rspec/rules/S4834/java/rule.adoc

Controlling permissions is security-sensitive. It has led in the past to the following vulnerabilities:
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12999[CVE-2018-12999]
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10285[CVE-2018-10285]
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7455[CVE-2017-7455]

Attackers can only damage what they have access to. Thus limiting their access is a good way to prevent them from wreaking havoc, but it has to be done properly.
This rule flags code that controls the access to resources and actions. The goal is to guide security code reviews.

More specifically it will raise issues on the following Spring code:

* The definition of any class implementing interfaces
    ** <code>org.springframework.security.access.AccessDecisionVoter</code>
    ** <code>org.springframework.security.access.AccessDecisionManager</code>
    ** <code>org.springframework.security.access.AfterInvocationProvider</code>
    ** <code>org.springframework.security.access.PermissionEvaluator</code>
    ** <code>org.springframework.security.access.expression.SecurityExpressionOperations</code>
    ** <code>org.springframework.security.access.expression.method.MethodSecurityExpressionHandler</code>
    ** <code>org.springframework.security.core.GrantedAuthority</code>
    ** <code>org.springframework.security.acls.model.PermissionGrantingStrategy</code>
* The definition of any class extending class
    ** <code>org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration</code>
* Any method annotated with
    ** Pre-post annotations: <code>@PreAuthorize</code>, <code>@PreFilter</code>, <code>@PostAuthorize</code> or <code>@PostFilter</code> from <code>org.springframework.security.access.prepost</code> package.
    ** <code>@org.springframework.security.access.annotation.Secured</code>
* Calls to any of the following methods
    ** <code>org.springframework.security.acls.model.MutableAclService</code>: <code>createAcl</code>, <code>deleteAcl</code>, <code>updateAcl</code>
    ** <code>org.springframework.security.config.annotation.web.builders.HttpSecurity</code>: <code>authorizeRequests</code>
* The instantiation of an anonymous class implementing <code>org.springframework.security.core.GrantedAuthority</code> or of any class implementing this interface directly.

It will also raise issue on JSR-250 annotations <code>@RolesAllowed</code>, <code>@PermitAll</code> and <code>@DenyAll</code> from <code>javax.annotation.security</code> package.

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

include::../see.adoc[]
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`Controlling permissions is security-sensitive. It has led in the past to the following vulnerabilities:`
			`* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12999[CVE-2018-12999]`
			`* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10285[CVE-2018-10285]`
			`* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7455[CVE-2017-7455]`

			`Attackers can only damage what they have access to. Thus limiting their access is a good way to prevent them from wreaking havoc, but it has to be done properly.`
			`This rule flags code that controls the access to resources and actions. The goal is to guide security code reviews.`

			`More specifically it will raise issues on the following Spring code:`

			`* The definition of any class implementing interfaces`
			`** <code>org.springframework.security.access.AccessDecisionVoter</code>`
			`** <code>org.springframework.security.access.AccessDecisionManager</code>`
			`** <code>org.springframework.security.access.AfterInvocationProvider</code>`
			`** <code>org.springframework.security.access.PermissionEvaluator</code>`
			`** <code>org.springframework.security.access.expression.SecurityExpressionOperations</code>`
			`** <code>org.springframework.security.access.expression.method.MethodSecurityExpressionHandler</code>`
			`** <code>org.springframework.security.core.GrantedAuthority</code>`
			`** <code>org.springframework.security.acls.model.PermissionGrantingStrategy</code>`
			`* The definition of any class extending class`
			`** <code>org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration</code>`
			`* Any method annotated with`
			`** Pre-post annotations: <code>@PreAuthorize</code>, <code>@PreFilter</code>, <code>@PostAuthorize</code> or <code>@PostFilter</code> from <code>org.springframework.security.access.prepost</code> package.`
			`** <code>@org.springframework.security.access.annotation.Secured</code>`
			`* Calls to any of the following methods`
			`** <code>org.springframework.security.acls.model.MutableAclService</code>: <code>createAcl</code>, <code>deleteAcl</code>, <code>updateAcl</code>`
			`** <code>org.springframework.security.config.annotation.web.builders.HttpSecurity</code>: <code>authorizeRequests</code>`
			`* The instantiation of an anonymous class implementing <code>org.springframework.security.core.GrantedAuthority</code> or of any class implementing this interface directly.`

			`It will also raise issue on JSR-250 annotations <code>@RolesAllowed</code>, <code>@PermitAll</code> and <code>@DenyAll</code> from <code>javax.annotation.security</code> package.`

			`include::../ask-yourself.adoc[]`

			`include::../recommended.adoc[]`

			`include::../see.adoc[]`