
Sonar Taint analysis : javasecurity:S5131 : Forcing sanitization for Java Enums :


I have a REST API developed in Java. I am using Enums as my request parameters; let's say Gender is one of the Enums and the possible values of Gender are M and F. I understand that request parameters are user controlled. Sonar is complaining that it is tainted and I need to sanitize the input.

I am failing to understand how an Enum can be tainted and why it's posing a risk. We can't pass any random values to an Enum.

Looking forward to your suggestions.

public ResponseEntity<String> answers(
        @RequestParam(value = "genderId", required = true)
        GenderEnum genderId) { // genderId is tainted as it is controlled by user input

    SomeObject param = new SomeObject();
    param.setGenderId(genderId); // polluted too, as the request param is not sanitized

    // Let's assume you make some call to the DB
    String result = dbCall(genderId); // this is tainted too

    // the response is also tainted as it also uses non-sanitized input
    return ResponseEntity.ok("Hello " + genderId);
}

Any wrong value passed to the Enum will give you HTTP 400 Bad Request, which is perfectly fine.

I have asked the same question in the Sonar forum.
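To make the poster's point concrete, here is an added example (not code from the original post or from SonarSource) that mimics, in plain Java without Spring, what Spring's default String-to-enum request-parameter conversion does: an empty value becomes null, and every other value goes through Enum.valueOf, which throws IllegalArgumentException for any name that is not a declared constant. Spring MVC reports that failure as HTTP 400 Bad Request. The GenderEnum with constants M and F, the bind helper, and the answers method are all assumptions modelled on the post. The sample inputs, including the injection-looking ones, are constructed for the demo.

```java
import java.util.Arrays;
import java.util.List;

// Added example, not from the original post: shows why a value bound to an enum
// cannot carry arbitrary attacker-controlled bytes into the handler.
public class EnumBindingDemo {

    // Assumed shape of the poster's GenderEnum: two constants and nothing else.
    enum GenderEnum { M, F }

    // Mimics Spring's default StringToEnumConverterFactory behaviour (assumption,
    // not Spring's own code): empty -> null, otherwise Enum.valueOf on the trimmed
    // text. Enum.valueOf is case-sensitive and throws IllegalArgumentException for
    // an unknown name; Spring MVC turns that into an HTTP 400 response.
    static <E extends Enum<E>> E bind(Class<E> type, String raw) {
        if (raw == null || raw.isEmpty()) {
            return null;
        }
        return Enum.valueOf(type, raw.trim());
    }

    // Hypothetical handler body. The only values that can reach it are the enum
    // constants themselves, so "Hello " + genderId can only ever be "Hello M" or
    // "Hello F": the constant's name is fixed at compile time.
    static String answers(GenderEnum genderId) {
        return "Hello " + genderId;
    }

    // Runs one raw request value through binding and reports what happens.
    static String simulateRequest(String raw) {
        try {
            GenderEnum g = bind(GenderEnum.class, raw);
            if (g == null) {
                return "bound as null (empty value); handler would see no value";
            }
            return "bound as " + g.name() + "; response: \"" + answers(g) + "\"";
        } catch (IllegalArgumentException e) {
            return "rejected before the handler runs (would be HTTP 400): " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: valid names, a padded name, wrong case,
        // an unknown name, and two payloads an attacker might try.
        List<String> samples = Arrays.asList(
                "M", "F", " F ", "m", "X",
                "'; DROP TABLE users; --",
                "<script>alert(1)</script>",
                "");
        for (String s : samples) {
            System.out.printf("%-28s -> %s%n", "\"" + s + "\"", simulateRequest(s));
        }
    }
}
```

Running it shows that only M, F and the padded " F " bind successfully; "m", "X" and both payloads are rejected before any handler code runs, and only the two fixed constant names can ever appear in the response. The caveat a reviewer would add: this guarantee holds only while the handler receives the enum constant itself. If the application later registers a custom converter that accepts arbitrary strings, reads the raw request value before conversion, or overrides toString() to echo user-supplied data, the raw input is back in play and the taint warning becomes meaningful again.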


Solution

  • The above Enum issue will be fixed in a future release of Sonar. I will comment here once I get more information.

    Enum issue - Reply from Sonarsource