rspec/rules/S4834/java/rule.adoc
Controlling permissions is security-sensitive. It has led in the past to the following vulnerabilities:
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12999[CVE-2018-12999]
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10285[CVE-2018-10285]
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7455[CVE-2017-7455]

Attackers can only damage what they have access to. Limiting their access is therefore a good way to prevent them from wreaking havoc, but it has to be done properly.
This rule flags code that controls the access to resources and actions. The goal is to guide security code reviews.
More specifically, it will raise issues on the following Spring code:
* The definition of any class implementing one of the following interfaces
** ``++org.springframework.security.access.AccessDecisionVoter++``
** ``++org.springframework.security.access.AccessDecisionManager++``
** ``++org.springframework.security.access.AfterInvocationProvider++``
** ``++org.springframework.security.access.PermissionEvaluator++``
** ``++org.springframework.security.access.expression.SecurityExpressionOperations++``
** ``++org.springframework.security.access.expression.method.MethodSecurityExpressionHandler++``
** ``++org.springframework.security.core.GrantedAuthority++``
** ``++org.springframework.security.acls.model.PermissionGrantingStrategy++``
* The definition of any class extending the class
** ``++org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration++``
* Any method annotated with
** Pre-post annotations: ``++@PreAuthorize++``, ``++@PreFilter++``, ``++@PostAuthorize++`` or ``++@PostFilter++`` from the ``++org.springframework.security.access.prepost++`` package.
** ``++@org.springframework.security.access.annotation.Secured++``
* Calls to any of the following methods
** ``++org.springframework.security.acls.model.MutableAclService++``: ``++createAcl++``, ``++deleteAcl++``, ``++updateAcl++``
** ``++org.springframework.security.config.annotation.web.builders.HttpSecurity++``: ``++authorizeRequests++``
* The instantiation of an anonymous class implementing ``++org.springframework.security.core.GrantedAuthority++`` or of any class implementing this interface directly.
It will also raise an issue on the JSR-250 annotations ``++@RolesAllowed++``, ``++@PermitAll++`` and ``++@DenyAll++`` from the ``++javax.annotation.security++`` package.
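The following Java file is an added example, not part of the rule description or of any Spring project: it collects several of the constructs listed above in one place so that a reviewer can see what the rule would flag and what to check at each location. It assumes Spring Security 5.x on the classpath; the package name, the `Document` type and the `DocumentPermissionEvaluator`, `MethodSecurityConfig` and `DocumentService` classes are hypothetical.

```java
// Added example, not from the original rule: code this rule would flag,
// with the review question a security code review would ask at each spot.
// Assumes Spring Security 5.x; all class and package names are hypothetical.
package com.example.security;

import java.io.Serializable;
import java.util.Collection;

import javax.annotation.security.RolesAllowed;

import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.stereotype.Service;

// Flagged: implements org.springframework.security.access.PermissionEvaluator.
// Review question: does it deny by default, including for null or unexpected input?
public class DocumentPermissionEvaluator implements PermissionEvaluator {

    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        // Anything that is not an explicitly recognised (subject, object, action) triple is denied.
        if (auth == null || !(target instanceof Document) || !"read".equals(permission)) {
            return false;
        }
        Document doc = (Document) target;
        return doc.ownerName.equals(auth.getName()) || hasAuthority(auth, "ROLE_ADMIN");
    }

    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId,
                                 String targetType, Object permission) {
        // Identifier-based checks are not supported by this evaluator, so they are denied
        // rather than silently allowed.
        return false;
    }

    private static boolean hasAuthority(Authentication auth, String name) {
        Collection<? extends GrantedAuthority> authorities = auth.getAuthorities();
        return authorities.stream().anyMatch(a -> name.equals(a.getAuthority()));
    }
}

// Flagged: extends GlobalMethodSecurityConfiguration.
// Review question: is the custom evaluator actually wired into the expression handler,
// and are the annotation styles used in the code base (pre/post, JSR-250) enabled?
@EnableGlobalMethodSecurity(prePostEnabled = true, jsr250Enabled = true)
class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
        handler.setPermissionEvaluator(new DocumentPermissionEvaluator());
        return handler;
    }
}

// Flagged: methods annotated with @PreAuthorize and the JSR-250 @RolesAllowed.
// Review question: is every sensitive method covered, and does each expression
// say what was intended (hasPermission vs hasRole, correct parameter reference)?
@Service
class DocumentService {
    @PreAuthorize("hasPermission(#doc, 'read')")
    public String read(Document doc) {
        return doc.body;
    }

    @RolesAllowed("ADMIN")
    public void delete(Document doc) {
        // deletion logic omitted
    }
}

// Hypothetical domain object used by the checks above.
class Document {
    final String ownerName;
    final String body;

    Document(String ownerName, String body) {
        this.ownerName = ownerName;
        this.body = body;
    }
}
```

Each flagged location is a place where the access decision is made or configured, which is exactly why the rule points a reviewer there: a permissive default in the evaluator, a configuration that never installs it, or an annotation missing from one service method would each leave a resource reachable without the intended check.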
include::../ask-yourself.adoc[]
include::../recommended.adoc[]
include::../see.adoc[]
ifdef::rspecator-view[]
== Comments And Links
(visible only on this page)
include::comments-and-links.adoc[]
endif::rspecator-view[]