SONARJAVA-6375 S3752: Allow explicit unsafe HTTP methods and change from hotspot to vulnerability#5617
Conversation
Agentic Analysis: Early ResultsAgentic Analysis and Context Augmentation are available on your project. Here are some issues that could have been prevented. Follow the links to learn how to put them into action. 10 issue(s) found across 1 file(s):
Analyzed by SonarQube Agentic Analysis in 10.7 s |
hashicorp-vault-sonar-prod
Bot
changed the title
SummaryThis PR converts rule S3752 from a security hotspot to a vulnerability and fundamentally changes what the rule detects. What changed:
Why it changed: Impact:
What reviewers should knowStart by reviewing:
Key points for reviewers:
|
![sonar-review-alpha[bot]](https://avatars.githubusercontent.com/in/3025063?s=60&v=4){kind=small}
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
dorian-burihabwa-sonarsource
left a comment
dorian-burihabwa-sonarsource
left a comment
There was a problem hiding this comment.
(commenting to avoid blocking the work)The change looks good to me, however I think we should probably update the rule description as the scope of findings has changed now (regardless of whether the rule should be a hotspot or a vulnerability). I would like to avoid merging the code now and releasing with an inconsistent implementation and description.
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
The RSPEC update has been merged: https://github.com/SonarSource/rspec/pull/6822 |
daniel-teuchert-sonarsource
temporarily deployed
to
dev
GitHub Actions
Inactive
|
The RSPEC changes are now also added to this PR. |
There was a problem hiding this comment.
The documentation update is well-structured and the metadata changes are appropriate. One documentation gap worth discussing: the HTML docs don't mention the ErrorController exemption or the class-level inheritance behaviour (inheritRequestMethod), which could confuse users who hit those edge cases.
| <h4>Noncompliant code example</h4> | ||
| <pre data-diff-id="1" data-diff-type="noncompliant"> | ||
| @RequestMapping("/delete_user") // Noncompliant: by default all HTTP methods are allowed | ||
| public String delete1(String username) { | ||
| // state of the application will be changed here | ||
| } | ||
|
|
||
| @RequestMapping(path = "/delete_user", method = {RequestMethod.GET, RequestMethod.POST}) // Sensitive: both safe and unsafe methods are allowed | ||
| String delete2(@RequestParam("id") String id) { | ||
| // state of the application will be changed here | ||
| } | ||
| </pre> | ||
| <h2>Compliant Solution</h2> | ||
| <pre> | ||
| @RequestMapping("/delete_user", method = RequestMethod.POST) // Compliant | ||
| <h4>Compliant solution</h4> | ||
| <pre data-diff-id="1" data-diff-type="compliant"> | ||
| @RequestMapping("/delete_user", method = RequestMethod.POST) | ||
| public String delete1(String username) { | ||
| // state of the application will be changed here | ||
| } |
There was a problem hiding this comment.
The documentation examples only cover the simplest case (no method attribute at all). Two real-world scenarios that users will encounter are not mentioned:
- Class-level inheritance — if a
@RequestMappingon the class specifiesmethod, a method-level@RequestMappingwithoutmethodis compliant because it inherits from the class. A user who sees the rule fire on their method-level annotation may be confused if they don't know this, or they may not realise they don't need to repeat the method on every handler. ErrorControllerexemption — the rule silently skips any class implementingErrorController. Users who happen to land on this documentation while investigating why theirErrorControlleris (or isn't) flagged will find no explanation.
Consider adding a short note after the compliant example, e.g.:
<p>Routes that inherit an explicit HTTP method from a class-level <code>@RequestMapping</code> are also compliant.
Endpoints in classes that implement <code>ErrorController</code> are excluded from this rule.</p>There was a problem hiding this comment.
I think those examples are a bit too specific for the RSPEC, also this would need to be another RSPEC PR so I will keep it as it is for this PR.
| "code": { | ||
| "impacts": { | ||
| "SECURITY": "LOW" |
There was a problem hiding this comment.
The severity is Minor for a rule now typed as VULNERABILITY. CSRF is typically classified as at least Medium in most security frameworks (OWASP rates it as a meaningful risk). Is Minor intentional here, or should it be raised to Medium/Major to match the threat level described in the updated HTML documentation?
There was a problem hiding this comment.
It is intentional. This used to be a security hotspot so we should not have a too high impact.
|
dorian-burihabwa-sonarsource
left a comment
dorian-burihabwa-sonarsource
left a comment
There was a problem hiding this comment.
LGTM 👍🏿 Thanks for including the changes to the rule description
For merging, you could go 1 of 2 ways:
- Rework the changes into 2 commits:
a.SONARJAVA-6375 S3752: Allow explicit unsafe HTTP methods
b.SONARJAVA-6375 S3752: Change from hotspot to vulnerability - Changing the title of the PR for something a little more explicit like
SONARJAVA-6375 S3752: Allow explicit unsafe HTTP methods and change from hotspot to vulnerability
daniel-teuchert-sonarsource
changed the title
daniel-teuchert-sonarsource
deleted the
appsec/adjust-s3752-for-conversion
branch
2 participants
We are converting this rule to a vulnerability. To make sure that this rule brings the most value, we decided to stop raising when HTTP verbs are explicitly allowed and only raise when implicitly all verbs are allowed for an endpoint.