Sonar SAST Engine custom config

Hello,

I am trying to write another custom configuration, for the Java Security Engine, for the jakarta.ws.rs.core.Response.seeOther method. I want to mark the method as a sink for the S5146 rule. I cannot figure out how I can do it from the documentation.

My dummy code looks like this:

    @GET
    @Path("/redirect")
    @Produces(MediaType.TEXT_PLAIN)
    public Response redirectTest(@RestQuery("path") String path) throws Exception {
        URI uri = UriBuilder.fromPath(path).build();
        return Response.seeOther(uri).build();
    }

The configuration that I tried is the following:

    {
        "common": {
            "sources": [
                {
                    "methodId": "org.jboss.resteasy.reactive.RestQuery"
                }
            ]
        },
        "S5146": {
            "sinks": [
                {
                    "methodId": "jakarta.ws.rs.core.Response#seeOther(Ljava/net/URI;)Ljakarta/ws/rs/core/Response$ResponseBuilder;",
                    "args": [
                        1
                    ]
                }
            ]
        }
    }

If I try to do the same for the jakarta.ws.rs.core.UriBuilder.fromPath method it works with this configuration:

    {
        "common": {
            "sources": [
                {
                    "methodId": "org.jboss.resteasy.reactive.RestQuery"
                }
            ]
        },
        "S5146": {
            "sinks": [
                {
                    "methodId": "jakarta.ws.rs.core.UriBuilder#fromPath(Ljava/lang/String;)Ljakarta/ws/rs/core/UriBuilder;",
                    "args": [
                        1
                    ]
                }
            ]
        }
    }

Is the signature for the method not correctly constructed, or the configuration altogether missing something?
Are there some limitations to the SAST Engine custom configuration that I am missing?

I am running Sonar Enterprise, version 10.8.

Thank you

1 Like

Hello @Victor_Ciresica

Thanks for reaching out with a clear description of the problem and your initial investigation.

First, assuming you are using a relatively recent version of SonarQube Server, the sink jakarta.ws.rs.core.Response.seeOther should already be supported for S5146.

The source for org.jboss.resteasy.reactive.RestQuery is not though. What you added in the custom configuration seems correct.

What is missing is what is between the source and the sink: passthroughs. In the given example, the tainted elements pass through UriBuilder.fromPath and UriBuilder.build. You need to add them to your configuration:

    "common": {
        "passthroughs": [
            {
                "methodId": "jakarta.ws.rs.core.UriBuilder#fromPath(Ljava/lang/String;)Ljakarta/ws/rs/core/UriBuilder;",
                "args": [
                    1
                ]
            },
            {
                "methodId": "jakarta.ws.rs.core.UriBuilder#build([Ljava/lang/Object;)Ljava/net/URI;",
                "args": [
                    0
                ]
            }
        ]
    }

You might want to add other methods of the UriBuilder as well.

Furthermore, I will discuss internally if we want to add them to the default configuration, thanks for the lead.

Hope this helps.

Cheers,
Quentin

2 Likes
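As an added illustration of the answer above (not code from the thread or from Sonar), the script below assembles the complete custom configuration that the source, the two passthroughs and the sink from this thread add up to, and generates the methodId strings from Java-style type names so that the descriptor format can be checked rather than hand-typed. The JVM descriptor letters and the owner#name(params)return layout are those visible in the thread's own methodIds; the argument indexing (0 for the receiver object, 1 for the first parameter) is inferred from the passthrough entries above, and the helper names are the author's own.

```python
import json

# JVM descriptor letters for Java primitive types (fixed by the JVM specification).
PRIMITIVES = {
    "boolean": "Z", "byte": "B", "char": "C", "short": "S",
    "int": "I", "long": "J", "float": "F", "double": "D", "void": "V",
}


def type_descriptor(java_type: str) -> str:
    """Map a Java source type name to its JVM descriptor.

    'java.net.URI'      -> 'Ljava/net/URI;'
    'java.lang.Object[]' -> '[Ljava/lang/Object;'
    Nested classes are written with '$', e.g. 'jakarta.ws.rs.core.Response$ResponseBuilder'.
    """
    java_type = java_type.strip()
    dims = 0
    while java_type.endswith("[]"):          # peel off array dimensions
        java_type = java_type[:-2].rstrip()
        dims += 1
    if java_type in PRIMITIVES:
        base = PRIMITIVES[java_type]
    else:
        base = "L" + java_type.replace(".", "/") + ";"
    return "[" * dims + base


def method_id(owner: str, name: str, params, returns: str) -> str:
    """Build a methodId in the form used by the Sonar custom configuration:
    fully qualified owner class, '#', method name, JVM parameter and return descriptors."""
    param_desc = "".join(type_descriptor(p) for p in params)
    return f"{owner}#{name}({param_desc}){type_descriptor(returns)}"


def build_config() -> dict:
    """Merge source, passthroughs and sink for S5146 into one configuration (hypothetical helper)."""
    # Annotation-based source: written with the bare class name, as in the thread.
    source = {"methodId": "org.jboss.resteasy.reactive.RestQuery"}

    # Passthroughs: taint enters UriBuilder.fromPath via parameter 1 and leaves
    # UriBuilder.build via the receiver (index 0 is assumed to mean 'this').
    passthroughs = [
        {"methodId": method_id("jakarta.ws.rs.core.UriBuilder", "fromPath",
                               ["java.lang.String"], "jakarta.ws.rs.core.UriBuilder"),
         "args": [1]},
        {"methodId": method_id("jakarta.ws.rs.core.UriBuilder", "build",
                               ["java.lang.Object[]"], "java.net.URI"),
         "args": [0]},
    ]

    # Sink: Response.seeOther(URI). Per the answer above it is already built in on
    # recent versions, so this entry is redundant there but harmless.
    sink = {"methodId": method_id("jakarta.ws.rs.core.Response", "seeOther",
                                  ["java.net.URI"], "jakarta.ws.rs.core.Response$ResponseBuilder"),
            "args": [1]}

    return {
        "common": {"sources": [source], "passthroughs": passthroughs},
        "S5146": {"sinks": [sink]},
    }


def render_config() -> str:
    """Return the configuration as the JSON text that would be placed in the custom config file."""
    return json.dumps(build_config(), indent=2)


if __name__ == "__main__":
    print(render_config())
```

Running the script prints the merged JSON; the generated methodIds are identical to the ones quoted in the thread, which is a quick way to catch a mistyped descriptor (a missing `;`, a `.` instead of `/`, or an inner class written with `.` instead of `$`) before loading the file into SonarQube.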

Hello,

The configuration works, thank you for the solution! You are also right that jakarta.ws.rs.core.Response.seeOther is identified as a sink by default by Sonar; only the passthroughs are needed.

Thank you,
Victor

3 Likes
