Taint Vulnerabilities - JavaSecurity:S5145 false positive

We encountered a JavaSecurity:S5145 (“Change this code to not log user-controlled data”) false positive.

A very similar issue was reported in 2019 (and fixed in 2021): False positive tainted input (JavaSecurity:S5145), except there the user input is received/validated as a path variable:

  @PutMapping("log/pathvariable/{value}")
  public void logPatternValidated(@PathVariable @Pattern(regexp = "^[A-Za-z0-9]+$") final String value) {
    LOG.info("Value is pattern validated: {}", value);
  }

whereas we receive and validate our input using a DTO as a request body parameter:

  @PutMapping("log/dto")
  public void logDtoPatternValidated(@Parameter(required = true) @Valid @RequestBody RequestDto requestDto) {
    LOG.info("Value is pattern validated: {}", requestDto.getValue());
  }

where the RequestDto class looks as follows:
public class RequestDto
{
    private static final String ALPHANUMERIC = "^[A-Za-z0-9]+$";

    @NotBlank
    @Pattern(regexp = RequestDto.ALPHANUMERIC)
    private String value;

    // constructor, getter and setter omitted
}

Tested on self-hosted SonarQube 9.9, using the SonarScanner for Maven.
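As an added example (not code from the original post), the following standalone check runs the DTO's constraints through the Bean Validation API directly, showing that the @Pattern the analyzer does not recognise as a sanitizer does reject the CR/LF characters that make logged user input a log-forging risk. It assumes the jakarta.validation package names and a provider such as Hibernate Validator on the classpath (older Spring Boot 2 projects use javax.validation instead).

```java
import java.util.Set;

import jakarta.validation.ConstraintViolation;
import jakarta.validation.Validation;
import jakarta.validation.Validator;
import jakarta.validation.constraints.NotBlank;
import jakarta.validation.constraints.Pattern;

// Added example, not the original poster's code. Mirrors the RequestDto from the
// report and checks, outside Spring, which inputs the @Valid @RequestBody binding
// would let through to the LOG.info call. Assumes a Bean Validation provider
// (e.g. Hibernate Validator) is on the classpath.
public class RequestDtoValidationCheck {

    public static class RequestDto {
        private static final String ALPHANUMERIC = "^[A-Za-z0-9]+$";

        @NotBlank
        @Pattern(regexp = ALPHANUMERIC)
        private String value;

        public RequestDto(String value) { this.value = value; }
        public String getValue() { return value; }
    }

    // True when the DTO satisfies the same constraints that @Valid enforces on the
    // request body. The provider matches the whole value against the pattern
    // (Matcher.matches()), so a trailing line terminator is rejected even though a
    // bare '$' in Java regex can match just before one.
    public static boolean isValid(Validator validator, String candidate) {
        Set<ConstraintViolation<RequestDto>> violations =
                validator.validate(new RequestDto(candidate));
        return violations.isEmpty();
    }

    public static void main(String[] args) {
        Validator validator = Validation.buildDefaultValidatorFactory().getValidator();

        // Constructed sample inputs: one benign value, two carrying line breaks that
        // would start a fake log line if logged unescaped, and an empty value.
        String[] samples = { "abc123", "abc\r\nINFO forged entry", "abc\n", "" };
        for (String s : samples) {
            String shown = s.replace("\r", "\\r").replace("\n", "\\n");
            System.out.printf("%-28s -> %s%n", "\"" + shown + "\"",
                    isValid(validator, s) ? "accepted" : "rejected");
        }
    }
}
```

Only "abc123" is accepted; the values containing \r or \n and the empty value all fail validation before the controller body runs, which is why the S5145 finding on requestDto.getValue() is a false positive.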

Hello,

Thanks for the report! There is already an internal ticket for this, but unfortunately it has not been implemented yet. I will try to make it more visible.

For now, please mark it as a false-positive.
