PHP codeigniter index controller false negatives

Hello,
We are using Sonarcloud enterprise. We just noticed that vulnerabilities in our index function controllers are not getting caught by the Sonarcloud’s quality profile. We are using the default quality profile “Sonar way” for everything at the moment.

We have an index controller which does not catch any vulnerabilities except for a security hotspot (hardcoded password).

Example false negative:

    class Start extends CI_Controller
    {
        protected $cache_file;
        protected $user_password;

        public function index()
        {
            $this->user_password = "ex#amp¤el2020";
            $this->cache_file = isset($_GET['user_file']) ? $_GET['user_file'] : '';

            $file = $this->cache_file;
            if (file_exists($file)) unlink($file);

            if ($_POST['redirect_url'])
            {
                redirect($_POST['redirect_url']);
            }

            if ($_GET['redirect_url'])
            {
                redirect($_GET['redirect_url']);
            }
        }
    }

To try this out I created the same controller function with a different name, and that one seems to catch all the vulnerabilities.

Example true positive:

        public function notindex()
        {
            $this->user_password = "ex#amp¤el2020";
            $this->cache_file = isset($_GET['user_file']) ? $_GET['user_file'] : '';

            $file = $this->cache_file;
            if (file_exists($file)) unlink($file);

            if ($_POST['redirect_url'])
            {
                redirect($_POST['redirect_url']);
            }

            if ($_GET['redirect_url'])
            {
                redirect($_GET['redirect_url']);
            }
        }

Would appreciate getting some help to resolve this since we have a lot of controller functions named index. Let me know if you need any more information.
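For comparison, here is a hardened counterpart to the posted Start::index() that removes the three issue classes the scanner is expected to flag (hard-coded secret, user-controlled file deletion, open redirect). This is an added example, not code from the original post, from the poster's project or from SonarSource; it assumes CodeIgniter 3 (the CI_Controller, input and config classes and the url helper), a config key named user_password and a cache directory under APPPATH . 'cache/user', all of which are assumptions for illustration.

```php
<?php
defined('BASEPATH') OR exit('No direct script access allowed');

// Added example (not from the original post): hardened form of Start::index().
// Assumes CodeIgniter 3, a config key 'user_password' and a cache directory
// APPPATH . 'cache/user' (both names are assumptions).
class Start extends CI_Controller
{
    protected $cache_file;
    protected $user_password;

    // Allow-list of application-relative redirect targets (constructed sample values).
    private static $allowed_redirects = array('/', '/home', '/dashboard');

    public function index()
    {
        $this->load->helper('url');

        // Secret comes from configuration instead of a string literal in the source.
        $this->user_password = $this->config->item('user_password');

        // Only ever remove a file that resolves inside the cache directory.
        $this->clear_cache_file($this->input->get('user_file', TRUE));

        // POST takes precedence over GET, but both are validated the same way.
        $target = $this->input->post('redirect_url', TRUE);
        if ($target === NULL) {
            $target = $this->input->get('redirect_url', TRUE);
        }
        if ($target !== NULL && self::is_safe_redirect($target)) {
            redirect($target);
        }
    }

    // Returns TRUE only when a file inside the cache directory was deleted.
    private function clear_cache_file($name)
    {
        if ($name === NULL || $name === '') {
            return FALSE;
        }
        $cache_dir = realpath(APPPATH . 'cache/user');
        if ($cache_dir === FALSE) {
            return FALSE;
        }
        // basename() drops any directory components supplied by the client.
        $candidate = realpath($cache_dir . DIRECTORY_SEPARATOR . basename($name));
        if ($candidate === FALSE) {
            return FALSE;
        }
        // Defence in depth: the resolved path must still start with the cache directory.
        if (strpos($candidate, $cache_dir . DIRECTORY_SEPARATOR) !== 0) {
            return FALSE;
        }
        $this->cache_file = $candidate;
        return unlink($candidate);
    }

    // Accepts only allow-listed relative paths; rejects anything carrying a scheme or host.
    public static function is_safe_redirect($url)
    {
        if (!is_string($url) || $url === '') {
            return FALSE;
        }
        // parse_url() returns NULL when no scheme is present and FALSE on malformed input;
        // both absolute URLs and protocol-relative ('//host/...') URLs are rejected.
        if (parse_url($url, PHP_URL_SCHEME) !== NULL || substr($url, 0, 2) === '//') {
            return FALSE;
        }
        return in_array($url, self::$allowed_redirects, TRUE);
    }
}
```

The point of keeping the validation in small named methods (clear_cache_file, is_safe_redirect) is that each sink (unlink, redirect) is reached only through a path that the taint analysis can see is sanitised, so the scanner result no longer depends on which controller method happens to contain the code.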

Hey @sonarfrasse,

Welcome to the community!

This looks indeed strange. I did a quick test with the first piece of code you posted, and the vulnerabilities are raised correctly. See: https://sonarcloud.io/code?id=karim-ouerghemmi-sonarsource_test-sc-controller&selected=karim-ouerghemmi-sonarsource_test-sc-controller%3Atest.php

There might be something else in your project leading to those vulnerabilities not being found. Can you try to create a minimal reproducer in which, when scanned on its own, the issues should be found but are not? Or is the project open source?

Best,
Karim.

Addition to previous post: another reason could be that all your index methods in which the issues are not raised have the same fully qualified name (same class name + same (or no) namespace). We currently discard methods in the taint analysis that do not have a unique fully qualified name (as it is probably not valid code in that case either).