S5146 false positive on Symfony RedirectResponse to self

Hey :slight_smile:,
Using SonarQube v9.5.0.56709, I’m getting the phpsecurity:S5146 security-vulnerability warning on the following Symfony code:

public function __invoke(Request $request) {
    ...
    $response = new RedirectResponse($request->getUri(), 303);
    ...

    return $response;
}

But we are redirecting the user to the same URL as the request came in, not based on a GET/POST variable.

Is there a security issue here I’m overlooking, and if so how should I fix it? Or is this a false positive?

Thanks in advance,

Hi Bram,

Sorry for the late reply! It is indeed a false-positive. I have created an internal ticket for it, thanks for the report!

2 Likes

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.