On Java 11 with SonarQube Enterprise Edition, Version 8.9.6 (build 50800).
I have a problem with the rule "Change this code to not log user-controlled data", which means I have to sanitize the code to avoid \n\r\t injection.
In my controller I receive a POJO DocumentDto. In my mapper I change it to an entity element Document. During the mapping I make two manipulations:
- If a property has a string value with just a space or nothing, I change it to null
- If the string is filled, I replace \n\r\t with underscores
After that I display the value of the object in my log.
Sonar still thinks the data are tainted. It shows me this:
```
@PostMapping("/Document")
public ResponseEntity<DocumentDto> addDocument(@Valid @RequestBody
1 DocumentDto documentDto) {
    var document = DocumentMapper.mapperDocumentDtoToDocument(documentDto);
```
Point 1 says → data tainted, and I'm OK with that.
Then in my mapper:
```
public static DocumentContrat mapperDocumentContratDtoToDocumentContrat(DocumentContratDto input) {
3   var output = 2 new DocumentContrat();
    output.setCdApplicatif(getStringValueOrNullFromString(input.getCdApplicatif()));
    output.setCdUnifie(getStringValueOrNullFromString(input.getCdUnifie()));
```
Points 2 and 3 say → data tainted propagation. I'm NOT OK with that: the object is new, the data are empty.
Then in the controller, for Sonar the data are still tainted:
```
5   var document = 4 DocumentMapper.mapperDocumentDtoToDocument(documentDto);
    // some tests about data validity, you can see them in the complete code below
6   LOGGER.info("add documentContrat :\n{}", documentContrat);
```
Points 4 and 5 say → data tainted propagation.
Point 6 says "Change this code to not log user-controlled data".
For me it shouldn't consider that
```java
var output = new DocumentContrat()
```
propagates the tainted value. It's a new object!
It could say that filling the value could propagate the tainted value:
```java
output.setCdApplicatif(getStringValueOrNullFromString(input.getCdApplicatif()));
```
but if it analyzed this line it would find that getStringValueOrNullFromString sanitizes the data.
```java
public static String getStringValueOrNullFromString(String input) {
    return (input == null || input.isEmpty()) ? null : input.replaceAll("[\n\r\t]", "_");
}
```
So for me it's a false positive.
Here is the complete code:
```java
public ResponseEntity<DocumentDto> addDocument(@Valid @RequestBody DocumentDto documentDto) {
    var document = DocumentMapper.mapperDocumentDtoToDocument(documentDto);
    if (document.getDocumentId() != null) {
        return new ResponseEntity<>(HttpStatus.FORBIDDEN);
    }
    var documentDuplicates = new DocumentContrat();
    documentDuplicates.setCdUnifie(document.getCdUnifie());
    boolean hasNoDuplicates = this.documentContratService.searchDocument(documentDuplicates).isEmpty();
    if (!hasNoDuplicates) {
        return new ResponseEntity<>(HttpStatus.CONFLICT);
    }
    LOGGER.info("add document :\n{}", document);
    var documentUpdated = this.documentService.addDocument(document);
    updateTableDetails();
    return new ResponseEntity<>(DocumentMapper.mapperDocumentToDocumentDto(documentUpdated), HttpStatus.OK);
}

public static Document mapperDocumentDtoToDocument(DocumentDto input) {
    var output = new Document();
    output.setCdApplicatif(getStringValueOrNullFromString(input.getCdApplicatif()));
    output.setCdUnifie(getStringValueOrNullFromString(input.getCdUnifie()));
    output.setDocumentContratId(input.getDocumentContratId());
    output.setLbCode(getStringValueOrNullFromString(input.getLbCode()));
    return output;
}

public static String getStringValueOrNullFromString(String input) {
    return (input == null || input.isEmpty()) ? null : input.replaceAll("[\n\r\t]", "_");
}
```
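As an added example (not code from the post or from SonarQube) to make the risk behind the rule concrete: a client string with an embedded line break forges a second log record, the posted `getStringValueOrNullFromString` replaces only LF, CR and TAB and keeps a lone space (it tests `isEmpty()`, not blank), and a hardened variant `sanitizeForLog` (an assumed name) also strips ESC, the other control characters and the Unicode line separators. Whether SonarQube's taint engine recognises a given method as a sanitizer is a separate question not settled here; this only shows the data-level difference, and it needs Java 11 for `isBlank()`.

```java
import java.util.regex.Pattern;

public class LogSanitizerDemo {
    // Constructed sample of what a client could send in a DTO string field: a
    // line break followed by text shaped like a log record forges an entry.
    static final String FORGED = "ABC123\n2024-01-01 INFO fake record";

    // The post's sanitizer: only LF, CR and TAB are replaced, and a lone space
    // is kept because isEmpty() is false for it.
    public static String getStringValueOrNullFromString(String input) {
        return (input == null || input.isEmpty()) ? null : input.replaceAll("[\n\r\t]", "_");
    }

    // Hardened variant (added here, not the post's code): blank becomes null and
    // every ISO control character (LF, CR, TAB, ESC, DEL, ...) plus the Unicode
    // separators NEL, LS and PS is replaced, so no input can start a new line.
    static final Pattern CONTROL = Pattern.compile("[\\p{Cntrl}\\u0085\\u2028\\u2029]");

    public static String sanitizeForLog(String input) {
        if (input == null || input.isBlank()) {
            return null;
        }
        return CONTROL.matcher(input).replaceAll("_");
    }

    // Render control characters as hex escapes so the difference is visible.
    static String show(String s) {
        if (s == null) return "null";
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            boolean ctl = Character.isISOControl(c) || c == '\u2028' || c == '\u2029';
            sb.append(ctl ? String.format("<U+%04X>", (int) c) : String.valueOf(c));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        String[] samples = {
            FORGED,
            "   ",              // blank: the post wants this to become null
            "ok\u001B[31mred",  // ESC begins a terminal colour sequence; passes the post's filter
            "a\u0085b",         // NEL is a line break for some log viewers
        };
        for (String s : samples) {
            System.out.println("raw      : " + show(s));
            System.out.println("post     : " + show(getStringValueOrNullFromString(s)));
            System.out.println("hardened : " + show(sanitizeForLog(s)));
        }
    }
}
```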