S3752 False positive when more than one method is defined

@RequestMapping(value = EndpointUrl.REGISTER_URL, method = { RequestMethod.PUT, RequestMethod.POST })

This causes a blocker issue. If I remove either PUT or POST the issue is gone. However the description states that this is only an issue if method is missing.

Hi,

Reading from the rule description, this is expected: https://rules.sonarsource.com/java/RSPEC-3752

This rule raises an issue when method is missing and when the method parameter is configured with more than one verb

I updated the code example to make this more explicit.

The rule should be refined to disallow GET to be mixed with other verbs rather than disallowing multiple verbs. I don't see that having PUT and POST handled by a single controller creates a security vulnerability, and doing so makes sense in some cases.

Hello @XcrigX

welcome to the community!

It could be a great improvement; more generally, this rule should raise only if a developer mixes safe and unsafe HTTP methods:

Unsafe methods are used to change the state of an application, thus they are sensitive operations, but this guideline is not often followed; for example, another user reported to us that OpenID Connect uses both GET and POST methods to simply retrieve some information. Thus, we will also change the issue type of this rule to security-hotspot, with all the explanations for developers to help them during the review.

Eric

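As an added example, not code from this thread or from SonarSource: a plain Java program (it assumes Spring Web on the classpath, and the `/register` constant stands in for EndpointUrl.REGISTER_URL) that applies the refinement Eric describes, flagging a handler only when its @RequestMapping mixes a safe verb such as GET with a state-changing one, so the PUT+POST mapping from the original post passes while a GET+POST mapping is reported.

```java
import java.lang.reflect.Method;
import java.util.EnumSet;
import java.util.Set;

import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

public class SafeUnsafeMixCheck {

    // Hypothetical constant standing in for EndpointUrl.REGISTER_URL from the thread.
    static final String REGISTER_URL = "/register";

    // Safe (read-only) verbs; every other RequestMethod is treated as state-changing.
    static final Set<RequestMethod> SAFE =
            EnumSet.of(RequestMethod.GET, RequestMethod.HEAD, RequestMethod.OPTIONS);

    // Sample handlers for the check only; this class is not registered as a Spring controller,
    // so the overlapping GET mappings below never reach Spring's handler mapping.
    static class Handlers {
        // Flagged: a safe verb (GET) and a state-changing verb (POST) share one handler.
        @RequestMapping(value = REGISTER_URL, method = { RequestMethod.GET, RequestMethod.POST })
        public String registerMixed() { return "ok"; }

        // Not flagged: PUT and POST are both state-changing (the mapping from the original post).
        @RequestMapping(value = REGISTER_URL, method = { RequestMethod.PUT, RequestMethod.POST })
        public String registerWrite() { return "ok"; }

        // Not flagged: read-only access on its own handler.
        @RequestMapping(value = REGISTER_URL, method = RequestMethod.GET)
        public String registerRead() { return "ok"; }
    }

    /** True when the handler's @RequestMapping lists at least one safe and one unsafe verb. */
    static boolean mixesSafeAndUnsafe(Method handler) {
        RequestMapping mapping = handler.getAnnotation(RequestMapping.class);
        if (mapping == null) return false;
        boolean safe = false, unsafe = false;
        for (RequestMethod m : mapping.method()) {
            if (SAFE.contains(m)) safe = true; else unsafe = true;
        }
        return safe && unsafe;
    }

    public static void main(String[] args) throws NoSuchMethodException {
        for (String name : new String[] { "registerMixed", "registerWrite", "registerRead" }) {
            Method m = Handlers.class.getMethod(name);
            System.out.println(name + ": " + (mixesSafeAndUnsafe(m) ? "FLAG mixed safe/unsafe verbs" : "ok"));
        }
    }
}
```

A handler with no method attribute at all (the other case the rule description covers) yields an empty `method()` array and is deliberately not reported here, since the check only implements the mixed-verb refinement.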