Injection remediation in ASP.NET Core [Mar 2026] [CVE-2017-0249]

using Microsoft.AspNetCore.Mvc;\nusing Microsoft.AspNetCore.Authorization;\nusing System.Security.Claims;\n\nnamespace Demo.VulnFix\n{\n    // Vulnerable: client-controlled role to escalate privileges\n    [ApiController]\n    [Route("/vuln")]\n    public class VulController : ControllerBase\n    {\n        [HttpGet("data")]\n        public IActionResult GetDataVul()\n        {\n            var requestedRole = HttpContext.Request.Query[\"role\"].ToString();\n            var identity = new ClaimsIdentity(\"Vulnerable\");\n            if (requestedRole == \"admin\")\n            {\n                identity.AddClaim(new Claim(ClaimTypes.Role, \"Admin\"));\n            }\n            HttpContext.User = new ClaimsPrincipal(identity);\n            if (HttpContext.User.IsInRole(\"Admin\"))\n            {\n                return Ok(\"Sensitive data\");\n            }\n            return Forbid();\n        }\n    }\n\n    // Fixed: rely on server-side authentication; do not trust client input\n    [Authorize(Roles = \"Admin\")]\n    [ApiController]\n    [Route("/sec")]\n    public class SecController : ControllerBase\n    {\n        [HttpGet("data")]\n        public IActionResult GetDataSec()\n        {\n            return Ok(\"Sensitive data for Admin\");\n        }\n    }\n}