javasecurity:S5131 : Reported for Java Enums

I have a REST API developed in Java. I am using Enums as my request parameters. Let's say Gender is one of the Enums, and the possible values of Gender are M and F.
I understand that request parameters are user controlled. Sonar is complaining that it is tainted and I need to sanitize the input.

I am failing to understand how an Enum can be tainted and why it's posing a risk. We can't pass any random values to an Enum.

Looking forward to your suggestions.

Hello @VivekShukla

Welcome to the community!

To help you, can you share a code example related to the situation you are describing?

Eric

@eric.therond

As per my understanding, you can only have "sanitized or pure values" in Enums.

But this is how sonar looks at the code:

import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.RequestParam;

public ResponseEntity<String> answers(
        @RequestParam(value = "genderId", required = true)
        GenderEnum genderId) { // genderId is tainted as it's controlled by user input

    SomeObject param = new SomeObject();
    param.setGenderId(genderId); // polluted too, as the request param is not sanitized

    // Let's assume you make some call to the DB
    String result = dbCall(genderId); // this is tainted too

    // The result is also tainted, as it also uses non-sanitized input
    return ResponseEntity.ok("Hello" + genderId);
}

Any wrong values for the Enum will give you HTTP 400 Bad Request, which is perfectly fine.
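The binding step that makes this a false positive, as an added plain-Java example (not code from the thread or from Sonar/Spring): it models what Spring's default String-to-enum conversion does for an enum @RequestParam, so the handler can only ever receive a declared constant. The GenderEnum constants M and F and the handler body are taken from the question above; everything else is assumed.

```java
import java.util.Arrays;
import java.util.Optional;

// Added example, not from the original thread.
public class EnumBindingDemo {

    // Assumed to match the enum in the question.
    enum GenderEnum { M, F }

    // Mirrors the framework's default conversion: Enum.valueOf on the trimmed
    // query text. Only a declared constant name succeeds; anything else throws,
    // which Spring turns into a 400 Bad Request before the handler runs.
    static Optional<GenderEnum> bind(String rawQueryValue) {
        if (rawQueryValue == null || rawQueryValue.trim().isEmpty()) {
            return Optional.empty();
        }
        try {
            return Optional.of(GenderEnum.valueOf(rawQueryValue.trim()));
        } catch (IllegalArgumentException notAConstant) {
            return Optional.empty(); // rejected with 400 by the real binder
        }
    }

    // The handler body from the question: the text concatenated here is the
    // constant's name, never the raw request string.
    static String answers(GenderEnum genderId) {
        return "Hello" + genderId;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: valid names, wrong case, unknown value, blank.
        String[] inputs = { "M", " F ", "m", "Unknown", "" };
        for (String input : inputs) {
            String outcome = bind(input)
                .map(EnumBindingDemo::answers)
                .orElse("400 Bad Request");
            System.out.printf("%-10s -> %s%n", '"' + input + '"', outcome);
        }

        // Every value the handler can receive yields one of a fixed set of
        // outputs, which is why no sanitization step is needed here.
        for (GenderEnum g : GenderEnum.values()) {
            if (!Arrays.asList("HelloM", "HelloF").contains(answers(g))) {
                throw new AssertionError("unexpected output for " + g);
            }
        }
    }
}
```

Note that the guarantee rests on the enum constant itself being what reaches the handler; it is the constant's name, not the original query text, that is concatenated.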

Hello @VivekShukla

Sorry for the delay and thank you for this relevant feedback.

You are right, enumerated values should be trusted.

We will let you know when we release the fix.

Don’t hesitate to report other anomalies that you may find.

Eric
