Help with warning about logging user controlled data

Hi,

A vulnerability was reported recently on one of the open source projects I contribute to.

The warning "Change this code to not log user-controlled data" is presented for the following code:

log.info("Fetching {} with ID: {}", recordType, sanitizeLogParameter(id));

The excellent trace feature in these reports tracks back the source of the user controlled data to the retrieval of a header.

return routingContext.request().getHeader(header);

This header is part of the state that makes it to the later code; however, it does not participate in the logging as far as I can tell.

I’m hoping someone can help me understand why this is being reported and what needs to be done to mitigate it.

Any help is appreciated, thank you.

Marc

Hi @marcjohnson-kint,

Thank you for sharing this issue.

I looked into the execution flow and it’s a false-positive.
At the last step we report that field recordType is tainted by user inputs, although it's not.

As of today we have basic support for fields in the security engine. Basically, if one field of an object is tainted, all the object's fields become tainted. This limitation is called "field-insensitivity".

We are currently working on improving the support of fields in the security engine:
https://jira.sonarsource.com/browse/MMF-1697

Once this improvement is delivered to SonarCloud (in the next few days) you will see the issue disappearing at the next analysis.

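To illustrate the field-insensitivity Pierre-Loup describes, here is an added toy taint tracker (example code, not Sonar's security engine and not the project's own code). The program, variable and field names are constructed to mirror the thread: a state object gets its header field from the request and its recordType from a constant, and only recordType is logged.

```python
# Constructed toy model: a program is a list of (op, var, field) tuples.
#   ("source", var, fld)  -> var.fld = user input (tainted, e.g. a request header)
#   ("const",  var, fld)  -> var.fld = constant   (clean)
#   ("sink",   var, fld)  -> log(var.fld)         (reported if the value is tainted)

def analyze(program, field_sensitive):
    """Return a list of (step, var, fld) where a tainted value reaches a sink.

    field_sensitive=True  tracks taint per (var, fld) pair.
    field_sensitive=False tracks taint per var only: once any field of an
    object is tainted, every field of that object is treated as tainted.
    """
    tainted = set()
    findings = []
    for step, (op, var, fld) in enumerate(program):
        key = (var, fld) if field_sensitive else var
        if op == "source":
            tainted.add(key)
        elif op == "const":
            if field_sensitive:
                # Strong update: this one field now holds a clean value.
                tainted.discard(key)
            # Field-insensitive: a clean write to one field says nothing about
            # the other fields of the object, so the object stays tainted.
        elif op == "sink" and key in tainted:
            findings.append((step, var, fld))
    return findings


# Constructed program mirroring the thread's false positive.
STATE_PROGRAM = [
    ("source", "state", "header"),       # state.header = request.getHeader(...)
    ("const",  "state", "recordType"),   # state.recordType = "Record"
    ("sink",   "state", "recordType"),   # log.info("Fetching {} ...", state.recordType)
]

# Constructed program where the header itself is logged (a true positive).
HEADER_LOG_PROGRAM = [
    ("source", "state", "header"),
    ("sink",   "state", "header"),
]

def insensitive_findings():
    return analyze(STATE_PROGRAM, field_sensitive=False)

def sensitive_findings():
    return analyze(STATE_PROGRAM, field_sensitive=True)
```

The field-insensitive run reports the recordType log line even though only the header is user-controlled; the field-sensitive run reports nothing for it, while both still report HEADER_LOG_PROGRAM, where the tainted header really is logged.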

@Pierre-Loup_Tristant

Thank you for your quick response and great explanation. That is really useful to know, I will monitor the relevant JIRA issue.

Much appreciated and a wonderful first experience with the Sonar community,

Marc


Hi @marcjohnson-kint,

The improvement I mentioned last week has been delivered to SonarCloud and the false-positive you reported is now closed.

A few days back we delivered a new feature where you can give us feedback easily when you mark an issue as false-positive or won’t fix.

Of course feedback on the community forum is always welcome!

Pierre-Loup

Thank you @Pierre-Loup_Tristant

I will experiment with the improvement to taint detection.

I wasn’t aware of that feature to give feedback in situ, that is great, I will consider using that in future.

Thanks again,

Marc
