squid:S4684 (Persistent entities should not be used as arguments of “@RequestMapping” methods) false-positive on @AuthenticationPrincipal annotated arguments

versions used

  • SonarQube Community Edition - Version 8.9.3 (build 48735)
  • sonar-maven-plugin:3.9.0.2155

Hi,

in this scenario the scanner detects an issue on the rule squid:S4684 (Persistent entities should not be used as arguments of “@RequestMapping” methods)

import javax.persistence.Entity;
import org.springframework.security.core.userdetails.UserDetails;

@Entity
public class User implements UserDetails {
  String username;
  // ...
}

import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class MyController {
  @RequestMapping("/greet")
  public void greet(@AuthenticationPrincipal User user) {
    // do something with User
  }
}

This does effectively the same, and no issue is raised:

import org.springframework.security.core.Authentication;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class MyController {
  @RequestMapping("/greet")
  public void greet(Authentication authentication) {
    // the principal is the same User entity that @AuthenticationPrincipal would inject
    var user = (User) authentication.getPrincipal();
  }
}

@AuthenticationPrincipal annotated arguments are resolved by AuthenticationPrincipalArgumentResolver. To my understanding, using an @Entity user should be safe here and the detected issue is a false-positive.

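As an added example, not part of the original post or of Sonar's rule description: the following puts the situation S4684 is designed to flag (a persistent entity populated by Spring's data binding from request content, so that a client controls every bindable column) beside the @AuthenticationPrincipal pattern from the report, where the entity instance comes from the SecurityContext and only a small DTO is bound from the request. Class and field names (ProfileController, UnsafeProfileController, UpdateProfileRequest, UserRepository, admin, displayName) are assumptions made for this illustration.

```java
// Added example, not code from the original post or from SonarSource.
// ProfileController, UnsafeProfileController, UpdateProfileRequest,
// UserRepository and the field names are assumptions for this illustration.
import java.util.List;
import javax.persistence.Entity;
import javax.persistence.Id;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

@Entity
class User implements UserDetails {
  @Id Long id;
  String username;
  String password;
  String displayName;
  boolean admin;   // a column a client must never be able to set

  @Override public List<GrantedAuthority> getAuthorities() {
    return List.of(new SimpleGrantedAuthority(admin ? "ROLE_ADMIN" : "ROLE_USER"));
  }
  @Override public String getPassword() { return password; }
  @Override public String getUsername() { return username; }
  @Override public boolean isAccountNonExpired() { return true; }
  @Override public boolean isAccountNonLocked() { return true; }
  @Override public boolean isCredentialsNonExpired() { return true; }
  @Override public boolean isEnabled() { return true; }
}

// Assumed repository, present only so the controllers compile.
interface UserRepository { User save(User user); }

// Request DTO: exactly the fields a client is allowed to change.
class UpdateProfileRequest {
  public String displayName;
}

// Variant 1: what S4684 warns about. The entity is built by Spring's data
// binder from the request body, so whoever controls the JSON decides the value
// of every bindable field, including "admin" and "id", and save() persists it.
@RestController
class UnsafeProfileController {
  private final UserRepository users;
  UnsafeProfileController(UserRepository users) { this.users = users; }

  @PostMapping("/profile/unsafe")
  public void update(@RequestBody User user) {   // flagged by S4684, and rightly so
    users.save(user);
  }
}

// Variant 2: the pattern from the report. The User argument is resolved by
// AuthenticationPrincipalArgumentResolver from the SecurityContext, i.e. from the
// already-authenticated principal, not from request data. Only the DTO is bound
// from the body, and the code copies over the permitted field explicitly.
@RestController
class ProfileController {
  private final UserRepository users;
  ProfileController(UserRepository users) { this.users = users; }

  @PostMapping("/profile")
  public void update(@AuthenticationPrincipal User current,
                     @RequestBody UpdateProfileRequest req) {
    current.displayName = req.displayName;   // assumed field; nothing else is touched
    users.save(current);
  }
}
```

The distinction the rule needs to make is the source of the argument's value, not the type of the argument: in the second controller the entity never passes through the request data binder, which is why the report argues the issue is a false-positive.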

Hey Felix, I am sorry there was no visible response. We’ve nonetheless been tracking this and recently created a ticket: [SONARJAVA-4680] - Jira

Thank you for the report!
