46bb2..498f2da 100644 --- a/comp-dotnet/project/MyClass.cs +++ b/comp-dotnet/project/MyClass.cs @@ -9,6 +9,11 @@ public string ReturnMessage() int await = 42; int async = 42; return "Happy coding!"; +filter = "{" + request.Key + ":'" + emailAddress + "'}"; +List Donor = Providers.Donor.GetDonorByIdOrEmailAddress(filter, memberId); + +string endpointCustomer = string.Format("v1.3/search?q={0}", filter); +var restContentCustomer = StoreAccess.GetRESTResponse(endpointCustomer, token); } } -} \ No newline at end of file +} From d3cc7cc5fd35a472c6e965704ea1284459e294bd Mon Sep 17 00:00:00 2001 From: alexandravaron Date: Mon, 15 Dec 2025 13:44:54 -0600 Subject: [PATCH 2/5] Update MyClass.cs --- comp-dotnet/project/MyClass.cs | 5 ----- 1 file changed, 5 deletions(-) diff --git a/comp-dotnet/project/MyClass.cs b/comp-dotnet/project/MyClass.cs index 498f2da..eb88397 100644 --- a/comp-dotnet/project/MyClass.cs +++ b/comp-dotnet/project/MyClass.cs @@ -9,11 +9,6 @@ public string ReturnMessage() int await = 42; int async = 42; return "Happy coding!"; -filter = "{" + request.Key + ":'" + emailAddress + "'}"; -List Donor = Providers.Donor.GetDonorByIdOrEmailAddress(filter, memberId); - -string endpointCustomer = string.Format("v1.3/search?q={0}", filter); -var restContentCustomer = StoreAccess.GetRESTResponse(endpointCustomer, token); } } } From fc1aba64fd6b3cc47b42abc3670d6136d53f81fc Mon Sep 17 00:00:00 2001 From: alexandravaron Date: Mon, 15 Dec 2025 13:46:10 -0600 Subject: [PATCH 3/5] Create Test.cs --- comp-dotnet/project/Test.cs | 50 +++++++++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100644 comp-dotnet/project/Test.cs diff --git a/comp-dotnet/project/Test.cs b/comp-dotnet/project/Test.cs new file mode 100644 index 0000000..f434117 --- /dev/null +++ b/comp-dotnet/project/Test.cs @@ -0,0 +1,50 @@ +// Program.cs +using System; +using System.Net.Http; +using System.Threading.Tasks; + +namespace DonorSearchExample +{ + class Program + { + // Simulate untrusted input coming from the "request" + // Usage: dotnet run emailField "test@example.com" + static async Task Main(string[] args) + { + if (args.Length < 2) + { + Console.WriteLine("Usage: dotnet run "); + return; + } + + string requestKey = args[0]; // untrusted + string emailAddress = args[1]; // untrusted + + // ----- Mirrors your DonorAPI.cs ----- + string filter = "{" + requestKey + ":'" + emailAddress + "'}"; + Console.WriteLine("Filter: " + filter); + + // ----- Mirrors your DonorProvider.cs ----- + string endpointCustomer = string.Format( + "https://api.example.com/v1.3/search?q={0}", + filter); // tainted data inserted into query parameter + + Console.WriteLine("Calling: " + endpointCustomer); + + using var client = new HttpClient(); + try + { + // This call should be considered the "sink" for tainted data + HttpResponseMessage response = + await client.GetAsync(endpointCustomer); + + string body = await response.Content.ReadAsStringAsync(); + Console.WriteLine("Response received (length): " + body.Length); + } + catch (Exception ex) + { + Console.WriteLine("Error during request: " + ex.Message); + } + } + } +} From de8490f0d8e6ed0af71edc117665a618e36b5d11 Mon Sep 17 00:00:00 2001 From: alexandravaron Date: Mon, 15 Dec 2025 13:51:47 -0600 Subject: [PATCH 4/5] Update Test.cs --- comp-dotnet/project/Test.cs | 35 +++++++++++++++++++++-------------- 1 file changed, 21 insertions(+), 14 deletions(-) diff --git a/comp-dotnet/project/Test.cs b/comp-dotnet/project/Test.cs index f434117..2bda077 100644 --- a/comp-dotnet/project/Test.cs +++ b/comp-dotnet/project/Test.cs @@ -7,9 +7,13 @@ namespace DonorSearchExample { class Program { - // Simulate untrusted input coming from the "request" - // Usage: dotnet run emailField "test@example.com" - static async Task Main(string[] args) + // Entry point compatible with older language versions + static void Main(string[] args) + { + RunAsync(args).GetAwaiter().GetResult(); + } + + static async Task RunAsync(string[] args) { if (args.Length < 2) { @@ -31,19 +35,22 @@ static async Task Main(string[] args) Console.WriteLine("Calling: " + endpointCustomer); - using var client = new HttpClient(); - try + // Classic using-statement instead of C# 8 "using var" + using (var client = new HttpClient()) { - // This call should be considered the "sink" for tainted data - HttpResponseMessage response = - await client.GetAsync(endpointCustomer); + try + { + // This call should be considered the "sink" for tainted data + HttpResponseMessage response = + await client.GetAsync(endpointCustomer); - string body = await response.Content.ReadAsStringAsync(); - Console.WriteLine("Response received (length): " + body.Length); - } - catch (Exception ex) - { - Console.WriteLine("Error during request: " + ex.Message); + string body = await response.Content.ReadAsStringAsync(); + Console.WriteLine("Response received (length): " + body.Length); + } + catch (Exception ex) + { + Console.WriteLine("Error during request: " + ex.Message); + } } } } From 1d55c30c07cd8f39e3cf183f6de22d2ed37a59f8 Mon Sep 17 00:00:00 2001 From: alexandravaron Date: Mon, 15 Dec 2025 13:54:08 -0600 Subject: [PATCH 5/5] Update Test.cs --- comp-dotnet/project/Test.cs | 32 +++++++++----------------------- 1 file changed, 9 insertions(+), 23 deletions(-) diff --git a/comp-dotnet/project/Test.cs b/comp-dotnet/project/Test.cs index 2bda077..c10c648 100644 --- a/comp-dotnet/project/Test.cs +++ b/comp-dotnet/project/Test.cs @@ -1,29 +1,15 @@ -// Program.cs +// Test.cs using System; using System.Net.Http; -using System.Threading.Tasks; namespace DonorSearchExample { - class Program + // This class mirrors your DonorAPI/DonorProvider pattern + public class DonorSearch { - // Entry point compatible with older language versions - static void Main(string[] args) + // This method is what Sonar should flag + public void VulnerableSearch(string requestKey, string emailAddress) { - RunAsync(args).GetAwaiter().GetResult(); - } - - static async Task RunAsync(string[] args) - { - if (args.Length < 2) - { - Console.WriteLine("Usage: dotnet run "); - return; - } - - string requestKey = args[0]; // untrusted - string emailAddress = args[1]; // untrusted - // ----- Mirrors your DonorAPI.cs ----- string filter = "{" + requestKey + ":'" + emailAddress + "'}"; Console.WriteLine("Filter: " + filter); @@ -35,16 +21,16 @@ static async Task RunAsync(string[] args) Console.WriteLine("Calling: " + endpointCustomer); - // Classic using-statement instead of C# 8 "using var" + // Classic using-statement, compatible with C# 7.3 using (var client = new HttpClient()) { try { - // This call should be considered the "sink" for tainted data + // This call is the "sink" for the tainted data HttpResponseMessage response = - await client.GetAsync(endpointCustomer); + client.GetAsync(endpointCustomer).Result; - string body = await response.Content.ReadAsStringAsync(); + string body = response.Content.ReadAsStringAsync().Result; Console.WriteLine("Response received (length): " + body.Length); } catch (Exception ex)