I have a REST API that has a Java Integer input.
SonarQube is reporting a security vulnerability on the the integer input for reflecting tainted user controlled data.
public ResponseEntity query( @RequestParam(value = “page”, defaultValue = “1”)
Integer page) { // page is tainted as its controlled by User input
JSONObject result = new JSONObject();
result.put(“page”, page); // Tainted value is propagated
//Get stuff from the database and put into result object
return new ResponseEntity(result, HttpStatus.OK) ; //Tainted value is used to perform a security sensitive operation
}
How do you go about sanitizing a valid integer value?
Thanks for reporting this issue … that is obviously a false-positive as integer input can’t be tainted and can’t be the root cause of an injection attack.
Furthermore ResponseEntity are with SQ <= 8.3 wrongly considered as “sink” for the rule S5131. We fixed that in the upcoming SQ 8.4.
Can you tell me which version of SonarQube you are using because we fixed the Integer stuff with SQ 8.2 (Ref: SONARSEC-768: A parameter decorated with a Spring annotation must be considered as safe if its type is different from String)?
All in all, I recommend to upgrade to SonarQube 8.4 as soon as it is available to remove these noisy issues.