Hello,
I am trying to write another PHP custom configuration, for external library, Sunrise Solutions.
I want to treat $request->name as user data and detect SQL injection.
My dummy code looks like this:
<?php

declare(strict_types=1);

namespace App\Controller;

use App\Model\User;
use App\Request\TestRequest;
use Psr\Http\Message\ResponseInterface;
use Sunrise\Http\Message\Response\JsonResponse;
use Sunrise\Http\Router\Annotation\Consumes;
use Sunrise\Http\Router\Annotation\Pattern;
use Sunrise\Http\Router\Annotation\PostApiRoute;
use Sunrise\Http\Router\Annotation\Produces;
use Sunrise\Http\Router\Annotation\RequestBody;
use Sunrise\Http\Router\Annotation\RequestVariable;
use Sunrise\Http\Router\Dictionary\MediaType;

#[Pattern('parameter', '.*')]
final class TestController
{
    #[PostApiRoute('direct', '/skeleton/v1/direct/{parameter}')]
    #[Consumes(MediaType::JSON)]
    #[Produces(MediaType::JSON)]
    public function direct(
        #[RequestVariable]
        string $parameter,
        #[RequestBody]
        TestRequest $request,
    ): ResponseInterface
    {
        $data = User::fetchFromNameWithDirect($request->name);

        return new JsonResponse(200, [
            'message' => $data[1]['password'],
        ]);
    }
}
I configured PHP Custom Configuration as follows, but it doesn’t work as expected.
{
    "S3649": {
        "sources": [
            {
                "methodId": "Sunrise\\Http\\Router\\Annotation\\RequestBody::__construct"
            }
        ],
        "sinks": [
            {
                "methodId": "App\\Model\\User::fetchFromNameWithDirect",
                "args": [1]
            }
        ]
    }
}
Is there any mistake in my configuration method or approach?
I am running Sonar Enterprise, version v2025.3.
Thank you
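For readers following this thread, here is an added illustration (not code from the original post or from the Sunrise project) of what the configured sink, `App\Model\User::fetchFromNameWithDirect`, would look like when it really is injectable, next to a parameterized variant that the taint analysis should not need to flag. The PDO connection holder, the `users` table and its `name`/`password` columns are assumptions made for this example.

```php
<?php

declare(strict_types=1);

namespace App\Model;

use PDO;
use RuntimeException;

// Hypothetical model matching the static call in the controller above.
final class User
{
    // Assumed connection holder so the static calls work in this example.
    private static ?PDO $pdo = null;

    public static function setConnection(PDO $pdo): void
    {
        self::$pdo = $pdo;
    }

    // VULNERABLE: the untrusted $name (the argument named as the sink in the
    // custom configuration) is concatenated straight into the SQL text, so
    // request data can change the structure of the query. This is the
    // data flow the S3649 source/sink pair is meant to report.
    public static function fetchFromNameWithDirect(string $name): array
    {
        $sql = "SELECT name, password FROM users WHERE name = '" . $name . "'";
        $result = self::connection()->query($sql);

        return $result === false ? [] : $result->fetchAll(PDO::FETCH_ASSOC);
    }

    // SAFE: $name travels as a bound parameter and is never part of the SQL
    // text, so the database cannot interpret it as query syntax.
    public static function fetchFromName(string $name): array
    {
        $stmt = self::connection()->prepare(
            'SELECT name, password FROM users WHERE name = :name'
        );
        $stmt->execute(['name' => $name]);

        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }

    private static function connection(): PDO
    {
        return self::$pdo ?? throw new RuntimeException('No PDO connection set');
    }
}
```

With the sink declared as in the configuration, the expected finding is on the `fetchFromNameWithDirect($request->name)` call in the controller; a call to the parameterized `fetchFromName` from the same source should stay silent.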