
I am getting the below medium vulnerability highlighted in Checkmarx:

The rModificationRequest at r-config\com\mycompapi\RController.java in line# may unintentionally allow setting the value of saveAndFlush in modifyR, in the object r-config\com\mycompservices\RService.java at line#.

@RestController
@RequestMapping(path = "/api/v1/r", produces = MediaType.APPLICATION_JSON_VALUE)
@Api(tags = "R", value = "Endpoints for managing all the operations related to r")
@Slf4j
@Validated
public class RController {
    private final RService rService;
    private final ModelMapper modelMapper;
    
    @Autowired
    public RController(final RService rService,
                               final ModelMapper modelMapper) {
        this.rService = rService;
        this.modelMapper = modelMapper;
    }

    @ApiOperation(value = "Modify r information", nickname = "modifyR")
    @PatchMapping
    @ResponseStatus(HttpStatus.OK)
    public RResponse modifyRInfo(
            @RequestParam(name = "r-name") @NotBlank
            @Size(max = 256, message = "r name should have less than or equals to {max} characters") final String rName,
            @Valid @RequestBody RModificationRequest rModificationRequest) {

        final RModificationDto rModificationDto = modelMapper.map(rModificationRequest,
                                                                                  RModificationDto.class);

        final R r = rService.modifyR(rName, rModificationDto);

        return modelMapper.map(r, RResponse.class);
    }
}

@Service
public class RService {

    private final RRepository rRepository;

    @Autowired
    public RService(final RRepository rRepository) {

        this.rRepository = rRepository;
    }
    
    @Transactional
    @PublishNotification(operationType = OperationType.MODIFY)
    public R modifyR(final String rName, final RModificationDto rModificationDto) {

        final R r = findByRName(rName);
        final R modifiedR = RServiceHelper.getModifiedR(r, rModificationDto);
        rRepository.saveAndFlush(modifiedR);
        return modifiedR;
    }
}

What should I do here, or is it a false positive? I also don't see any comment on what to do, like SonarQube scans have, or maybe it's somewhere I don't know; I am new to Checkmarx.

  • "*at line#.*" is that the real text of the error, as opposed to some transcription error you've introduced? It doesn't have a line number? – Michael May 11 '21 at 14:16
  • You should include the name of the query that is reporting the issue. There is a (?) link next to the name of the query that usually describes the issue and what to do about it. The basic gist of the report is that you have an untrusted value received in rModificationRequest that makes a change to the DB. No validation or sanitization of the untrusted value will usually trigger these types of issues. – NathanL May 11 '21 at 21:28
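
Following the gist NathanL gives in the comment above (an untrusted request body flowing straight into a DB write), one defensive shape for the RServiceHelper.getModifiedR step is an explicit, allowlisted copy of only the client-changeable fields. This is an added example, not code from the question or the project; the entity and DTO field names (displayName, description, ownerId) are assumptions, and bean-validation annotations are left to the controller's existing @Valid/@Size.

```java
import java.util.Objects;
public class ExplicitModificationExample {

    // Entity as persisted. id and ownerId are assigned server-side and are
    // never taken from a request body.
    static final class R {
        final long id;
        final String ownerId;
        String displayName;
        String description;
        R(long id, String ownerId) { this.id = id; this.ownerId = ownerId; }
    }

    // Only fields a client is allowed to change exist here (assumed names). A
    // JSON body that also carries "id" or "ownerId" has no property to bind
    // to, so those values can never reach the entity through this path.
    static final class RModificationDto {
        String displayName;   // null means "leave unchanged"
        String description;   // null means "leave unchanged"
    }

    // Allowlisted, field-by-field copy with server-side bounds, in place of a
    // generic "copy every matching property" mapping onto the entity.
    static R getModifiedR(R r, RModificationDto dto) {
        Objects.requireNonNull(r, "r");
        Objects.requireNonNull(dto, "dto");
        if (dto.displayName != null) {
            String name = dto.displayName.trim();
            if (name.isEmpty() || name.length() > 256) {
                throw new IllegalArgumentException("displayName must be 1..256 characters");
            }
            r.displayName = name;
        }
        if (dto.description != null) {
            if (dto.description.length() > 1024) {
                throw new IllegalArgumentException("description exceeds 1024 characters");
            }
            r.description = dto.description;
        }
        return r; // caller persists it, e.g. rRepository.saveAndFlush(r) as in RService.modifyR
    }

    public static void main(String[] args) {
        R stored = new R(42L, "owner-a");          // constructed sample entity
        RModificationDto dto = new RModificationDto();
        dto.displayName = "  renamed  ";
        R out = getModifiedR(stored, dto);
        System.out.println(out.id + " " + out.ownerId + " " + out.displayName + " " + out.description);
    }
}
```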

0 Answers