Java Spring Cross Site Scripting detection

Hello,
I would like to ask about the detection of a cross site scripting regarding sanitization.

I am using the SonarQube enterprise version 10.7 and the sonar scanner maven-plugins:3.9.0.2155.

I have the following code:

    @GetMapping(value = "/endpoint", produces = "text/html; charset=UTF-8")
    public String endpoint(@PathVariable("input") String input) {
        return object.method(input);
    }

Since the content of produces is text/html and not text/plain, should Sonar have detected this as a vulnerability? (The rule javasecurity:S5131 is activated in the quality profile.)

Is it possible that this is not detected by Sonar because it detects a sanitization along the path from source to sink? I navigated through the code along that path and I did not find any specific sanitization. I believe @PathVariable or MapOf are not enough for sanitizing.


At the end, I arrived to an object named TemplateWrapper that is a dependency of the project (but I do not have the code at the moment).
Could that be the reason for not showing an issue and be enough for sanitizing the input?

Best regards.

Hello María!

Thanks a lot for your feedback! Sorry for the time spent waiting. I am in charge of handling your post, but I was sick this week. I am going to work to narrow down what the problem could possibly be and get back to you ASAP.

In the meantime, I would be interested in understanding the method because it could contain things that the analyzer deems important. We can schedule a call if it’s better

Cheers!

Loris

Dear Loris,
No worries.
Yes, maybe it is better to have a call and get deeper into details. This is very important for us, because it could be a false negative that we have been able to detect with the tool Kiuwan :frowning:

I’ll wait for your response. Best regards.

I sent you a message via this forum’s messaging feature, feel free to directly email me at the address I sent you there :+1:

I will update this forum for future reference afterward.

Cheers
Loris


After meeting with María, here are the details about this issue:

In Codebase ‘A’:

  1. @PathVariable("input") String input goes into method1
  2. It then goes into method2, where it is sent to method3
  3. method3 returns the result of method4, which is actually located in another codebase “B”

In Codebase “B”, method 4:

  1. The input is used to create a URI
  2. The URI is then called with a Spring Rest Template
  3. and the function returns the body of the HTTP response

Back to codebase ‘A’:

  • The body of the rest template is used and transformed in method2
  • And is then returned as text/html by method1, so it will be interpreted by browsers.

Here, from a static analysis standpoint, this is a false positive. The input is never explicitly injected into the response, and the analyzers have no way of knowing what is coming in the HTTP response body.

Some competitors throw false positives because their analyzers’ default behavior includes making assumptions about what an analyzed piece of code will do. Here, I guess it assumed that “CodeBase B” would actually return the input string.

As I mentioned during our call, my team knows that throwing too many false positives is counterproductive: Not only do we lose credibility, but we also risk that the users stop engaging with the issues we show and just ignore our results, thus deteriorating their security.

This kind of false positive is exactly why we dedicate specific R&D time to improving and maintaining our Spring Support coverage.

Cheers,

Loris

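To make the flow Loris describes concrete, here is an added example that is not code from either poster, from SonarSource, or from the project discussed. It reconstructs the two codebases in one file: "codebase B" builds a URI from the path variable and returns the remote HTTP response body, and "codebase A" renders that body as text/html. The class names, the base URL and the `/endpoint/{input}` path template are assumptions. The second handler shows the defensive reading of the same situation: the analyzer cannot know what the remote body contains, so the application treats that body as untrusted and escapes it before rendering.

```java
// Added example (not code from the original post or from SonarSource): a
// minimal reconstruction of the flow described in the thread, plus a
// defensive variant. RemoteClient, HtmlEndpointController, the base URL and
// the path template are assumptions made for this example.
import java.net.URI;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.util.HtmlUtils;
import org.springframework.web.util.UriComponentsBuilder;

// Stands in for "codebase B", method4: builds a URI from the input, calls it
// with a RestTemplate and returns the body of the HTTP response.
class RemoteClient {
    private static final String BASE = "https://backend.example.invalid/items"; // assumed
    private final RestTemplate restTemplate = new RestTemplate();

    String fetch(String input) {
        URI uri = UriComponentsBuilder.fromHttpUrl(BASE)
                .pathSegment(input)          // URL-encoded by encode(); this is not HTML sanitization
                .build().encode().toUri();
        // A static analyzer can see `input` flowing into the URI, but it cannot
        // know whether the body that comes back echoes `input` or anything else.
        return restTemplate.getForObject(uri, String.class);
    }
}

@RestController
class HtmlEndpointController {
    private final RemoteClient remote = new RemoteClient();

    // Flow as reported: remote body -> transformation in "method2" -> text/html.
    // The tainted `input` never reaches the response directly, so S5131 stays silent.
    @GetMapping(value = "/endpoint/{input}", produces = "text/html; charset=UTF-8")
    public String endpoint(@PathVariable("input") String input) {
        String body = remote.fetch(input);
        return "<p>" + body + "</p>";        // assumed shape of method2's transformation
    }

    // Defensive variant: the response body comes from another system, so treat
    // it as untrusted data before it is rendered as HTML. HtmlUtils.htmlEscape
    // escapes <, >, &, " and ', so the body cannot introduce markup or script.
    @GetMapping(value = "/endpoint-escaped/{input}", produces = "text/html; charset=UTF-8")
    public String endpointEscaped(@PathVariable("input") String input) {
        String body = remote.fetch(input);
        return "<p>" + HtmlUtils.htmlEscape(body) + "</p>";
    }
}
```

The first handler is what the analyzers in the thread see: no source-to-sink path, hence no issue. Whether the remote body is actually safe is a property of the other system, not something either codebase proves; escaping at the point where the body becomes HTML removes the question, and it also gives the scanner an explicit sanitizer on the path if the remote call is ever modeled as a taint source.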
