Help with warning about logging user controlled data


A vulnerability was reported recently on one of the open source projects I contribute to.

The warning "Change this code to not log user-controlled data" is presented for the following code:

"Fetching {} with ID: {}", recordType, sanitizeLogParameter(id));

The excellent trace feature in these reports tracks back the source of the user controlled data to the retrieval of a header.

return routingContext.request().getHeader(header)

This header is part of the state that makes it to the later code; however, it does not participate in the logging as far as I can tell.

I’m hoping someone can help me understand why this is being reported and what needs to be done to mitigate it.

Any help is appreciated, thank you.


Hi @marcjohnson-kint,

Thank you for sharing this issue.

I looked into the execution flow and it’s a false-positive.
At the last step we report that field recordType is tainted by user inputs, although it's not.

As of today we have basic support of fields in the security engine. Basically, if one field of an object is tainted, all the object's fields become tainted. This limitation is called "field-insensitivity".

We are currently working on improving the support of fields in the security engine:

Once this improvement is delivered to SonarCloud (in the next few days) you will see the issue disappearing at the next analysis.

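To make the "field-insensitivity" explanation above concrete, here is a toy taint tracker added for illustration. It is not code from this thread and not the SonarSource engine; the mini-program it analyses is a constructed sketch of the reported flow (a header read into a request-state object, a constant recordType, a sanitized id, and a log sink), and the statement shapes, labels and sanitizer semantics are assumptions. Running the same program through an object-level (field-insensitive) and a field-level (field-sensitive) analysis reproduces the false positive and shows why the improvement makes it disappear.

```python
"""Toy taint propagation: field-insensitive vs field-sensitive tracking.

Statements (constructed mini-IR, not a real analysis engine):
  ("assign", (obj, field), expr)   store expr into obj.field
  ("sink", name, [expr, ...])      report any tainted argument at a sink
Expressions:
  ("source", label)                user-controlled input carrying `label`
  ("const",)                       a literal, never tainted
  ("load", (obj, field))           read obj.field
  ("sanitize", expr)               sanitizer clears taint (assumed effective)
"""
from typing import Dict, FrozenSet, List, Tuple

Taint = FrozenSet[str]
NO_TAINT: Taint = frozenset()

# Constructed program mirroring the thread's flow (assumed names/shapes).
PROGRAM: List[tuple] = [
    # routingContext.request().getHeader(header) stored on the request state
    ("assign", ("state", "header"), ("source", "http-header")),
    # recordType is a constant, not derived from any request input
    ("assign", ("state", "recordType"), ("const",)),
    # the id comes from the request but is passed through a sanitizer
    ("assign", ("state", "id"), ("source", "http-param")),
    # log("Fetching {} with ID: {}", recordType, sanitizeLogParameter(id))
    ("sink", "log", [
        ("load", ("state", "recordType")),
        ("sanitize", ("load", ("state", "id"))),
    ]),
]


def _key(ref: Tuple[str, str], field_sensitive: bool) -> Tuple[str, str]:
    """Field-insensitive analysis collapses every field onto the object itself."""
    obj, fld = ref
    return (obj, fld) if field_sensitive else (obj, "*")


def _eval(expr: tuple, env: Dict[tuple, Taint], field_sensitive: bool) -> Taint:
    kind = expr[0]
    if kind == "source":
        return frozenset({expr[1]})
    if kind == "const":
        return NO_TAINT
    if kind == "sanitize":
        return NO_TAINT  # assumption: the sanitizer neutralises log injection
    if kind == "load":
        return env.get(_key(expr[1], field_sensitive), NO_TAINT)
    raise ValueError(f"unknown expression kind {kind!r}")


def analyze(program: List[tuple], field_sensitive: bool) -> List[Tuple[str, int, Taint]]:
    """Return (sink name, argument index, taint labels) for each tainted sink argument."""
    env: Dict[tuple, Taint] = {}
    findings: List[Tuple[str, int, Taint]] = []
    for stmt in program:
        if stmt[0] == "assign":
            key = _key(stmt[1], field_sensitive)
            taint = _eval(stmt[2], env, field_sensitive)
            if field_sensitive:
                # Strong update: this exact field now holds exactly this value.
                env[key] = taint
            else:
                # Weak update: other fields of the object may still be tainted,
                # so the object-level taint can only grow (the false-positive source).
                env[key] = env.get(key, NO_TAINT) | taint
        elif stmt[0] == "sink":
            for index, arg in enumerate(stmt[2]):
                taint = _eval(arg, env, field_sensitive)
                if taint:
                    findings.append((stmt[1], index, taint))
        else:
            raise ValueError(f"unknown statement kind {stmt[0]!r}")
    return findings


if __name__ == "__main__":
    print("field-insensitive:", analyze(PROGRAM, field_sensitive=False))
    print("field-sensitive:  ", analyze(PROGRAM, field_sensitive=True))
```

The field-insensitive run flags argument 0 of the log sink (recordType) with the labels of both request inputs, even though recordType is a constant, because storing the header on `state` tainted the whole object. The field-sensitive run tracks `state.header`, `state.recordType` and `state.id` separately, so the only tainted value reaching the sink is the sanitized id and nothing is reported. Real engines also have to handle aliasing and weak updates for unknown fields, which is why field sensitivity is harder than this toy suggests.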


Thank you for your quick response and great explanation. That is really useful to know, I will monitor the relevant JIRA issue.

Much appreciated and a wonderful first experience with the Sonar community,



Hi @marcjohnson-kint,

The improvement I mentioned last week has been delivered to SonarCloud and the false-positive you reported is now closed.

A few days back we delivered a new feature where you can give us feedback easily when you mark an issue as false-positive or won’t fix.

Of course feedback on the community forum is always welcome!


Thank you @Pierre-Loup_Tristant

I will experiment with the improvement to taint detection.

I wasn’t aware of that feature to give feedback in situ, that is great, I will consider using that in future.

Thanks again,

