Help SonarCloud with understanding the usage of untrusted and tainted input

(Freddy Groen) #1

Hey all,

I’m a bit in the dark on how I can help SonarCloud understand that we are actually validating/whitelisting user input, so we can get rid of some blocker issues and get a nice pretty rating on our project.

As an example, we have a C# application with some MVC controllers that delete resources from a folder managed by the application. We do a lot of validation on the input and make quite an effort to generate a path that is valid and safe.
Here we get a ‘Refactor this code to not construct the path from tainted, user-controlled data.’

Another example are some actions that have a redirectUrl as parameter. For example in a Login action.
SonarCloud gives me a nice ‘Refactor this code to not perform redirects based on tainted, user-controlled data.’ issue, but all the code is doing checks to make sure the input we receive is safe.

How can I let SonarCloud know about this? Do any of you guys have some suggestions maybe?
Marking these issues as false positives doesn’t feel right.

Best regards,
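The two validations the post describes (building a safe path inside an application-managed folder, and only following a redirect to a local URL), as an added example that is not code from the original post or from SonarCloud. The folder name, the allow-list pattern for file names and the sample inputs are constructed assumptions; the page does not say which checks SonarCloud’s taint analysis recognizes as sanitizers, so this block only shows the checks themselves, written as plain .NET code without ASP.NET dependencies so it runs stand-alone.

```csharp
using System;
using System.IO;
using System.Text.RegularExpressions;

public static class TaintedInputChecks
{
    // Allow-list for the user-supplied resource name: a single file name, restricted
    // character set, no separators. Assumed policy for this example; tighten to taste.
    private static readonly Regex AllowedName =
        new Regex(@"^[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,8}$", RegexOptions.CultureInvariant);

    // Resolves a user-supplied name to an absolute path and only succeeds if the
    // canonical result is still inside the managed base directory.
    public static bool TryResolveManagedPath(string baseDirectory, string userSuppliedName, out string fullPath)
    {
        fullPath = null;
        if (string.IsNullOrWhiteSpace(userSuppliedName)) return false;
        if (!AllowedName.IsMatch(userSuppliedName)) return false;
        // Belt and braces: the name must be a bare file name, not a relative path.
        if (!string.Equals(userSuppliedName, Path.GetFileName(userSuppliedName), StringComparison.Ordinal)) return false;

        string root = Path.GetFullPath(baseDirectory);
        string separator = Path.DirectorySeparatorChar.ToString();
        if (!root.EndsWith(separator, StringComparison.Ordinal)) root += separator;

        // Canonicalize, then check containment on the canonical form (not on the raw input).
        string candidate = Path.GetFullPath(Path.Combine(root, userSuppliedName));
        if (!candidate.StartsWith(root, StringComparison.Ordinal)) return false;

        fullPath = candidate;
        return true;
    }

    // Accepts only URLs that stay on this site: "/path" or "~/path", rejecting
    // protocol-relative ("//host"), backslash tricks ("/\host"), absolute URLs and
    // anything with control characters.
    public static bool IsLocalRedirect(string url)
    {
        if (string.IsNullOrEmpty(url)) return false;
        foreach (char c in url)
            if (c < 0x20 || c == 0x7f) return false;

        if (url[0] == '/')
        {
            if (url.Length == 1) return true;
            return url[1] != '/' && url[1] != '\\';
        }
        if (url[0] == '~' && url.Length > 1 && url[1] == '/')
        {
            if (url.Length == 2) return true;
            return url[2] != '/' && url[2] != '\\';
        }
        return false;
    }

    public static void Main()
    {
        // Constructed sample inputs; the base directory is an assumed location.
        string baseDir = Path.Combine(Path.GetTempPath(), "managed-resources");
        string[] names = { "report.pdf", "ok_name-1.txt", "../web.config", "..\\..\\secret.txt", "sub/dir.txt", "" };
        foreach (string name in names)
        {
            string verdict = TryResolveManagedPath(baseDir, name, out string resolved) ? resolved : "REJECTED";
            Console.WriteLine($"path   {name,-20} -> {verdict}");
        }

        string[] urls = { "/Account/Profile", "~/Home", "//evil.example", "/\\evil.example",
                          "https://evil.example/", "javascript:alert(1)", "/ok\r\nSet-Cookie: x=1" };
        foreach (string url in urls)
            Console.WriteLine($"url    {url,-20} -> {(IsLocalRedirect(url) ? "local, safe to follow" : "REJECTED")}");
    }
}
```

In a controller the pattern is the same: call `TryResolveManagedPath` and only pass the returned `fullPath` to `File.Delete`, and only `Redirect(url)` when `IsLocalRedirect(url)` is true, falling back to a fixed action otherwise. For the redirect case ASP.NET (and ASP.NET Core) already ship `Url.IsLocalUrl(string)` and, in ASP.NET Core, `LocalRedirect(string)`, which implement this same local-URL rule; prefer those over a hand-written check in a real application.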