XSS vulnerability not detected by SonarQube

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
    SonarQube 9.9
  • how is SonarQube deployed: zip, Docker, Helm
    Docker
  • what are you trying to achieve
    I would like XSS vulnerabilities to be detected by the SonarQube code scan.
  • what have you tried so far to achieve this
    I am currently trying to understand why the rule has not detected the vulnerability.

Hello everyone,
I have a Java backend where I am using SonarQube for code scans.
Recently I found out that an XSS vulnerability was not detected by SonarQube, and I am currently asking myself why it was not detected, since the following rule is included in the quality profile used for the scan.
Rule: Endpoints should not be vulnerable to reflected cross-site scripting (XSS) attacks

I was expecting that, if I have a nested object within my REST endpoint method like:

POST saveXYZ(MyObject abc) {…}

and MyObject has a String attribute that is read as input (abc.getInputString()) in my code, the XSS rule would report an XSS vulnerability.

Is my understanding wrong, or are nested objects not checked by SonarQube / the XSS rule?
How can I achieve that such vulnerabilities will be detected automatically by SonarQube in the future?

Hey there.

Thanks for the report!

Could you share a full yet minimal reproducer where you expect the issue to be raised? A bit more detailed than

(at this point, I’m not even sure what language is involved)

Hi,

The relevant language would be Java (Spring Boot).
For example, I have the following web controller (I reduced the example to keep it simple):

@Path("/update/")
public class UpdateController {

    // repository, mapToOrderEntity, OrderEntity and UpdateResponseDTO are not shown here

    @PUT
    public UpdateResponseDTO update(OrderRequestDTO order) {
        OrderEntity updatedEntity = updateEntity(mapToOrderEntity(order));
        return mapToUpdateResponseDTO(repository.save(updatedEntity));
    }

    public OrderEntity updateEntity(OrderEntity entity) {
        OrderEntity oldEntity = repository.findById(entity.getId());
        oldEntity.setInputString(entity.getInputString());
        return oldEntity;
    }

    public UpdateResponseDTO mapToUpdateResponseDTO(OrderEntity entity) {
        UpdateResponseDTO dto = new UpdateResponseDTO();
        dto.setInputString(entity.getInputString());
        return dto;
    }
}

public class OrderRequestDTO {
    private String inputString;
}

Question / open point:
Assume inputString is a text box in my frontend where the user can enter malicious JavaScript.
I thought this would be detected by SonarQube as an XSS vulnerability, because the nested input parameter was not sanitized. Is this assumption perhaps incorrect?

Hi,

Thank you for the provided code. However, I do not quite understand which platform you are using. You mentioned Spring Boot, but the code does not look like Spring. It is closer to Jakarta code with @Path and @PUT JAX-RS annotations. Our detection depends on the frameworks used, so maybe there is something in the code SonarQube does not understand.

Can you please provide more complete code so I can try to reproduce the issue you have? In particular, which library are you using, with which versions, and how are repository, OrderEntity and UpdateResponseDTO defined?

Regards

Sebastien
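The two things the thread turns on are the taint source (a String field nested in a request DTO) and the framework the analyzer has to recognise. The following is an added, self-contained Spring Boot reproducer, not code from the original poster or from SonarSource: it keeps the poster's OrderRequestDTO shape but makes the sink explicit by writing the nested field into a text/html response, once unescaped and once HTML-escaped. The package name, the endpoint paths and the render() helper are assumptions; a Spring Boot application class and the spring-boot-starter-web dependency are assumed to exist in the project. Scanning a file like this with the reflected-XSS rule quoted in the thread gives a clean yes/no on whether the nested-field flow is tracked, independent of the JAX-RS versus Spring question raised above.

```java
// Added example (not the thread's code): minimal Spring Boot reproducer that
// carries a nested DTO field from the request body into an HTML response.
package com.example.xssrepro;

import org.springframework.http.MediaType;
import org.springframework.web.bind.annotation.PutMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.util.HtmlUtils;

@RestController
public class UpdateController {

    // Same shape as the DTO in the thread; the nested field is the taint source.
    // Jackson needs the no-arg constructor and the setter to populate it.
    public static class OrderRequestDTO {
        private String inputString;

        public String getInputString() {
            return inputString;
        }

        public void setInputString(String inputString) {
            this.inputString = inputString;
        }
    }

    // Vulnerable: the nested field is reflected verbatim into a text/html body,
    // so a request body of {"inputString":"<script>alert(1)</script>"} is
    // returned as executable markup.
    @PutMapping(value = "/update/reflect", produces = MediaType.TEXT_HTML_VALUE)
    public String updateReflect(@RequestBody OrderRequestDTO order) {
        return render(order.getInputString());
    }

    // Hardened: the value is HTML-escaped before it reaches the HTML sink, so
    // the same payload is rendered as literal text (&lt;script&gt;...).
    @PutMapping(value = "/update/escaped", produces = MediaType.TEXT_HTML_VALUE)
    public String updateEscaped(@RequestBody OrderRequestDTO order) {
        return render(HtmlUtils.htmlEscape(order.getInputString()));
    }

    // Assumed helper: builds the HTML page that both endpoints return.
    private static String render(String value) {
        return "<html><body><p>Saved: " + value + "</p></body></html>";
    }
}
```

To exercise it by hand once the application is running, send the payload with curl: `curl -X PUT -H 'Content-Type: application/json' -d '{"inputString":"<script>alert(1)</script>"}' http://localhost:8080/update/reflect` returns the script tag intact, while the same request against /update/escaped returns it encoded. If the analyzer flags updateReflect but not the poster's original controller, the difference is in how the response is produced (an HTML body versus a DTO serialised by the framework) or in the annotations it recognises, which is exactly the information the reply above asks for.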