Does SonarCloud detect XSS in a JavaScript frontend and a Java API?

Other tools have highlighted multiple XSS vulnerabilities where the code is specifically pushing out unsanitized user-provided data in a JavaScript frontend and a Java API. Is there a setting we need to enable to get XSS scanning through SonarCloud, or does SonarCloud offer some kind of plugin to catch these types of issues?

Hey there.

Such rules should be enabled by default.

Do you have some example code where you think an issue should be raised where it isn’t? The more complete the reproducer, the more accurately we can tell you why an issue isn’t being raised by SonarCloud.

Hi Colin, attached is a code sample where the competitor flags it as an issue, but SonarCloud does not. Hope it can help us understand why SonarCloud couldn't point it out as an issue, or whether there might be a setting we should enable before scanning.

/proxyapi/ProxyServiceCaller.java:36
    public ResponseEntity<String> exchangeHttpCall(final String url, final HttpMethod method, final HttpEntity<?> entity,
                                                   final RestTemplate restTemplate, final Object[] pathParams) {
        try {
            return restTemplate.exchange(url, method, entity, String.class, pathParams);
        } catch (final Exception exception) {
            log.warn("Exception has been thrown during exchange method invocation", exception);
            throw exception;
 
 
proxyapi/ProxyService.java:221/227
            log.warn("prepareAndExchangeHttpCall: fixme: {}", ex.getMessage());
        }
        try {
            final var responseEntity = proxyServiceCaller.exchangeHttpCall(absUrl, method, entity, restTemplate, pathParams);
            var responseStatusCode = responseEntity.getStatusCode();
            if (!responseStatusCode.is2xxSuccessful()) {
                log.warn("prepareAndExchangeHttpCall: error: status={}, {} url={}, params={}", responseStatusCode, method, absUrl,
            }
            final var responseHeaders = prepareResponseHeaders(responseEntity.getHeaders());
            return new ResponseEntity<>(responseEntity.getBody(), responseHeaders, responseStatusCode);
        } catch (RuntimeException ex) {
            log.warn("prepareAndExchangeHttpCall: failed: {} url={}, params={}", method, absUrl, params, ex);
            throw ex;
 
/proxyapi/ProxyService.java:123
 
    public ResponseEntity<String> exchangePut(final String url, final String body, final HttpHeaders clientHeaders,
                                              final BluebirdService service, final Object... pathParams) {
        return prepareAndExchangeHttpCall(HttpMethod.PUT, url, body, clientHeaders, service, Optional.empty(), pathParams);
    }
 
    public ResponseEntity<String> exchangePutWithTimeout(final String url, final String body, final HttpHeaders clientHeaders, final BluebirdService service,
...bluebird/proxyapi/player/limits/internal/InternalDepositLimitInstanceProxyController.java:45
        final var requestBody = new detWrapper(player.getdet().getdetails());
        headers.setContentType(MediaType.APPLICATION_JSON);
 
        return proxyService.exchangePut(url, objectMapper.writeValueAsString(requestBody), headers, BluebirdService.RGT, playerId, player.getJurisdictionId());
Cross-site scripting vulnerability due to a user-provided value.
 

Hi,

Thank you very much for your feedback.

Which line triggers an XSS vulnerability? The one calling exchangePut? As the code is partial, it is difficult to see exactly which data is provided by the user and which is not. I assume that body and clientHeaders are provided by the user. But they are not used in the code that follows. Instead, a requestBody is constructed with the help of an unknown class (detWrapper) and a variable player whose construction does not appear in the code. From what I can see, this does not use data provided by the user. It is similar for headers: the code does not show how it is constructed.

The method exchangePut calls prepareAndExchangeHttpCall. The latter makes an HTTP request with RestTemplate.exchange. It looks like none of the data used for this request comes from the user, but maybe it does in the code that is not shown.

From the code, I do not see any user-provided data used to construct the response. Can you maybe provide more context so we can better answer your question? Maybe the player instance is constructed with data from the user?

Best regards,
Sebastien
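A complete reproducer of the kind Colin asked for, added here as an example and not taken from the thread or the poster's project: a minimal Spring MVC controller in which a user-provided path variable reaches an HTML response body unencoded, next to the HTML-encoded variant and a proxy-shaped method like the one posted above, where the body comes from the upstream response rather than from the request. Spring Web on the classpath, the class name, the routes and the upstream URL are all assumptions.

```java
// Added example (not from the thread). Assumes Spring Web; names and URLs are hypothetical.
import org.springframework.http.HttpMethod;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.util.HtmlUtils;

@RestController
public class PlayerPageController {

    private final RestTemplate restTemplate;

    public PlayerPageController(RestTemplate restTemplate) {
        this.restTemplate = restTemplate;
    }

    // Source: playerId comes straight from the request path, so it is user-controlled.
    // Sink: it is concatenated into a body that is served as text/html without encoding.
    // This is the source-to-sink flow a taint analysis needs to see before it can report XSS.
    @GetMapping("/players/{playerId}/unsafe")
    public ResponseEntity<String> unsafeProfile(@PathVariable String playerId) {
        String html = "<html><body><h1>Player " + playerId + "</h1></body></html>";
        return ResponseEntity.ok().contentType(MediaType.TEXT_HTML).body(html);
    }

    // Same flow, but the user-provided value is HTML-encoded before it reaches the body,
    // so '<', '>', '"', '\'' and '&' can no longer open markup in the page.
    @GetMapping("/players/{playerId}/safe")
    public ResponseEntity<String> safeProfile(@PathVariable String playerId) {
        String html = "<html><body><h1>Player " + HtmlUtils.htmlEscape(playerId) + "</h1></body></html>";
        return ResponseEntity.ok().contentType(MediaType.TEXT_HTML).body(html);
    }

    // Proxy shape from the thread: playerId only fills a URI template variable, and the
    // body returned to the client is whatever the upstream service sent back. No value
    // taken from this request is written into the response body, which is the situation
    // Sebastien describes when no user-provided data is visible in the posted code.
    @GetMapping("/players/{playerId}/proxied")
    public ResponseEntity<String> proxiedProfile(@PathVariable String playerId) {
        ResponseEntity<String> upstream = restTemplate.exchange(
                "https://upstream.example/players/{id}", HttpMethod.GET, null, String.class, playerId);
        return new ResponseEntity<>(upstream.getBody(), upstream.getHeaders(), upstream.getStatusCode());
    }
}
```

Requesting `/players/<script>alert(1)</script>/unsafe` versus the `/safe` route shows the difference in the served body; the `/proxied` route is the shape to extend when building a reproducer, by showing where the upstream body or the player object is populated from request data.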