How to suppress "Endpoints should not be vulnerable to reflected cross-site scripting (XSS) attacks" after input Sanitization

Simone_Avogadro · December 1, 2021, 4:52pm

We’re working with:

Developer Edition - Version 9.1 (build 47736)
We want to fix warning about “Endpoints should not be vulnerable to reflected cross-site scripting (XSS) attacks” on paramters which are already sanitized
We’re using a library mandated by Cybersecurity in order to Sanitize the input and SonarQube does not seem to recognize it and marks all the user input as tainted

here’s the method:

	public static String sanifyUserInput(String i) throws ServletException {
		if (containsIllegalSequences(i))
			throw new ServletException("Input contains illegal sequences, refusing");
		return i;
	}

All user input is passed thru that method so we need some way to mark the output of the method as “sanitized” in order to avail being flooded with false-positive “javasecurity:S5131” errors

Is there any annotation to do so? Is this a false-positive?

We’re experiencing the very same issues with log-tainting warnings.

ganncamp · December 8, 2021, 1:56pm

Hi,

Welcome to the community!

It might help to know that with Enterprise Edition($$) you gain the ability to configure taint analysis to E.G. recognize custom sanitizers.

HTH,
Ann

Simone_Avogadro · December 11, 2021, 12:30pm

Thanks Ann,
So basically there’s no way to annotate this methods as sanitizers so that this information will be passed over to other parties willing to perform the scan on their own?

Alexandre_Gigleux · December 13, 2021, 7:52am

As mentioned by @ganncamp, there is a way provided by the SonarQube Enterprise Edition and called Security Engine Custom Configuration where you can define which methods should be considered as Sanitizers.

Out of curiosity, is the library mandated by your cybersecurity department a product we can find somewhere or is it an in-house development?