Let’s consider code snippet below:
public ResponseEntity<String> answers(
@RequestParam(value = "genderId", required = true)
String genderId) { // genderID is tainted as its controlled by User input
String result=null;
if ("Male".equals(genderId)) {
SomeObject param = new SomeObject();
param.setGenderId(genderId); //Polluted too, as requestParam is not sanitized
Lets assume you make some call to DB
result = dbCall(genderId); // This is tainted too
}
return "Hello"+result;
}
So sonar is asking me to sanitize my genderId parameter which is a String type.
However, I don’t see a point as I am having a If Conditional Block which will not allow any dirty values to go into the system and pollute the code.
Your suggestions, please.
Hello,
Thanks for your feedback. We identified this problem already under the internal reference SONARSEC-1172 “ResponseEntity should not be considered as a sink for S5131 (XSS)*” and the good news is that it’s going to be fixed with the upcoming SonarQube 8.4 (next week).
Meanwhile, you will have to flag this issue as a false-positive.
Regards
Alex
Thanks @Alexandre_Gigleux for identifying the issue.
I have one more scenario. Let me twist the above code a bit. Sonar is still not happy about my genderId parameter
public ResponseEntity<String> answers(
@RequestParam(value = "genderId", required = true)
String genderId) { // genderID is tainted as its controlled by User input
if ("Male".equals(genderId)) {
Lets assume you make some call to DataBase
dbCall(genderId); // This is tainted too
return "hello Alex";
}
return "Hello Vivek";
}
However genderId is safe here as you are checking genderId before touching your code. But it forces you to sanitize it.
Looking forward to your input.
Hello,
In the code you provided you are returning hard-coded strings, so I don’t expect SonarQube to complain and raise an issue.
Can you share a screenshot of SonarQube showing where the issue related to the rule S5131 is raised on the piece of code you provided?
Thanks