-
What language is this for?
- Typescript
-
Which rule?
- ?
-
Why do you believe it’s a false-positive/false-negative?
- We identified it as vulnerability but SonarQube doesn’t report it
-
Are you using
- SonarQube Server / Community Build - which version?
- Enterprise Edition v2025.5 (113872)
-
How can we reproduce the problem? Give us a self-contained snippet of code (formatted text, no screenshots)
- Unfortunately I am unable to provide the exact code sample from our customer project due to NDA, and I lack time to build a minimum example. However, I still think you might be interested in false negatives here and could quickly put this together yourself:
Basically there is a NodeJS application with the well-known ExpressJS as web server. One route allows providing the filename (without extension) as one parameter and a list of paths where to look for files as another parameter (yeah, bad idea, no idea how someone came up with that). The server then puts these together, appends the JSON file extension, parses it as JSON, merges the JSON arrays and returns the result as JSON. This way any JSON file on the server can be read, including config files with secrets.
Some snippet parts I can provide which I think are sufficient to reproduce:
```typescript
import express from 'express';
import { XReader } from './XReader';

export class ApiServer {
  // Route prefix is supplied by the surrounding application (value not shown here).
  constructor(private readonly _apiRoute: string) {}

  private setupApiRouting(expressServer: express.Express): void {
    const router = express.Router();
    this.mountFeatureX(router);
    expressServer.use(this._apiRoute, router);
  }

  private mountFeatureX(router: express.Router): void {
    router.get('/X', async (req, res) => {
      try {
        // Reading filename and paths straight from the query parameters (source)
        const x = await XReader.read(req.query.filename as string, req.query.paths as string);
        res.json(x); // returning file contents to the client
      } catch (error) {
        res.status(404).send('Failure when getting the X files');
      }
    });
  }
}
```
```typescript
// XReader.ts
import * as fse from 'fs-extra';
import * as path from 'path';

export class XReader {
  public static async read(filename: string, paths: string): Promise<{ [key: string]: Object }[]> {
    // Comma-separated list of directories, entirely user controlled
    const pathsArray = paths ? paths.split(',') : [];
    const allX: { [key: string]: Object }[] = [];
    for (const dir of pathsArray) {
      allX.push(dir ? await this.getX(dir, filename) : {});
    }
    return allX;
  }

  private static async getX(pathName: string, filename: string): Promise<{}> {
    // Building the final path from the user-provided directory and filename, plus extension
    const relatedPath = path.join(pathName, filename + '.json');
    let x: { [key: string]: Object } = {};
    try {
      x = await fse.readJSON(relatedPath); // reading the JSON file from the user-provided path (sink)
    } catch (error) {
      // logging
    }
    return x;
  }
}
```
I hope that works for you.
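For readers comparing the pattern above with a hardened version, here is an added example (not code from the report or from SonarSource) that puts the reported join next to a checked equivalent. The base directory `/srv/app/data`, the allowlist of sub-directories and the filename pattern are assumptions made for the example; a real service would take them from configuration. The check applies three independent controls: the filename must be a single plain segment, the directory must be on an allowlist, and the fully resolved path must still lie under the base directory.

```typescript
import * as path from 'path';
import { promises as fs } from 'fs';

// Constructed for this example: the only directory tree the route may read from.
// Real code would load this from configuration rather than hard-code it.
const BASE_DIR = path.resolve('/srv/app/data');

// Hypothetical allowlist of sub-directories a caller may name, and the shape a
// bare filename (no extension, no separators, no dots) must have.
const ALLOWED_DIRS: ReadonlySet<string> = new Set(['featureX', 'featureY']);
const SAFE_FILENAME = /^[A-Za-z0-9_-]{1,64}$/;

// The reported pattern: both components come from the query string and are
// joined with nothing more than an extension appended. '/etc' + 'secrets'
// becomes '/etc/secrets.json', so any readable JSON file on the host is reachable.
export function unsafeJsonPath(pathName: string, filename: string): string {
  return path.join(pathName, filename + '.json');
}

// Hardened check. Returns null when the pair is acceptable, otherwise the reason
// it was rejected. The final containment test is redundant given the first two
// checks, but keeps the function safe if the allowlist is later relaxed.
export function rejectionReason(pathName: string, filename: string): string | null {
  if (!SAFE_FILENAME.test(filename)) {
    return 'filename must be a single segment of [A-Za-z0-9_-]';
  }
  if (!ALLOWED_DIRS.has(pathName)) {
    return 'directory is not on the allowlist';
  }
  const resolved = path.resolve(BASE_DIR, pathName, filename + '.json');
  const rel = path.relative(BASE_DIR, resolved);
  if (rel === '' || rel.startsWith('..') || path.isAbsolute(rel)) {
    return 'resolved path escapes the base directory';
  }
  return null;
}

// Builds the path only after every check passes. Callers should map the thrown
// error to a 400 rather than a 404, so a rejected request is distinguishable
// from a file that simply does not exist.
export function safeJsonPath(pathName: string, filename: string): string {
  const reason = rejectionReason(pathName, filename);
  if (reason !== null) {
    throw new Error(`rejected ${JSON.stringify({ pathName, filename })}: ${reason}`);
  }
  return path.resolve(BASE_DIR, pathName, filename + '.json');
}

// Replacement for the fs-extra readJSON call in the report: the file is read
// only through safeJsonPath, and fs.promises avoids the extra dependency.
export async function readJson(pathName: string, filename: string): Promise<unknown> {
  const resolved = safeJsonPath(pathName, filename);
  const text = await fs.readFile(resolved, 'utf8');
  return JSON.parse(text);
}
```

With this in place, `readJson('featureX', 'en')` resolves to `/srv/app/data/featureX/en.json`, while `readJson('/etc', 'secrets')` and `readJson('featureX', '../../etc/secrets')` are refused before any file system call is made. The allowlist is the stronger control; the regex and containment test are what keep the function safe if someone later turns the allowlist into a prefix match.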