Description of the false positive
The paths that lead to an alert for using unsanitized user input actually sanitize the input in a resource filter that is applied when the endpoint is called. The code that sanitizes the input is called by the framework via an annotation, not from the body of the endpoint method itself:
@GET
@Path("/task/{taskid}")
@Produces(MediaType.APPLICATION_JSON)
@ResourceFilters(TaskResourceFilter.class)
public Response getTaskPayload(@PathParam("taskid") String taskid)
In the example above, TaskResourceFilter calls TaskIdUtils.validateId("taskId", taskId), which sanitizes the user-provided taskid before getTaskPayload runs.
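As an added illustration (not Druid's own TaskResourceFilter), the following Jersey 1.x resource filter shows the pattern described above: the framework invokes filter() for every method annotated with @ResourceFilters(TaskIdValidatingFilter.class), so the {taskid} segment is validated before the resource method body is ever reached. The class name, the validation rule and the error response are assumptions made for this example.

```java
// Added example, not Druid's code. Demonstrates a Jersey 1.x ResourceFilter that
// validates the path segment following "task" (as in @Path("/task/{taskid}"))
// before the annotated resource method runs.
import com.sun.jersey.spi.container.ContainerRequest;
import com.sun.jersey.spi.container.ContainerRequestFilter;
import com.sun.jersey.spi.container.ContainerResponseFilter;
import com.sun.jersey.spi.container.ResourceFilter;
import java.util.List;
import java.util.regex.Pattern;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.PathSegment;
import javax.ws.rs.core.Response;

public class TaskIdValidatingFilter implements ResourceFilter, ContainerRequestFilter {
    // Constructed rule for illustration (not TaskIdUtils' actual rule): letters, digits,
    // '_', ':', '.', '-' only, and never a ".." sequence that could walk up a directory.
    private static final Pattern SAFE_ID = Pattern.compile("[A-Za-z0-9_:.-]+");

    static boolean isSafeTaskId(String id) {
        return id != null && SAFE_ID.matcher(id).matches() && !id.contains("..");
    }

    @Override
    public ContainerRequest filter(ContainerRequest request) {
        // Find the segment right after "task"; that is the {taskid} path parameter.
        List<PathSegment> segments = request.getPathSegments();
        for (int i = 0; i + 1 < segments.size(); i++) {
            if ("task".equals(segments.get(i).getPath())) {
                String taskId = segments.get(i + 1).getPath();
                if (!isSafeTaskId(taskId)) {
                    // Reject the request here; the resource method never executes.
                    throw new WebApplicationException(
                        Response.status(Response.Status.BAD_REQUEST)
                                .entity("invalid task id")
                                .build());
                }
                return request; // validated: @PathParam("taskid") is now safe to use
            }
        }
        // No task segment at all: nothing to validate, so refuse rather than guess.
        throw new WebApplicationException(Response.status(Response.Status.BAD_REQUEST).build());
    }

    @Override public ContainerRequestFilter getRequestFilter() { return this; }
    @Override public ContainerResponseFilter getResponseFilter() { return null; }
}
```

Because the only link between getTaskPayload and this filter is the @ResourceFilters annotation resolved by the framework at runtime, a taint analysis that follows direct calls from the method body will not see the validation on the path to the sink.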
URL to the alert on the project page on LGTM.com
https://lgtm.com/projects/g/apache/druid/snapshot/ce88d8bc22c39005aa95b1fbb4c8ac6db7cd3a2d/files/indexing-service/src/main/java/org/apache/druid/indexing/common/tasklogs/FileTaskLogs.java?sort=name&dir=ASC&mode=heatmap#xe70f4b4d42e835a0:1