False positive for private methods accessed publicly via __call defined inside Traits

Andumy · September 27, 2023, 10:36am

Hello,
I’m opening a new issue ticket as a continuation of False positive for private methods accessed publicly via __call
After updating to SonarQube 10.2 the false positives are still generated.

You can see below the full non-simplified case that is triggering the issue. For context, this is inside a Laravel 10 application.

ContractController

class ContractController extends Controller
{
    use ModuleProtected;

    #[Module(ModuleIdentifiers::LEGAL, ModuleEntrypointTypes::ENDPOINT)]
    private function show( //this method is marked as unused private method
        Contract $contract
    ): JsonResponse {
        return new JsonDataResponse(ContractData::from($contract), Response::HTTP_OK);
    }
}

ModuleProtected

trait ModuleProtected
{
    public function __call($method, $arguments)
    {
        if (method_exists($this, $method)) {
            $proxy = new ReflectionMethod(self::class, $method);
            $attributes = $proxy->getAttributes(Module::class);

            /** @var ModuleGuard $moduleGuard */
            $moduleGuard = App::make(ModuleGuard::class);

            foreach ($attributes as $attribute) {
                if ($attribute->getName() === Module::class) {
                    /** @var ModuleIdentifiers|ModuleIdentifiers[] $modules */
                    $modules = $attribute->getArguments()[0];

                    /** @var ModuleEntrypointTypes $entryPointType */
                    $entryPointType = $attribute->getArguments()[1];

                    if (! $moduleGuard->authenticate($modules)) {
                        return match ($entryPointType) {
                            ModuleEntrypointTypes::ENDPOINT => new JsonMessageResponse(
                                GeneralResponseCodes::getCode(GeneralResponseCodes::ACCESS_FORBIDDEN),
                                Response::HTTP_FORBIDDEN
                            ),
                            ModuleEntrypointTypes::COMMAND => 0,
                            ModuleEntrypointTypes::EVENT_LISTENER => null,
                        };
                    }
                }
            }

            return call_user_func_array([$this, $method], $arguments);
        }
        trigger_error('Call to undefined method '.__CLASS__.'::'.$method.'()', E_USER_ERROR);
    }
}

api.php

Route::prefix('contract')->group(function () {
        Route::get('{contract}', [ContractController::class, 'show'])->name('contract.show');
 });

The idea is that when the route contract/{contract} is accessed because the show method is private, the __call that is defined inside the ModuleProtected trait is called instead. Inside that, it is checked if the user that initiated the request has access to the ModuleIdentifiers::LEGAL module and if not returns an appropriate response based on the ModuleEntrypointTypes. Otherwise, just call the private method. (The access logic inside the __call method is irrelevant for the sonarqube false flagging issue, but I’ve explained it for better context).

I think that the issue is that Sonarqube is not checking the __call methods defined inside traits.

Thank you,
Andrei

jonas.wielage · October 2, 2023, 8:33am

Hello @Andumy ,

thanks for raising this issue with us.

Indeed, when solving the previous ticket, traits were not correctly taken into account. This results in your code snippet raising a false positive issue.
I created this ticket, which will address the false positive in the next development iteration of the PHP analyzer.

Best,
Jonas