How to recognize user data in PHP custom configuration when using sunrise/http-router

Hello,

I am trying to write another PHP custom configuration for an external library, Sunrise Solutions.
I want to treat $request->name as user data and detect SQL injection.

My dummy code looks like this:

<?php

declare(strict_types=1);

namespace App\Controller;

use App\Model\User;
use App\Request\TestRequest;
use Psr\Http\Message\ResponseInterface;
use Sunrise\Http\Message\Response\JsonResponse;
use Sunrise\Http\Router\Annotation\Consumes;
use Sunrise\Http\Router\Annotation\Pattern;
use Sunrise\Http\Router\Annotation\PostApiRoute;
use Sunrise\Http\Router\Annotation\Produces;
use Sunrise\Http\Router\Annotation\RequestBody;
use Sunrise\Http\Router\Annotation\RequestVariable;
use Sunrise\Http\Router\Dictionary\MediaType;

#[Pattern('parameter', '.*')]
final class TestController
{
    #[PostApiRoute('direct', '/skeleton/v1/direct/{parameter}')]
    #[Consumes(MediaType::JSON)]
    #[Produces(MediaType::JSON)]
    public function direct(
        #[RequestVariable]
        string $parameter,
        #[RequestBody]
        TestRequest $request,
    ): ResponseInterface
    {
        $data = User::fetchFromNameWithDirect($request->name);

        return new JsonResponse(200, [
            'message' => $data[1]['password'],
        ]);
    }
}

I configured PHP Custom Configuration as follows, but it doesn’t work as expected.

{
  "S3649": {
    "sources": [
      {
        "methodId": "Sunrise\\Http\\Router\\Annotation\\RequestBody::__construct"
      }
    ],
    "sinks": [
      {
        "methodId": "App\\Model\\User::fetchFromNameWithDirect",
        "args": [1]
      }
    ]
  }
}

Is there any mistake in my configuration method or approach?

I am running Sonar Enterprise, version v2025.3.

Thank you

Hey @tomoyuki-fujii,

I am very sorry for taking so long to get back to you.

The custom configuration feature only allows you to add function calls that should be supported as sources.

Here you are trying to model a property access of an object as a source. Unfortunately, this is currently not supported. You tried (cleverly) to model the constructor of the accessed object as a source to achieve the desired effect, but, unfortunately, due to the way the engine internally functions, this won’t work.

In principle, it should not be overly difficult to add support for this use case. Could you perhaps elaborate a bit on your use case and how important it is for you? Let me also loop in our PM @Alexandre_Gigleux to see if this use case has come up before.

Best,

Malte
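As an added example (not code from this thread, from Sonar or from sunrise/http-router), one way to turn the property access into a function call that the configuration can name: give the request model a getter, declare that method as the source, and keep the sink entry from the question. TestRequest::getName(), the PDO connection and the body of the sink are assumptions made for illustration; whether the engine then tracks the taint as hoped is not confirmed by the thread.

```php
<?php
// Added example. Assumes the analyzer accepts a method call as a source in the
// same "methodId" format the question used; getName() is a hypothetical getter.
declare(strict_types=1);

namespace App\Request;

final class TestRequest
{
    public function __construct(public readonly string $name) {}

    // Exposing the user-controlled value through a method call gives the
    // custom configuration a function to declare as a taint source.
    public function getName(): string
    {
        return $this->name;
    }
}

namespace App\Model;

final class User
{
    // Sink as the question describes it: $name is interpolated into SQL text,
    // which is why the configuration lists this method as an S3649 sink.
    public static function fetchFromNameWithDirect(string $name): array
    {
        $pdo = new \PDO('sqlite::memory:');            // hypothetical connection
        return $pdo->query("SELECT * FROM users WHERE name = '$name'")->fetchAll();
    }

    // Hardened variant: a prepared statement keeps $name out of the SQL text.
    public static function fetchFromName(string $name): array
    {
        $pdo = new \PDO('sqlite::memory:');
        $stmt = $pdo->prepare('SELECT * FROM users WHERE name = :name');
        $stmt->execute([':name' => $name]);
        return $stmt->fetchAll();
    }
}

/* Matching custom configuration (same shape as in the question):
{
  "S3649": {
    "sources": [ { "methodId": "App\\Request\\TestRequest::getName" } ],
    "sinks":   [ { "methodId": "App\\Model\\User::fetchFromNameWithDirect", "args": [1] } ]
  }
} */
```

The controller then calls `User::fetchFromNameWithDirect($request->getName())` instead of passing `$request->name`, so the value flows from a named source method into the named sink.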