We encountered a JavaSecurity:S5145 (“Change this code to not log user-controlled data”) false positive.
A very similar issue was reported in 2019 (and fixed in 2021), “False positive tainted input (JavaSecurity:S5145)”, except there the user input is received/validated as a path variable:
@PutMapping("log/pathvariable/{value}")
public void logPatternValidated(@PathVariable @Pattern(regexp = "^[A-Za-z0-9]+$") final String value) {
LOG.info("Value is pattern validated: {}", value);
}
whereas we receive and validate our input using a DTO as a request body parameter:
@PutMapping("log/dto")
public void logDtoPatternValidated(@Parameter(required = true) @Valid @RequestBody RequestDto requestDto) {
LOG.info("Value is pattern validated: {}", requestDto.getValue());
}
where the RequestDto class looks as follows:
public class RequestDto
{
private static final String ALPHANUMERIC = "^[A-Za-z0-9]+$";
@NotBlank
@Pattern(regexp = RequestDto.ALPHANUMERIC)
private String value;
// constructor, getter and setter omitted
}
Tested on self-hosted SonarQube 9.9, using the SonarScanner for Maven.
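The following is an added, stand-alone example and not code from the post above or from SonarSource. It uses only the JDK (java.util.regex instead of Bean Validation, so no Spring or Hibernate Validator dependency) to show two things: why the report is a false positive, since the same `^[A-Za-z0-9]+$` constraint the DTO applies rejects any value containing CR or LF before `LOG.info` can run, and a defensive fallback that strips line breaks before logging, which keeps a forged value on a single log record when the analyzer cannot trace the validation. The class and method names, the sample inputs, and the fallback are assumptions for illustration; the post does not say whether the analyzer treats such a replacement as a sanitizer.

```java
import java.util.regex.Pattern;

/**
 * Added example (not part of the original post): demonstrates what the
 * RequestDto's @Pattern constraint guarantees about a logged value, and a
 * CR/LF-stripping fallback for when taint analysis does not see that
 * validation. JDK only, so it compiles and runs with plain javac/java.
 */
public class LogInjectionDemo {

    // Same regular expression the post's RequestDto applies via @Pattern.
    private static final Pattern ALPHANUMERIC = Pattern.compile("^[A-Za-z0-9]+$");

    // Mirrors what @Valid + @Pattern enforces before the controller body runs:
    // a value that fails the pattern never reaches LOG.info.
    static boolean passesPatternValidation(String value) {
        return value != null && ALPHANUMERIC.matcher(value).matches();
    }

    // Assumed fallback, not from the post: replace CR and LF so a value cannot
    // terminate the current log record and forge a new one.
    static String stripLineBreaks(String value) {
        return value.replaceAll("[\r\n]", "_");
    }

    // Builds the same message the post's controller logs, without a logger.
    static String formatLogMessage(String value) {
        return "Value is pattern validated: " + value;
    }

    // Number of physical lines a message would occupy in a line-oriented log.
    static long lineCount(String message) {
        return message.lines().count();
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one benign, one attempting log forgery by
        // embedding a line break followed by a fake log record.
        String benign = "order42";
        String forged = "order42\n2024-01-01 INFO Admin login succeeded for user=root";

        System.out.println("benign passes @Pattern: " + passesPatternValidation(benign));
        System.out.println("forged passes @Pattern: " + passesPatternValidation(forged));

        // Unsanitized, the forged value spans several log lines; after
        // stripLineBreaks it stays on one line whatever the input was.
        System.out.println("lines if logged raw:       " + lineCount(formatLogMessage(forged)));
        System.out.println("lines if logged sanitized: " + lineCount(formatLogMessage(stripLineBreaks(forged))));
        System.out.println(formatLogMessage(stripLineBreaks(forged)));
    }
}
```

Running `java LogInjectionDemo.java` shows the forged value failing the pattern check and the sanitized message occupying a single line. In the real controller the check is performed by Bean Validation on the `@Valid @RequestBody` DTO, so the `LOG.info` call only ever sees alphanumeric input; the fallback is worth adding only if the analyzer's taint tracking has to be satisfied independently of that validation.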