We are using the gradle sonarqube scanner version 4.4.0.3356 and our own on-prem sonarqube server DE 9.9
We are getting vulnerability results “Change this code to not log user-controlled data.”
The code in question is a Spring MVC @Controller method with an autowired parameter @AuthenticationPrincipal User user. The offending line is logger.debug("User: {}", user.getSubject());
Is this a false positive? Or does spring not control\manage\protect the contents of its security context as well as I think? Ideally, I would expect that the user does not have direct control over the contents of @AuthenticationPrincipal
Can you provide a more complete code sample? Describing a piece of code rather than providing a self-contained reproducer makes it really hard to investigate.
Thank you for the code example. The vulnerability triggered on the return line (S5131 " Endpoints should not be vulnerable to reflected cross-site scripting (XSS) attacks") is not the same as the vulnerability you mentioned earlier (S5145 “Logging should not be vulnerable to injection attacks”).
The method getName() of the interface java.security.Principal is considered dangerous but not for S5145 since it is not possible to inject new lines into the logs using this source. This is why in your example, SonarQube is not triggering on the line:
logger.debug(user.getName());
It does trigger (S5131) on the return line since the result of getName() is directly returned.
In your first message, you mentioned getSubject, not getName. getSubject is not a member of java.security.Principal so I am not sure in which interface it is declared and in which class it is implemented. Depending on what this method is doing, it may be possible to inject new lines into the logs and thus SonarQube triggers but without more information about your code, it is only a guess.
Sebastien, thank you for responding. My previous reference to getSubject() was referencing the spring OidcUser object which is actually what we are accessing rather than what I provided in the sample, I thought Principal would be an easier generalization of the issue.
However, regardless of if its S5145 or S5131, I still have a question about why this is considered unsafe. The passed in Principal object in the example is not user-input, but rather wired by Spring Security from the security context using the AuthenticationPrincipal annotation. It is information from the session rather than something that can be injected directly. (and in our case with OidcUser is only made part of the session context after successful authentication).
I am not saying I am right, I’m just trying to understand. While I can certainly see how this might potentially leak sensitive data to a malicious third party, I do not understand how this is open to injection as implied by S5131.
We consider both the name (getName) and the password (getCredential) as unsafe because they are typically set by the user and thus potentially (indirectly) under the control of an attacker. For example, the following code has an injection vulnerability:
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
DBUser user = jdbcTemplate.queryForObject(
"select * from users where username='" + authentication.getName() + "' and password='" + authentication.getCredentials() + "'",
BeanPropertyRowMapper.newInstance(DBUser.class));
return new UsernamePasswordAuthenticationToken(user.getUsername(), user.getPassword(), null);
}
The name or the password can contain single quotes. Adding the AuthenticationPrincipal will not change anything. It does not sanitize the name or the password.
Regarding your original question, I tried the following code:
package sample;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import java.security.Principal;
@Controller
public class HomeController {
private final Log logger = LogFactory.getLog(this.getClass());
@GetMapping("/principal")
@ResponseBody
public String getPrincipal(Principal principal) {
logger.debug(principal.getName());
return "";
}
@GetMapping(value="/authentication-principal")
@ResponseBody
public String getAuthenticationPrincipal(@AuthenticationPrincipal Principal user) {
logger.debug(user.getName());
return "";
}
@GetMapping("/oidc")
@ResponseBody
public String getOidcUserPrincipal(OidcUser user) {
logger.debug(user.getSubject());
return "";
}
@GetMapping("/oidc-authentication")
@ResponseBody
public String getOidcUserAuthenticationPrincipal(@AuthenticationPrincipal OidcUser principal) {
logger.debug(principal.getSubject());
return "";
}
}
So the Spring Security OAuth\OIDC process does not validate\sanitize basic information like a username before it stores it in the session? I guess I would have assumed that was the case. I’m surprised to hear that the username at this point can possibly be manipulated by a user.
Your code example does not appear to be using any Spring Security mechanisms to prove the point, and does not, in my opinion, relate to my original sample. In my case, the Principal object (or in your case the Authentication parameter) is not and can not be (to my knowledge) passed in or submitted by the user. While the AuthenticationPrincipal annotation may not sanitize anything, it is very specifically retrieving that information from a known, authenticated, context rather than user input.
In your example there is no context for who or what is using the public method. and it appears to be a method designed to naively authenticate a user based on user input. But in my example, if the user is not authenticated, then the object wired in by AuthenticationPrincipal will be null, otherwise it will reflect the result of the Spring OAuth\OIDC authentication process (or whichever Spring Security authentication process is enabled) which is handled elsewhere. Neither of those possible outcomes are controllable by user input to the method in question.
Not in a way that will prevent all possible injections.
It was guessing on my part based on what I understood. It would be easier if you could provide some code that shows the issue you have (with getSubject and OidcUser and debug).
I can work on a more in-depth sample project. However, I noticed that all of your responses seem to be focusing on the details\nature of the class used as an input parameter to the method, and you have not yet commented on the semantics of the AuthenticationPrincipal annotation. In my opinion, this annotation is central to the discussion, because it defines additional semantics about how the data that object is populated with is handled and where that data comes from. Additionally, the annotation causes the parameter to not be exposed through the http endpoint to the user. If the semantics of a Spring annotation are outside the scope of a Sonar scan, then I can accept that, but it definitely seems like Sonar is aware of Spring and what it does.
I do not think that the semantics of AuthenticationPrincipal matter in the case of calling getSubject and debug. Even without it, the rule will not trigger on debug because it is not possible to inject new lines.
Yes. What the AuthenticationPrincipal attribute does is get the current principal from the session and bind the argument with its value. The argument is not directly under the control of an attacker. It is indirect (2nd order).
Yes, Sonar is aware of Spring and of its behavior.
What is not clear for me, is which rule triggers on which call with which class or interface. In the code example you gave, nothing is triggering on debug. Sonar triggers on the next line but this is for a completely different reason and for a different rule. All that is needed is a piece of code that triggers the rule you mentioned (“Change this code to not log user-controlled data.”). With this information, it will be possible to determine if it is a true positive or a false positive.