rspec/rules/S5804/java/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

In a Spring-security web application the username leaks when:

* The string used as argument of https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/core/userdetails/UserDetailsService.html[loadUserByUsername] method is used in an exception message:

----
public String authenticate(String username, String password) {
  // ....
  MyUserDetailsService s1 = new MyUserDetailsService();
  MyUserPrincipal u1 = s1.loadUserByUsername(username);

  if(u1 == null) {
    throw new BadCredentialsException(username+" doesn't exist in our database"); // Sensitive
  }
  // ....
}
----

* https://docs.spring.io/spring-security/site/docs/3.0.x/apidocs/org/springframework/security/core/userdetails/UsernameNotFoundException.html[UsernameNotFoundException] is thrown (except when it is in the loadUserByUsername method):

----
public String authenticate(String username, String password) {
  // ....
  if(user == null) {
      throw new UsernameNotFoundException("user not found"); // Sensitive
  }
  // ....
}
----

* https://docs.spring.io/spring-security/site/docs/4.0.x/apidocs/org/springframework/security/authentication/dao/AbstractUserDetailsAuthenticationProvider.html#setHideUserNotFoundExceptions-boolean-[HideUserNotFoundExceptions] is set to false:

----
DaoAuthenticationProvider daoauth = new DaoAuthenticationProvider();
daoauth.setUserDetailsService(new MyUserDetailsService());
daoauth.setPasswordEncoder(new BCryptPasswordEncoder()); 
daoauth.setHideUserNotFoundExceptions(false); // Sensitive
builder.authenticationProvider(daoauth);
----

== Compliant Solution

In a Spring-security web application:

* the same message should be used regardless of whether it is the wrong user or password:

----
public String authenticate(String username, String password) throws AuthenticationException {
  Details user = null;
  try {
    user = loadUserByUsername(username);
  } catch (UsernameNotFoundException | DataAccessException e) {
    // Hide this exception reason to not disclose that the username doesn't exist
  }
  if (user == null || !user.isPasswordCorrect(password)) {
     // User should not be able to guess if the bad credentials message is related to the username or the password
    throw new BadCredentialsException("Bad credentials");
  }
}
----

* https://docs.spring.io/spring-security/site/docs/4.0.x/apidocs/org/springframework/security/authentication/dao/AbstractUserDetailsAuthenticationProvider.html#setHideUserNotFoundExceptions-boolean-[HideUserNotFoundExceptions] should be set to true:

----
DaoAuthenticationProvider daoauth = new DaoAuthenticationProvider();
daoauth.setUserDetailsService(new MyUserDetailsService());
daoauth.setPasswordEncoder(new BCryptPasswordEncoder()); 
daoauth.setHideUserNotFoundExceptions(true); // Compliant
builder.authenticationProvider(daoauth);
----

include::../see.adoc[]
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`include::../description.adoc[]`

			`include::../ask-yourself.adoc[]`

			`include::../recommended.adoc[]`

			`== Sensitive Code Example`

			`In a Spring-security web application the username leaks when:`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00			`* The string used as argument of https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/core/userdetails/UserDetailsService.html[loadUserByUsername] method is used in an exception message:`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`----`
			`public String authenticate(String username, String password) {`
			`// ....`
			`MyUserDetailsService s1 = new MyUserDetailsService();`
			`MyUserPrincipal u1 = s1.loadUserByUsername(username);`

			`if(u1 == null) {`
			`throw new BadCredentialsException(username+" doesn't exist in our database"); // Sensitive`
			`}`
			`// ....`
			`}`
			`----`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00			`* https://docs.spring.io/spring-security/site/docs/3.0.x/apidocs/org/springframework/security/core/userdetails/UsernameNotFoundException.html[UsernameNotFoundException] is thrown (except when it is in the loadUserByUsername method):`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`----`
Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00			`public String authenticate(String username, String password) {`
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`// ....`
			`if(user == null) {`
			`throw new UsernameNotFoundException("user not found"); // Sensitive`
			`}`
			`// ....`
			`}`
			`----`

Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00			`* https://docs.spring.io/spring-security/site/docs/4.0.x/apidocs/org/springframework/security/authentication/dao/AbstractUserDetailsAuthenticationProvider.html#setHideUserNotFoundExceptions-boolean-[HideUserNotFoundExceptions] is set to false:`

			`----`
			`DaoAuthenticationProvider daoauth = new DaoAuthenticationProvider();`
			`daoauth.setUserDetailsService(new MyUserDetailsService());`
			`daoauth.setPasswordEncoder(new BCryptPasswordEncoder());`
			`daoauth.setHideUserNotFoundExceptions(false); // Sensitive`
			`builder.authenticationProvider(daoauth);`
			`----`

Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`== Compliant Solution`

			`In a Spring-security web application:`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00			`* the same message should be used regardless of whether it is the wrong user or password:`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`----`
Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00			`public String authenticate(String username, String password) throws AuthenticationException {`
			`Details user = null;`
			`try {`
			`user = loadUserByUsername(username);`
			`} catch (UsernameNotFoundException \| DataAccessException e) {`
			`// Hide this exception reason to not disclose that the username doesn't exist`
			`}`
			`if (user == null \|\| !user.isPasswordCorrect(password)) {`
			`// User should not be able to guess if the bad credentials message is related to the username or the password`
			`throw new BadCredentialsException("Bad credentials");`
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`}`
			`}`
			`----`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`* https://docs.spring.io/spring-security/site/docs/4.0.x/apidocs/org/springframework/security/authentication/dao/AbstractUserDetailsAuthenticationProvider.html#setHideUserNotFoundExceptions-boolean-[HideUserNotFoundExceptions] should be set to true:`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`----`
			`DaoAuthenticationProvider daoauth = new DaoAuthenticationProvider();`
			`daoauth.setUserDetailsService(new MyUserDetailsService());`
			`daoauth.setPasswordEncoder(new BCryptPasswordEncoder());`
			`daoauth.setHideUserNotFoundExceptions(true); // Compliant`
			`builder.authenticationProvider(daoauth);`
			`----`

			`include::../see.adoc[]`