rspec/rules/S4834/java/rule.adoc

Controlling permissions is security-sensitive. It has led in the past to the following vulnerabilities:

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12999[CVE-2018-12999]
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10285[CVE-2018-10285]
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7455[CVE-2017-7455]

Attackers can only damage what they have access to. Thus limiting their access is a good way to prevent them from wreaking havoc, but it has to be done properly.
This rule flags code that controls the access to resources and actions. The goal is to guide security code reviews.

More specifically it will raise issues on the following Spring code:

* The definition of any class implementing interfaces
** ``++org.springframework.security.access.AccessDecisionVoter++``
** ``++org.springframework.security.access.AccessDecisionManager++``
** ``++org.springframework.security.access.AfterInvocationProvider++``
** ``++org.springframework.security.access.PermissionEvaluator++``
** ``++org.springframework.security.access.expression.SecurityExpressionOperations++``
** ``++org.springframework.security.access.expression.method.MethodSecurityExpressionHandler++``
** ``++org.springframework.security.core.GrantedAuthority++``
** ``++org.springframework.security.acls.model.PermissionGrantingStrategy++``
* The definition of any class extending class
** ``++org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration++``
* Any method annotated with
** Pre-post annotations: ``++@PreAuthorize++``, ``++@PreFilter++``, ``++@PostAuthorize++`` or ``++@PostFilter++`` from ``++org.springframework.security.access.prepost++`` package.
** ``++@org.springframework.security.access.annotation.Secured++``
* Calls to any of the following methods
** ``++org.springframework.security.acls.model.MutableAclService++``: ``++createAcl++``, ``++deleteAcl++``, ``++updateAcl++``
** ``++org.springframework.security.config.annotation.web.builders.HttpSecurity++``: ``++authorizeRequests++``
* The instantiation of an anonymous class implementing ``++org.springframework.security.core.GrantedAuthority++`` or of any class implementing this interface directly.

It will also raise issue on JSR-250 annotations ``++@RolesAllowed++``, ``++@PermitAll++`` and ``++@DenyAll++`` from ``++javax.annotation.security++`` package.

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

include::../see.adoc[]
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`Controlling permissions is security-sensitive. It has led in the past to the following vulnerabilities:`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12999[CVE-2018-12999]`
			`* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10285[CVE-2018-10285]`
			`* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7455[CVE-2017-7455]`

			`Attackers can only damage what they have access to. Thus limiting their access is a good way to prevent them from wreaking havoc, but it has to be done properly.`
			`This rule flags code that controls the access to resources and actions. The goal is to guide security code reviews.`

			`More specifically it will raise issues on the following Spring code:`

			`* The definition of any class implementing interfaces`
make in-line code blocks verbatim 2021-01-27 13:42:22 +01:00			** ``++org.springframework.security.access.AccessDecisionVoter++``
			** ``++org.springframework.security.access.AccessDecisionManager++``
			** ``++org.springframework.security.access.AfterInvocationProvider++``
			** ``++org.springframework.security.access.PermissionEvaluator++``
			** ``++org.springframework.security.access.expression.SecurityExpressionOperations++``
			** ``++org.springframework.security.access.expression.method.MethodSecurityExpressionHandler++``
			** ``++org.springframework.security.core.GrantedAuthority++``
			** ``++org.springframework.security.acls.model.PermissionGrantingStrategy++``
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`* The definition of any class extending class`
make in-line code blocks verbatim 2021-01-27 13:42:22 +01:00			** ``++org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration++``
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`* Any method annotated with`
make in-line code blocks verbatim 2021-01-27 13:42:22 +01:00			** Pre-post annotations: ``++@PreAuthorize++``, ``++@PreFilter++``, ``++@PostAuthorize++`` or ``++@PostFilter++`` from ``++org.springframework.security.access.prepost++`` package.
			** ``++@org.springframework.security.access.annotation.Secured++``
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`* Calls to any of the following methods`
make in-line code blocks verbatim 2021-01-27 13:42:22 +01:00			** ``++org.springframework.security.acls.model.MutableAclService++``: ``++createAcl++``, ``++deleteAcl++``, ``++updateAcl++``
			** ``++org.springframework.security.config.annotation.web.builders.HttpSecurity++``: ``++authorizeRequests++``
			* The instantiation of an anonymous class implementing ``++org.springframework.security.core.GrantedAuthority++`` or of any class implementing this interface directly.
Add rules 4000-4999 2020-06-30 12:49:37 +02:00
make in-line code blocks verbatim 2021-01-27 13:42:22 +01:00			It will also raise issue on JSR-250 annotations ``++@RolesAllowed++``, ``++@PermitAll++`` and ``++@DenyAll++`` from ``++javax.annotation.security++`` package.
Add rules 4000-4999 2020-06-30 12:49:37 +02:00
			`include::../ask-yourself.adoc[]`

			`include::../recommended.adoc[]`

			`include::../see.adoc[]`