rspec/rules/S3751/java/rule.adoc

A method with a ``++@RequestMapping++`` annotation part of a class annotated with ``++@Controller++`` (directly or indirectly through a meta annotation - ``++@RestController++`` from Spring Boot is a good example) will be called to handle matching web requests. That will happen even if the method is ``++private++``, because Spring invokes such methods via reflection, without checking visibility. 


So marking a sensitive method ``++private++`` may seem like a good way to control how such code is called. Unfortunately, not all Spring frameworks ignore visibility in this way. For instance, if you've tried to control web access to your sensitive, ``++private++``, ``++@RequestMapping++`` method by marking it ``++@Secured++`` ... it will still be called, whether or not the user is authorized to access it. That's because AOP proxies are not applied to non-public methods.


In addition to ``++@RequestMapping++``, this rule also considers the annotations introduced in Spring Framework 4.3: ``++@GetMapping++``, ``++@PostMapping++``, ``++@PutMapping++``, ``++@DeleteMapping++``, ``++@PatchMapping++``.


== Noncompliant Code Example

----
@RequestMapping("/greet", method = GET)
private String greet(String greetee) {  // Noncompliant
----


== Compliant Solution

----
@RequestMapping("/greet", method = GET)
public String greet(String greetee) {
----


== See

* https://www.owasp.org/index.php/Top_10-2017_A6-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration


ifdef::env-github,rspecator-view[]
== Comments And Links
(visible only on this page)

include::comments-and-links.adoc[]
endif::env-github,rspecator-view[]
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			A method with a ``++@RequestMapping++`` annotation part of a class annotated with ``++@Controller++`` (directly or indirectly through a meta annotation - ``++@RestController++`` from Spring Boot is a good example) will be called to handle matching web requests. That will happen even if the method is ``++private++``, because Spring invokes such methods via reflection, without checking visibility.


			So marking a sensitive method ``++private++`` may seem like a good way to control how such code is called. Unfortunately, not all Spring frameworks ignore visibility in this way. For instance, if you've tried to control web access to your sensitive, ``++private++``, ``++@RequestMapping++`` method by marking it ``++@Secured++`` ... it will still be called, whether or not the user is authorized to access it. That's because AOP proxies are not applied to non-public methods.


			In addition to ``++@RequestMapping++``, this rule also considers the annotations introduced in Spring Framework 4.3: ``++@GetMapping++``, ``++@PostMapping++``, ``++@PutMapping++``, ``++@DeleteMapping++``, ``++@PatchMapping++``.

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== Noncompliant Code Example`

			`----`
			`@RequestMapping("/greet", method = GET)`
			`private String greet(String greetee) { // Noncompliant`
			`----`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== Compliant Solution`

			`----`
			`@RequestMapping("/greet", method = GET)`
			`public String greet(String greetee) {`
			`----`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== See`

			`* https://www.owasp.org/index.php/Top_10-2017_A6-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration`
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00

Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

			`include::comments-and-links.adoc[]`
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`