False positive roslyn.sonaranalyzer.security.cs:S2076

hi,

I am using Enterprise Edition Version 9.5 (build 56709)
I have the following code:

    using System;
    using System.ComponentModel;
    using System.Diagnostics;

    public static class WebPageLauncher
    {
        public static void Launch(string url)
        {
            try
            {
                Process.Start(url); // url is never user data
            }
            catch (Win32Exception e)
            {
                // error managing
            }
            catch (Exception e)
            {
                // error managing
            }
        }
    }

I get the following vulnerability:
    Change this code to not construct the OS command from user-controlled data. (S2076)

To me, this is a false positive. url is a string that comes from my program, and not from the user.

I've tried to introduce some validation (e.g. if url.Contains("")), but it didn't make a difference.

Hello,

If url is not user-controlled, you are right that there is no vulnerability. The question now is: why does the analyzer think it is user input? Can you share more information about the code, for example how the function is called and what exactly SonarQube reports.

Thanks for the prompt answer.
This is what SQ provides as message:
[image]

Code is called like this

    public void BrowseToUrl(Link link)
    {
        if (!string.IsNullOrEmpty(link.Url))
        {
            WebPageLauncher.Launch(link.Url);
        }
    }

And this BrowseToUrl is used in

    [OperationContract]
    [WebInvoke(UriTemplate = "/BrowseToUrl", Method = "POST")]
    void BrowseToUrl(Link link);

This is the communication between the web side and the code side of the app, but it happens within the same machine that runs the software, so perhaps SonarQube is led to believe that it is user driven.

Is there any way to code this so the scan passes? I've tried some validation of the url string, but it has not been successful.

I see, thanks for sharing! If you are certain that an attacker will never be able to reach it, you could simply mark the issue as a false-positive. If you want to harden the code, you could for example use a regular expression to limit the character set. For example, with this method.
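As an added illustration of the hardening the reply suggests (this is example code written for this thread, not the method the reply links to and not part of the original project): the launcher below validates the string before it reaches Process.Start. It restricts the character set with a regular expression, requires the value to parse as an absolute URI, and allow-lists the scheme, so a value that reaches the WCF endpoint from the web side is constrained to an http(s) URL. The class name SafeWebPageLauncher and the sample inputs in Main are constructed for the example.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Text.RegularExpressions;

// Added example, not code from the thread: a launcher that rejects anything
// that is not a well-formed http(s) URL before handing it to the OS shell.
public static class SafeWebPageLauncher
{
    // Only these schemes are ever passed to Process.Start.
    private static readonly string[] AllowedSchemes = { "http", "https" };

    // Conservative character set for the whole URL (RFC 3986 unreserved, reserved
    // and percent-encoding characters). Whitespace and control characters are rejected.
    private static readonly Regex AllowedChars =
        new Regex(@"^[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+$", RegexOptions.Compiled);

    // Returns a validated absolute URI, or null if the input is rejected.
    public static Uri Validate(string url)
    {
        if (string.IsNullOrWhiteSpace(url) || url.Length > 2048) return null;
        if (!AllowedChars.IsMatch(url)) return null;
        if (!Uri.TryCreate(url, UriKind.Absolute, out Uri uri)) return null;
        if (Array.IndexOf(AllowedSchemes, uri.Scheme) < 0) return null;
        return uri;
    }

    // Opens the validated URL in the default browser; returns false if rejected or launch failed.
    public static bool TryLaunch(string url)
    {
        Uri uri = Validate(url);
        if (uri == null) return false;
        try
        {
            // UseShellExecute must be true to open a URL with the default browser;
            // it defaults to false on .NET Core / .NET 5+, where Process.Start(string)
            // with a URL otherwise throws Win32Exception.
            Process.Start(new ProcessStartInfo(uri.AbsoluteUri) { UseShellExecute = true });
            return true;
        }
        catch (Win32Exception)
        {
            return false;
        }
    }

    public static void Main()
    {
        // Constructed sample inputs: the first is accepted, the rest are rejected
        // by the scheme allow-list, the URI parser and the character set respectively.
        string[] samples =
        {
            "https://example.com/docs/page?id=42",
            "file:///C:/Windows",
            "not a url",
            "https://example.com/path with spaces",
        };
        foreach (string s in samples)
        {
            Uri uri = Validate(s);
            Console.WriteLine($"{(uri == null ? "REJECT" : "ACCEPT")}  {s}");
        }
    }
}
```

Whether the analyzer recognizes this validation as a sanitizer and stops reporting S2076 is not something the thread confirms; if the issue is still raised on code that only ever receives program-controlled values, marking it as a false positive in SonarQube, as the reply suggests, remains the documented route.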
