What language is this for?
kotlin
Which rule?
kotlinsecurity:S5145
Why do you believe it’s a false-positive/false-negative?
When a REST call request param is an enum, basic validation is performed by Spring at the request parsing stage and no actual malicious content can make it into the application. If the input value does not match any pre-defined enum values, the request is simply rejected (4xx error). If the request was successfully parsed, it is safe to log such an enum param, as its possible values are defined by the application and are not user (caller) controlled.
    import org.slf4j.LoggerFactory
    import org.springframework.web.bind.annotation.PutMapping
    import org.springframework.web.bind.annotation.RequestParam
    import org.springframework.web.bind.annotation.RestController

    @RestController
    class MyController {
        enum class MyEnum {
            VALUE_A,
            VALUE_B
        }

        @PutMapping("/test")
        fun test(
            @RequestParam enumParam: MyEnum
        ) {
            // S5145 flags this line even though enumParam can only be VALUE_A or VALUE_B
            logger.info("Received param: $enumParam")
        }

        companion object {
            private val logger = LoggerFactory.getLogger(MyController::class.java)
        }
    }
Versions
- SonarQube for IDE (10.26.0.81619)
- IntelliJ IDEA 2025.1.3
- Kotlin 2.2.0
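The binding behaviour the report relies on can be pinned down with a test, so that the "enum params are safe to log" reasoning is checked rather than assumed. The following JUnit 5 / MockMvc test is an added example, not code from the original post or from SonarSource; it assumes spring-test, spring-webmvc and junit-jupiter on the test classpath, and it reproduces the poster's MyController so the file stands alone. The second test sends a constructed value containing a CR/LF sequence, the kind of payload S5145 (log injection) is concerned with, and asserts that Spring's enum conversion rejects it with a 400 before the handler and its log statement ever run.

```kotlin
// Added example: verifies that an enum @RequestParam is validated by Spring during
// request binding, so the handler only ever logs a declared enum constant.
// Assumed dependencies: spring-test, spring-webmvc, junit-jupiter (not stated on the page).
import org.junit.jupiter.api.Assertions.assertEquals
import org.junit.jupiter.api.Test
import org.slf4j.LoggerFactory
import org.springframework.test.web.servlet.MockMvc
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders.put
import org.springframework.test.web.servlet.result.MockMvcResultMatchers.status
import org.springframework.test.web.servlet.setup.MockMvcBuilders
import org.springframework.web.bind.annotation.PutMapping
import org.springframework.web.bind.annotation.RequestParam
import org.springframework.web.bind.annotation.RestController

// Same controller as in the report, reproduced so this file compiles on its own.
@RestController
class MyController {
    enum class MyEnum { VALUE_A, VALUE_B }

    @PutMapping("/test")
    fun test(@RequestParam enumParam: MyEnum) {
        logger.info("Received param: $enumParam")
    }

    companion object {
        private val logger = LoggerFactory.getLogger(MyController::class.java)
    }
}

class EnumParamBindingTest {
    // standaloneSetup registers Spring MVC's default exception resolvers, so a failed
    // String -> MyEnum conversion becomes a 400 response instead of reaching the handler.
    private val mockMvc: MockMvc = MockMvcBuilders.standaloneSetup(MyController()).build()

    @Test
    fun `declared constant is accepted and reaches the handler`() {
        mockMvc.perform(put("/test").param("enumParam", "VALUE_A"))
            .andExpect(status().isOk())
    }

    @Test
    fun `value that is not a declared constant is rejected before logging`() {
        // Constructed sample input: a CR/LF sequence embedded in the parameter value.
        mockMvc.perform(put("/test").param("enumParam", "VALUE_A\r\nFORGED LOG LINE"))
            .andExpect(status().isBadRequest())
    }

    @Test
    fun `enum toString only yields declared constant names`() {
        // What actually gets interpolated into the log message is Enum.toString(),
        // which by default is the constant name; there is no caller-controlled text in it.
        val names = MyController.MyEnum.entries.map { it.toString() }
        assertEquals(listOf("VALUE_A", "VALUE_B"), names)
    }
}
```

Two caveats are worth keeping in mind when relying on this argument. Spring's default String-to-enum converter trims surrounding whitespace, so a value such as `"VALUE_A "` is accepted, but the bound argument is still the constant `VALUE_A`, so nothing caller-supplied is logged. And the safety depends on `MyEnum.toString()` returning only the constant name: if a later change overrides `toString()` to include a field populated from request data, the log statement would again carry caller-controlled text, and the third test above would be the one to fail.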