I have a Rest API developed in Java. I am using Enums as my request parameters lets say Gender is one of the Enum and say possible values of Gender are M,F
I understand that requestParametrs are user controlled.Sonar is complaining that it is tainted and I need to sanitize the input.
I am failing to understand how an Enum can be tainted and why its posing a risk. We can’t pass any random values to an Enum.
Looking forward to your suggestions.
Hello @VivekShukla
welcome to the community!
To help you, can you share a code example related to the situation you are describing?
Eric
@eric.therond
As per my understanding, you can only have “sanitized or pure values” in Enums
But this is how sonar looks at the code:
public ResponseEntity<String> answers(
@RequestParam(value = "genderId", required = true)
GenderEnum genderId) { // genderID is tainted as its controlled by User input
SomeObject param = new SomeObject();
param.setGenderId(genderId); //Polluted too, as requestParam is not sanitized
//Lets assume you make some call to DB
String result=dbCall(genderId); //This is tainted too
return "Hello"+genderId; //Result is also tainted as its also using Non-santized input
}
any wrong values to Enum will give you HTTP 400 Bad Request which is perfectly fine.
Hello @VivekShukla
Sorry for the delay and thank you for this relevant feedback.
You are right, enumerated values should be trusted.
We will let you know when we release the fix.
Don’t hesitate to report other anomalies that you may find.
Eric