SONARJAVA-4680 Add @AuthenticationPrincipal as an exception to the ru…

…le (#4503)
SonarSource · Oct 26, 2023 · dfbe32b · dfbe32b
1 parent fa86685
commit dfbe32b
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 5 deletions.
diff --git a/...test-sources/src/main/java/checks/spring/PersistentEntityUsedAsRequestParameterCheck.java b/...test-sources/src/main/java/checks/spring/PersistentEntityUsedAsRequestParameterCheck.java
@@ -5,6 +5,7 @@
 
 import com.fasterxml.jackson.annotation.JsonCreator;
 import org.springframework.data.mongodb.core.mapping.Document;
+import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.stereotype.Component;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.DeleteMapping;
@@ -50,6 +51,16 @@ public class Baz {
   @Controller
   class FooController {
 
+    @Entity
+    abstract class User implements UserDetails {
+      String username;
+      // ...
+    }
+    @GetMapping("/greet")
+    public void greet(@org.springframework.security.core.annotation.AuthenticationPrincipal User user) {
+      // do something with User
+    }
+
     @RequestMapping(path = "/foo", method = RequestMethod.POST)
     public void foo1(Foo foo) { // Noncompliant [[sc=26;ec=29]] {{Replace this persistent entity with a simple POJO or DTO object.}}
     }

diff --git a/...c/main/java/org/sonar/java/checks/spring/PersistentEntityUsedAsRequestParameterCheck.java b/...c/main/java/org/sonar/java/checks/spring/PersistentEntityUsedAsRequestParameterCheck.java
@@ -36,6 +36,11 @@ public List<Tree.Kind> nodesToVisit() {
     return Collections.singletonList(Tree.Kind.METHOD);
   }
 
+  private static final List<String> PARAMETER_ANNOTATION_EXCEPTIONS = List.of(
+    "org.springframework.web.bind.annotation.PathVariable",
+    "org.springframework.security.core.annotation.AuthenticationPrincipal"
+  );
+
   private static final List<String> REQUEST_ANNOTATIONS = List.of(
     "org.springframework.web.bind.annotation.RequestMapping",
     "org.springframework.web.bind.annotation.GetMapping",
@@ -51,8 +56,6 @@ public List<Tree.Kind> nodesToVisit() {
     "org.springframework.data.elasticsearch.annotations.Document"
   );
 
-  private static final String PATH_VARIABLE_ANNOTATION = "org.springframework.web.bind.annotation.PathVariable";
-
   private static final String JSON_CREATOR_ANNOTATION = "com.fasterxml.jackson.annotation.JsonCreator";
 
   @Override
@@ -62,7 +65,7 @@ public void visitNode(Tree tree) {
 
     if (isRequestMappingAnnotated(methodSymbol)) {
       methodTree.parameters().stream()
-        .filter(PersistentEntityUsedAsRequestParameterCheck::hasNoPathVariableAnnotation)
+        .filter(PersistentEntityUsedAsRequestParameterCheck::hasNoAllowedAnnotations)
         .filter(PersistentEntityUsedAsRequestParameterCheck::isPersistentEntity)
         .filter(PersistentEntityUsedAsRequestParameterCheck::hasNoCustomSerialization)
         .forEach(p -> reportIssue(p.simpleName(), "Replace this persistent entity with a simple POJO or DTO object."));
@@ -77,8 +80,8 @@ private static boolean isPersistentEntity(VariableTree variableTree) {
     return ENTITY_ANNOTATIONS.stream().anyMatch(variableTree.type().symbolType().symbol().metadata()::isAnnotatedWith);
   }
 
-  private static boolean hasNoPathVariableAnnotation(VariableTree variableTree) {
-    return !variableTree.symbol().metadata().isAnnotatedWith(PATH_VARIABLE_ANNOTATION);
+  private static boolean hasNoAllowedAnnotations(VariableTree variableTree) {
+    return PARAMETER_ANNOTATION_EXCEPTIONS.stream().noneMatch(variableTree.symbol().metadata()::isAnnotatedWith);
   }
 
   private static boolean hasNoCustomSerialization(VariableTree variableTree) {