PHP XSS unsanitized input not caught

Hello, we use a self-hosted SonarQube instance, and we are scanning one of our projects for issues. We currently use: SonarQube 9.2.4.

We are wondering if this is intentional, but we have this code snippet:

        $input1 = '';
        $input2 = '';
        $showBtn  = true;

        // both values are taken straight from the query string, no encoding
        if( isset($_GET['input1']) && !empty($_GET['input1']) ) {
            $input1 = $_GET['input1'];
            $showBtn  = false;
        }

        if( isset($_GET['input2']) && !empty($_GET['input2']) ) {
            $input2 = $_GET['input2'];
            $showBtn  = false;
        }
        <!-- echoed unescaped into an attribute value: the reflected XSS sink -->
        <input type="hidden" name="input1" value="<?php echo $input1; ?>">
        <input type="hidden" name="input2" value="<?php echo $input2; ?>">

Where we have no input sanitization and were able to find an XSS. Curious as to why SonarQube has not caught anything? Is this behaviour considered “safe”?

Code is for a PHP web application.

Thank you for your time.
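To make the finding concrete, here is an added example (not code from the original post or from SonarQube) that puts the vulnerable rendering next to a hardened one and drives both from the CLI with a constructed `$_GET` payload, so the attribute break-out is visible without a browser. The function names and the payload are my own assumptions for illustration; the encoding call is plain `htmlspecialchars`, which is what an output-encoding fix for this sink should use.

```php
<?php
// Added example, not part of the original post: vulnerable vs. hardened
// rendering of the hidden inputs from the question, run from the CLI.

// Vulnerable: concatenates the query parameter straight into an attribute
// value, exactly as `value="<?php echo $input1; ?>"` does in the snippet.
function render_hidden_unsafe(string $name, string $value): string
{
    return '<input type="hidden" name="' . $name . '" value="' . $value . '">';
}

// Hardened: HTML-encode for the attribute context. ENT_QUOTES is required so
// a double (or single) quote cannot terminate the value="..." attribute;
// ENT_SUBSTITUTE stops htmlspecialchars() from returning an empty string when
// the input is not valid UTF-8, which would silently drop the value.
function render_hidden_safe(string $name, string $value): string
{
    $enc = static fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="' . $enc($name) . '" value="' . $enc($value) . '">';
}

// Reads the parameter the way the original snippet does. isset() is redundant
// with !empty(); note that !empty() also rejects the string '0', which is a
// separate correctness quirk and not the security issue discussed here.
function read_param(array $get, string $key): string
{
    return (isset($get[$key]) && !empty($get[$key])) ? (string) $get[$key] : '';
}

// Constructed payload (hypothetical XSS probe): closes the attribute and the
// tag, then injects an element with an event handler.
$_GET = [
    'input1' => '"><img src=x onerror="alert(document.domain)',
    'input2' => 'plain value',
];

$input1 = read_param($_GET, 'input1');
$input2 = read_param($_GET, 'input2');

echo "Vulnerable rendering:\n";
echo render_hidden_unsafe('input1', $input1), "\n";
echo render_hidden_unsafe('input2', $input2), "\n\n";

echo "Hardened rendering:\n";
echo render_hidden_safe('input1', $input1), "\n";
echo render_hidden_safe('input2', $input2), "\n\n";

// Self-check: after encoding, the attribute value must not contain a raw
// double quote, so the payload can no longer break out of value="...".
$safe = render_hidden_safe('input1', $input1);
$attrValue = substr($safe, strpos($safe, 'value="') + 7, -2);
if (strpos($attrValue, '"') !== false) {
    throw new RuntimeException('attribute encoding failed');
}
echo "Attribute value after encoding: ", $attrValue, "\n";
```

Run it with `php example.php`. The vulnerable line comes out as `value=""><img src=x onerror="alert(document.domain)">`, a new element with an active event handler, while the hardened line keeps the whole payload inside the attribute as `&quot;&gt;&lt;img ...`. Whatever the scanner reports, this is the check to apply by hand: every `echo` of a `$_GET`/`$_POST` value into HTML needs context-appropriate encoding, and for attribute values that means `ENT_QUOTES`.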

Hello Vadim and welcome to the community!

Can you tell me what edition of SonarQube you are using, e.g., Community Edition, Developer Edition, …? It is important to know that our security engine that detects this type of injection vulnerability is not included in the Community Edition. It is included in the Developer Edition and above (see here).

The vulnerabilities are detected correctly for me when I scan the code (after adding opening and closing tags around the PHP code at the beginning).

Hey, Hendrik.

We are using the “Developer” edition!

I excluded the PHP tags as there is more code in this section, but it seems that nothing is picked up in this file besides an HTML tag.

Okay, thanks for the information. Do you see any errors in the scanner output when running the analyzer? Also, could you maybe share the whole file with me? We can do that in a private message if that is better for you. The problem might be caused by something else in the file, since just scanning this code snippet works fine for me.

Sure, can you shoot me a DM, since I can’t seem to see the button to direct message you!

It seems that our Sonar server was using the wrong edition. Thanks Hendrik for helping with finding it out.

