Spring RestController - java.util.Optional not recognized

Clean Code Report False-positive / False-negative...
, , ,
1

version: 9.9 Datacenter Edition (deployed as zip)

When using java.util.Optional with Spring RestController, it is not recognized as tainted source.

sample code:

@RestController
@RequestMapping("api/test")
public class TestController {
	@GetMapping(value={"/{value1}/{value2}"})
	public String test(@PathVariable String value1, @PathVariable Optional<String> value2) {
		File file1 = new File(value1.get());
		file1.delete(); // detected by javasecurity:S2083

		File file2 = new File(value2);
		file2.delete(); // not detected by javasecurity:S2083

		return "done";
	}
}
4

Hello Roman,

Thanks a lot for the report and nice reproducer! I have created an internal ticket to tackle this problem. I also think it makes sense to add Optional as a passthrough, as you wrote in the other post. But to raise an issue here, we will have to do some additional changes in the analyzer.