Problem with security of HTTP Method

dotnet

(Timur) #1

Hello!
I have a problem with SonarCloud. I have the backend of a web application (ASP.NET Core) with this controller method inside:

            // GET: api/entities/{id}/list
            [HttpGet("{id}/list")]
            public IActionResult GetEntityListModel([FromRoute] int id)
            {
                var entity = myUow.entityRepository.GetEntityModel(id);
                if (entity == null)
                {
                    return NotFound();
                }
                return Ok(entity);
            }

When checking this code, Sonar raises this notification:

Code Smell: Make sure that exposing this HTTP endpoint is safe here. ([external_roslyn:S4529])

https://rules.sonarsource.com/csharp/type/Security%20Hotspot/RSPEC-4529

I tried adding this snippet at the top of the method, but it didn’t help.

            if (id <= 0)
            {
                return BadRequest();
            }

Please help me to solve this problem. Thank you.


(Nicolas Harraudeau) #2

Hi @tymur.musin,

Thank you for your feedback.

We have a bug in our current C# and VB .Net analysis. We are working on it and I will come back to you as soon as it is fixed.

In the meantime you can unblock your pull requests by ignoring external Roslyn issues in your project like this:
Go to your project’s Administration tab > General Settings > External analyzers > C# > Ignore issues from external Roslyn analyzers > enable the option. The Security Hotspot issues will disappear the next time your pull requests are analyzed.

Just to give some context: Security Hotspot issues are meant to help security auditors when they review an application. They are created on code which is security-sensitive, i.e. code where vulnerabilities generally occur. This code doesn’t necessarily contain a vulnerability. Security Hotspot issues normally never impact the quality gate, nor should they be visible on Pull Requests.

We apologize for the inconvenience.

Best regards,
Nicolas
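A worked example added here, not code from the thread or from SonarSource: the poster’s action written the way a reviewer would expect to see it before closing an S4529 hotspot as "safe". The hotspot is not cleared by a code change such as the `id <= 0` guard; it is cleared by a review that confirms the exposed endpoint is protected, and the three numbered points in the code are what that review usually looks for. `IUnitOfWork`, `IEntityRepository`, `EntityModel` and its `OwnerId` property are assumed placeholders standing in for the poster’s `myUow.entityRepository`.

```csharp
using System;
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Assumed placeholders for the poster's myUow.entityRepository (not part of the thread).
public class EntityModel
{
    public int Id { get; set; }
    public string OwnerId { get; set; } = "";   // assumed: identifier of the user who owns this entity
}

public interface IEntityRepository
{
    EntityModel GetEntityModel(int id);
}

public interface IUnitOfWork
{
    IEntityRepository EntityRepository { get; }
}

[ApiController]
[Route("api/entities")]
[Authorize]   // 1. Every action on this controller requires an authenticated caller.
public class EntitiesController : ControllerBase
{
    private readonly IUnitOfWork myUow;

    public EntitiesController(IUnitOfWork uow) => myUow = uow;

    // GET: api/entities/{id}/list
    // 2. The route constraint rejects id <= 0 before the action runs (routing answers 404),
    //    which replaces the in-body "if (id <= 0) return BadRequest();" guard.
    [HttpGet("{id:int:min(1)}/list")]
    public IActionResult GetEntityListModel([FromRoute] int id)
    {
        var entity = myUow.EntityRepository.GetEntityModel(id);
        if (entity == null)
        {
            return NotFound();
        }

        // 3. Object-level authorization: an authenticated caller may still only read
        //    entities they own. Without this check any signed-in user could walk
        //    through ids and read every entity.
        var callerId = User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (callerId == null || !string.Equals(entity.OwnerId, callerId, StringComparison.Ordinal))
        {
            // Same response as a missing entity, so the check does not reveal which ids exist.
            return NotFound();
        }

        return Ok(entity);
    }
}
```

Points 1 and 3 are the access-control evidence a reviewer records when resolving the hotspot; point 2 only moves the numeric validation out of the action body and, as the thread shows, would not make the hotspot disappear on its own.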


(Timur) #4

Thank You so much, good luck!


(Nicolas Harraudeau) #6

Hi @tymur.musin,

The fix is now deployed on SonarCloud. You can re-enable the external Roslyn issues.
Thank you again for your patience.

Best regards,
Nicolas


(Timur) #7

Thank You very much!