I’m trying to trigger the “Deserialization should not be vulnerable to injection attacks” vulnerability rule, which is enabled by default in the Sonar way profile, the profile I’m using on the project that’s being scanned. The reason for this is that I’m working on a fresh SonarQube setup and I want to make sure all the scans work properly.
I pretty much just copied the code that’s in that rule, and made sure that there aren’t any code smells that it could otherwise trigger on. Verbatim, the code added is:

```csharp
using System;
using System.IO;
using System.Xml.Serialization;

// Taken from the rule's own noncompliant example: the type to deserialize is
// resolved from a caller-supplied name, so the rule should flag it.
public static Object AnotherDeser(string typeName, Stream bytes)
{
    Type t = Type.GetType(typeName); // typeName is user-controlled
    XmlSerializer serializer = new XmlSerializer(t); // Noncompliant
    return serializer.Deserialize(bytes);
}
```
However, I do not see this vulnerability popping up in the scan report SonarQube creates. Do I still need to configure something to have the vulnerability and security hotspot checks work properly?
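For comparison, here is the compliant counterpart of the snippet above, as an added example that is not part of the original post or of the SonarSource rule text: the caller-supplied name is only used to select from a fixed allow-list of expected types, so `Type.GetType` is never called on user input. The `SafeDeserializer`, `Order` and `Customer` names and the allow-list contents are assumptions made for the example.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Text;
using System.Xml.Serialization;

// Constructed sample types that the application actually expects to receive.
public class Order { public int Id { get; set; } }
public class Customer { public string Name { get; set; } }

public static class SafeDeserializer
{
    // Assumed allow-list: the only types a caller-supplied name may resolve to.
    private static readonly Dictionary<string, Type> AllowedTypes =
        new Dictionary<string, Type>(StringComparer.Ordinal)
        {
            ["Order"] = typeof(Order),
            ["Customer"] = typeof(Customer),
        };

    // Hardened counterpart of AnotherDeser: the user-controlled name is looked up
    // in the allow-list instead of being passed to Type.GetType.
    public static object Deserialize(string typeName, Stream bytes)
    {
        if (typeName == null || !AllowedTypes.TryGetValue(typeName, out Type t))
        {
            throw new ArgumentException("Unexpected type name: " + typeName, nameof(typeName));
        }

        XmlSerializer serializer = new XmlSerializer(t); // Compliant: t is from the allow-list
        return serializer.Deserialize(bytes);
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample input: a well-formed Order document.
        using var stream = new MemoryStream(Encoding.UTF8.GetBytes("<Order><Id>42</Id></Order>"));
        var order = (Order)SafeDeserializer.Deserialize("Order", stream);
        Console.WriteLine("Order id: " + order.Id);

        // A name outside the allow-list is rejected before any serializer is built.
        try { SafeDeserializer.Deserialize("NotAnAllowedType", Stream.Null); }
        catch (ArgumentException e) { Console.WriteLine("Rejected: " + e.Message); }
    }
}
```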
Hello @bcd,
Thanks for sharing this false negative, I will look into it.
Could you please share the whole code example, including the class implementation and the imports?