Reputation: 750
The SonarQube hint (rule "Web applications should use validation filters") suggests this compliant solution:
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

public class ValidatingHttpRequest extends HttpServletRequestWrapper {
    public ValidatingHttpRequest(HttpServletRequest request) { super(request); }
    // ... override getParameter(), getHeader() etc. here to validate or reject values
}

public class ValidationFilter implements javax.servlet.Filter {
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        chain.doFilter(new ValidatingHttpRequest((HttpServletRequest) request), response);
    }
}
and in web.xml:
<filter>
<filter-name>ValidationFilter</filter-name>
<filter-class>com.myco.servlet.ValidationFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>ValidationFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
But I have no clue what validations are expected here. My code is a REST API (RESTEasy implementation) and all services are under the "/rest/*" path. Is this a false positive case?
Upvotes: 0
Views: 1238
Reputation: 1144
According to OWASP, injection flaws are one of the top application security risks (link). The basic prevention idea includes automatic validation of all input values using the whitelist approach. In order to implement it in Java EE, OWASP suggests using a custom filter; you can find more details with some restrictive patterns here.
tl;dr: Sonar requires you to filter out some potentially unsafe input characters.
In my opinion, this rule is too general and does not apply to all of the possible applications - it is possible to prevent code injection in many ways.
Upvotes: 1
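To make the whitelist-filter idea from the answer above concrete, here is an added example (not code from the question, the Sonar rule text, or OWASP) of a request wrapper that rejects any parameter or header value that does not match a per-name whitelist regex, plus the filter that installs it and turns a rejection into an HTTP 400. The class names, the `PARAM_RULES` table and the patterns in it are this example's own choices; a real application would derive them from its API contract.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

/** Example filter: rejects any parameter or header that does not match a whitelist pattern. */
public class ValidationFilter implements Filter {

    /** Thrown by the wrapper when a value fails validation; the filter maps it to a 400. */
    static final class ValidationException extends RuntimeException {
        ValidationException(String msg) { super(msg); }
    }

    static final class ValidatingHttpRequest extends HttpServletRequestWrapper {
        // Whitelist patterns keyed by parameter name (assumed names for this example);
        // a parameter without an explicit rule falls back to DEFAULT_PARAM.
        private static final Map<String, Pattern> PARAM_RULES = new HashMap<>();
        private static final Pattern DEFAULT_PARAM = Pattern.compile("^[\\p{Alnum} _.,-]{0,256}$");
        private static final Pattern DEFAULT_HEADER = Pattern.compile("^\\p{Print}{0,1024}$");
        static {
            PARAM_RULES.put("id", Pattern.compile("^[0-9]{1,18}$"));
            PARAM_RULES.put("email", Pattern.compile("^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}$"));
        }

        ValidatingHttpRequest(HttpServletRequest request) { super(request); }

        // Returns the value unchanged if it matches the rule, otherwise aborts the request.
        private static String check(String name, String value, Pattern rule) {
            if (value != null && !rule.matcher(value).matches()) {
                throw new ValidationException("invalid value for " + name);
            }
            return value;
        }

        @Override
        public String getParameter(String name) {
            return check(name, super.getParameter(name), PARAM_RULES.getOrDefault(name, DEFAULT_PARAM));
        }

        @Override
        public String[] getParameterValues(String name) {
            String[] values = super.getParameterValues(name);
            if (values != null) {
                Pattern rule = PARAM_RULES.getOrDefault(name, DEFAULT_PARAM);
                for (String v : values) check(name, v, rule);
            }
            return values;
        }

        @Override
        public Map<String, String[]> getParameterMap() {
            Map<String, String[]> map = super.getParameterMap();
            for (String name : map.keySet()) getParameterValues(name);
            return map;
        }

        // getHeaders(name) and getHeaderNames() would need the same treatment for full coverage.
        @Override
        public String getHeader(String name) {
            return check(name, super.getHeader(name), DEFAULT_HEADER);
        }
    }

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (!(request instanceof HttpServletRequest)) {
            chain.doFilter(request, response);
            return;
        }
        try {
            chain.doFilter(new ValidatingHttpRequest((HttpServletRequest) request), response);
        } catch (ValidationException e) {
            // sendError() throws IllegalStateException once the response is committed,
            // so only translate the rejection into a 400 while that is still possible.
            if (!response.isCommitted()) {
                ((HttpServletResponse) response).sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
            }
        }
    }

    @Override
    public void destroy() { }
}
```

Register it with the web.xml shown in the question (or map it to /rest/* instead of /* if only the API should be covered). One caveat that matters for a JAX-RS service: these overrides only see query-string and form parameters and headers, because that is all `getParameter()` and `getHeader()` return. A JSON request body is read by RESTEasy through `getInputStream()`/`getReader()` and is not touched by this wrapper, so body validation still has to happen in the resource layer (for example through bean validation on the deserialized objects).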