@WebService/@WebMethod not recognized as taint source

There are various frameworks used for implementing services in Java.

One example is Spring RestController:

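```java
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("api")
public class SQLIService {
	@GetMapping("/{badvalue}")
	public void rest(@PathVariable String badvalue) {
		sqli(badvalue); // detected by javasecurity:S3649 (sqli is the SQL sink, not shown here)
	}
}
```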

Another example is JaxWS/J2EE @WebService:

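```java
import javax.jws.WebMethod;
import javax.jws.WebService;

@WebService
public class SQLIService {
	@WebMethod
	public void webservice(String badvalue) {
		sqli(badvalue); // not detected by javasecurity:S3649 (sqli is the SQL sink, not shown here)
	}
}
```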

When using RestController, the badvalue parameter is recognized as a tainted value; when using WebService/WebMethod, it is not.

I only tested rule S3649, but I guess other rules of the Java Security Analyzer are affected as well.

example file:
SQLIService.txt (1.2 KB)

my dependencies:
org.apache.openejb:javaee-api:6.0-6 (or any other j2ee lib)
org.springframework:spring-web:5.3.22 (any recent one should be fine)

our environment:
SonarQube Datacenter Edition 9.6.1
The scan was done through the Maven plugin with no special config; the Maven project only contains this single file.


Hey Roman,

Thanks a lot for this very detailed feedback, and thanks a lot for keeping on giving feedback, that is very much appreciated :pray:

You are absolutely right that our taint-related rules do not detect vulnerabilities on JaxWS/J2EE yet. I am starting an internal discussion and creating a ticket to handle that.

Have a good day!

Loris
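
While the taint rules do not model `@WebService`/`@WebMethod` parameters as sources, those entry points can be inventoried for manual review. The following is an added example, not part of the thread and not Sonar's code: a heuristic, regex-based scanner run over constructed sample sources; the function name `webmethod_entry_points` and the extra sample methods are assumptions.

```python
import re

# Constructed sample modelled on the thread's @WebService snippet, plus two
# extra methods (hypothetical) to exercise exclude=true and multiple parameters.
SAMPLE = '''
@WebService
public class SQLIService {
    @WebMethod
    public void webservice(String badvalue) { sqli(badvalue); }

    @WebMethod(exclude = true)
    public void internal(String x) { }

    @WebMethod(operationName = "lookup")
    public String find(int id, String name) { return null; }
}
'''
# Constructed sample: a Spring controller, which the analyzer already covers.
REST_SAMPLE = '''
@RestController
public class Other {
    @GetMapping("/{badvalue}")
    public void rest(@PathVariable String badvalue) { }
}
'''

# @WebMethod, optional (...) arguments, then a method signature up to ')'.
# Heuristic only: parameters carrying their own annotations are not handled.
WEBMETHOD = re.compile(
    r'@WebMethod\b\s*(?:\((?P<args>[^)]*)\))?\s*'
    r'(?:public\s+)?[\w<>\[\],.]+\s+(?P<name>\w+)\s*\((?P<params>[^)]*)\)')

def webmethod_entry_points(java_source):
    """Return [(method, [parameter names])] for exposed @WebMethod methods."""
    if not re.search(r'@WebService\b', java_source):
        return []  # not a JAX-WS endpoint class
    found = []
    for m in WEBMETHOD.finditer(java_source):
        if re.search(r'exclude\s*=\s*true', m.group('args') or ''):
            continue  # method is explicitly not exposed as an operation
        params = [p.split()[-1] for p in m.group('params').split(',') if p.strip()]
        found.append((m.group('name'), params))
    return found

if __name__ == '__main__':
    for name, params in webmethod_entry_points(SAMPLE):
        print(f'review manually: {name}({", ".join(params)})')
```

Every parameter it lists should be treated as untrusted input when reviewing the code paths that reach SQL or other sinks.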
