Can you spot the vulnerability? #codeadvent2022 #csharp #appsec
Something was forgotten in this API handler, but what?
https://www.sonarsource.com/knowledge/code-challenges/advent-calendar-2022/?day=3
The allowed URL https://api.github.com does not end with a "/", so the prefix check is too loose: an attacker can thus send the request to any server!
The regular expression is a decoy: because of its greedy quantifier, an empty match still counts as a match.
Check out the detailed solution here:
https://www.sonarsource.com/knowledge/code-challenges/advent-calendar-2022/?day=3&solution
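Added example (not the challenge's own code, which is behind the link above): a prefix check written the way the post describes, next to a check that parses the URL and compares scheme and host exactly. The method names, the `IsAllowedWeak`/`IsAllowedStrict` split and the sample URLs are constructed for illustration; `Uri.TryCreate`, `Uri.Host` and `Uri.Scheme` are standard .NET APIs.

```csharp
using System;

// Added example: an allow-list for outbound requests, weak form and hardened form.
public static class UrlAllowList
{
    private const string AllowedHost = "api.github.com";

    // Weak check, as described in the post: a plain string prefix comparison.
    // Because the allowed base has no trailing "/", any URL whose host merely
    // *starts with* "api.github.com" (e.g. "api.github.com.example.invalid")
    // also passes, so the request can be steered to another server.
    public static bool IsAllowedWeak(string url) =>
        url.StartsWith("https://" + AllowedHost, StringComparison.OrdinalIgnoreCase);

    // Hardened check: parse the URL and compare the scheme and the full host,
    // so "api.github.com.example.invalid" and "http://api.github.com/" are rejected.
    public static bool IsAllowedStrict(string url)
    {
        if (!Uri.TryCreate(url, UriKind.Absolute, out var uri))
            return false;                                   // not a well-formed absolute URL

        return uri.Scheme == Uri.UriSchemeHttps
            && string.Equals(uri.Host, AllowedHost, StringComparison.OrdinalIgnoreCase);
    }

    public static void Main()
    {
        // Constructed sample inputs; the second one is the case the post warns about.
        string[] samples =
        {
            "https://api.github.com/repos/octocat/hello-world",  // legitimate: weak=true  strict=true
            "https://api.github.com.example.invalid/anything",   // other host:  weak=true  strict=false
            "http://api.github.com/",                            // wrong scheme: weak=false strict=false
            "not a url",                                         // unparsable:  weak=false strict=false
        };

        foreach (var url in samples)
            Console.WriteLine($"{url,-52} weak={IsAllowedWeak(url),-5} strict={IsAllowedStrict(url)}");
    }
}
```

The hardened version compares the parsed host rather than the raw string, which is what the missing trailing "/" was standing in for; if the handler is meant to accept only certain paths as well, compare `uri.AbsolutePath` against an allow-list in the same way rather than going back to a prefix test on the whole string.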