Help SonarCloud with understanding the usage of untrusted and tainted input

Hi @Alexandre_Gigleux,

No problem about the delay, that is somewhat expected during the summer :smiley:

I have some examples, not the best, but they give an idea of the items SonarCloud found in our code:

    [HttpGet]
    public ActionResult ShowDocument(string plugin, string contentId)
    {
        // plugin is the source, the rest propagates the value..
        var data = GetPreviewMetadata(plugin, contentId);
        ..
        // logic that creates a nice model in case data is null
        ..
        return View(model);
    }

    private PreviewMetadata GetPreviewMetadata(string plugin, string contentId)
    {
        // check if plugin is known to us and contentId is valid
        var metadata = PreviewHelper.CheckPlugin(plugin, contentId);
        if (metadata == null)
        {
            return null;
        }

        // this is the culprit, the preview helper is doing some caching on the filesystem
        // it creates a directory where plugin is used in the name.
        // if the plugin value was invalid, we could not get to this line
        var previewHelper = new PreviewHelper(plugin, contentId, metadata);
        return previewHelper.GetPreviewMetadata(plugin, contentId);
    }

We have a few similar situations, where we validate user input, sanitize and create a temporary folder/file on the filesystem. In a few cases we show the user an error message.

I’m curious how we can help SonarCloud understand that we handled the user input?

The rule in SonarCloud says the following is compliant:

    // Restrict the username to letters and digits only
    if (!Regex.IsMatch(user, "^[a-zA-Z0-9]+$"))
    {
        return BadRequest();
    }

Is this the only pattern it detects? We have a somewhat similar piece of code, but it throws an exception.

    public static string Combine(string path1, string path2)
    {
        if (Path.IsPathRooted(path2))
        {
            throw new ArgumentException("Invalid", nameof(path2));
        }
        return Path.Combine(path1, path2);
    }

And what about logic that cannot return a BadRequest() but just serves a nice explanation to the user?

Best regards,
Freddy
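An added example (not code from the post above, and not SonarSource's): the two checks the thread discusses, written as a throwing validator rather than a `BadRequest()` early return, plus a `Combine` variant that canonicalizes the result and checks it stays under the base directory, which catches `..` segments that a rooted-path check alone does not. The class and method names (`SafePaths`, `ValidatePluginName`, `SafeCombine`) and the sample inputs are assumptions made for this example; the plugin-name allowlist reuses the pattern quoted from the rule description.

```csharp
using System;
using System.IO;
using System.Text.RegularExpressions;

// Hypothetical helper class; names are chosen for this example only.
public static class SafePaths
{
    // Allowlist: plugin names are letters and digits only, the same shape as
    // the regex quoted from the SonarCloud rule description.
    private static readonly Regex PluginName = new Regex("^[a-zA-Z0-9]+$", RegexOptions.Compiled);

    // Throws on invalid input, so every caller gets the check regardless of
    // which HTTP response (or friendly error page) the controller builds later.
    public static string ValidatePluginName(string plugin)
    {
        if (plugin == null || !PluginName.IsMatch(plugin))
        {
            throw new ArgumentException("Plugin name must be letters and digits only", nameof(plugin));
        }
        return plugin;
    }

    // Rejects rooted segments, then canonicalizes the combined path and
    // rejects any result that escapes the base directory (e.g. via "..").
    public static string SafeCombine(string baseDirectory, string relative)
    {
        if (Path.IsPathRooted(relative))
        {
            throw new ArgumentException("Path must be relative", nameof(relative));
        }

        string fullBase = Path.GetFullPath(baseDirectory);
        if (!fullBase.EndsWith(Path.DirectorySeparatorChar.ToString()))
        {
            fullBase += Path.DirectorySeparatorChar;
        }

        string combined = Path.GetFullPath(Path.Combine(fullBase, relative));
        if (!combined.StartsWith(fullBase, StringComparison.Ordinal))
        {
            throw new ArgumentException("Path escapes the base directory", nameof(relative));
        }
        return combined;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample inputs; nothing is created on disk.
        string cacheRoot = Path.Combine(Path.GetTempPath(), "preview-cache");
        string[] candidates = { "pdf", "image2", "../../etc", "na me", "" };

        foreach (string candidate in candidates)
        {
            try
            {
                string plugin = SafePaths.ValidatePluginName(candidate);
                string dir = SafePaths.SafeCombine(cacheRoot, plugin);
                Console.WriteLine($"accepted '{candidate}' -> {dir}");
            }
            catch (ArgumentException ex)
            {
                // A view model with a friendly explanation can be built from
                // this exception instead of returning BadRequest().
                Console.WriteLine($"rejected '{candidate}': {ex.Message}");
            }
        }

        // The containment check matters for a relative part that is not
        // allowlisted by regex, e.g. a content id used as a file name.
        try
        {
            SafePaths.SafeCombine(cacheRoot, Path.Combine("..", "outside"));
        }
        catch (ArgumentException ex)
        {
            Console.WriteLine($"rejected traversal: {ex.Message}");
        }
    }
}
```

Keeping the validation in one small method that throws gives the analyzer a single place to treat as a sanitizer if it is configured to, and keeps the check in front of the filesystem call whatever the controller decides to show the user. The `StringComparison.Ordinal` prefix check is deliberately strict; on case-insensitive filesystems a canonical-case comparison would be needed as well.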