Problem with security of HTTP Method

Hello!
I have a problem with SonarCloud. I have the backend of a web application (ASP.NET Core) with this controller method inside:

// GET: api/entities/{id}/list
[HttpGet("{id}/list")]
public IActionResult GetEntityListModel([FromRoute] int id)
{
    var entity = myUow.entityRepository.GetEntityModel(id);
    if (entity == null)
    {
        return NotFound();
    }
    return Ok(entity);
}

During checking this code Sonar throws this notification:

Code Smell: Make sure that exposing this HTTP endpoint is safe here. ([external_roslyn:S4529])

https://rules.sonarsource.com/csharp/type/Security%20Hotspot/RSPEC-4529

I tried to add this snippet at the top of the method, but it didn't help.

if (id <= 0)
{
    return BadRequest();
}

Please help me to solve this problem. Thank you.
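The hotspot rule does not point at a bug in the action above; it flags the endpoint as a place a reviewer should look at. The controller below is an added example (not code from the original post or from SonarSource) showing what such a review would want to see made explicit for a `GET api/entities/{id}/list` endpoint: authentication on the controller, a route constraint that rejects non-positive ids before the action runs, and a per-resource ownership check so that a valid id belonging to someone else is not readable. `IEntityRepository`, `EntityModel` and the `OwnerId` property are assumed stand-ins for the poster's `myUow.entityRepository`.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Assumed abstractions standing in for the poster's myUow.entityRepository (not from the original post).
public record EntityModel(int Id, string OwnerId, string Name);

public interface IEntityRepository
{
    EntityModel? GetEntityModel(int id);
}

[ApiController]
[Route("api/entities")]
[Authorize]   // 1. Every action on this controller requires an authenticated caller.
public class EntitiesController : ControllerBase
{
    private readonly IEntityRepository _repo;

    public EntitiesController(IEntityRepository repo) => _repo = repo;

    // GET: api/entities/{id}/list
    // 2. Route constraint: ids that are not integers >= 1 never match, so the
    //    "if (id <= 0) return BadRequest()" guard is enforced by routing instead.
    [HttpGet("{id:int:min(1)}/list")]
    public IActionResult GetEntityListModel([FromRoute] int id)
    {
        var entity = _repo.GetEntityModel(id);
        if (entity == null)
        {
            return NotFound();
        }

        // 3. Resource-level authorization: the record must belong to the caller.
        //    Returning 404 rather than 403 keeps "exists but not yours" indistinguishable
        //    from "does not exist", so status codes do not reveal which ids are in use.
        var callerId = User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (callerId == null || entity.OwnerId != callerId)
        {
            return NotFound();
        }

        return Ok(entity);
    }
}
```

The three numbered points are the questions a reviewer typically asks of an S4529 hotspot (who may call it, what input reaches it, and whether the caller may read the specific record). Whether to answer the ownership failure with `NotFound()` or `Forbid()` is a design choice; the example picks the former so that the response does not leak the existence of other users' ids.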

Hi @tymur.musin,

Thank you for your feedback.

We have a bug in our current C# and VB .Net analysis. We are working on it and I will come back to you as soon as it is fixed.

In the meantime you can unblock your pull requests by ignoring external Roslyn errors in your project like this:
Go to your project’s Administration tab > General Settings > External analyzers > C# Ignore issues from external Roslyn analyzers > enable the option. The security hotspot issues will disappear the next time your pull requests are analyzed.

Just to give some context: Security Hotspot issues are meant to help security auditors when they review an application. They are created on code which is security-sensitive, i.e. code where vulnerabilities generally occur. This code doesn’t necessarily contain a vulnerability. Security Hotspot issues normally never impact the quality gate, nor should they be visible on Pull Requests.

We apologize for the inconvenience.

Best regards,
Nicolas

Thank You so much, good luck!

Hi @tymur.musin,

The fix is now deployed on SonarCloud. You can re-enable the external Roslyn issues.
Thank you again for your patience.

Best regards,
Nicolas

Thank You very much!

How can we solve this issue in C# code? Please share code.
Issue: Make sure that exposing this HTTP endpoint is safe here.
Observe the code below.

#region Views
public ActionResult Index()
{
    if (SessionModel.CurrentAux.AuxCodeId == 0)
    {
        SetAdvisorAux(Constants.LoggedIn, false); // Added curly braces for sonarcube_vk_14
    }
    else
    {
        if (SessionModel.CurrentAux.Code == "IDLE")
        {
            SetAdvisorAux(Constants.IDLE, false);
        }
    }
    return View();
}
#endregion Views

Hi Payal,

Regarding how Security Hotspots are used, I invite you to read the documentation: https://docs.sonarqube.org/latest/user-guide/security-hotspots/
Security Hotspots are meant to help review only. They are never “fixed”.

As a side-note, this specific rule has been removed from the last version of SonarC# as it was too generic for developers.

Cheers,
Nicolas

Thanks Nicolas.