ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S3751/java/rule.adoc
Egon Okerman d1417e82f8
Modify CWE and OWASP Top 10 links to follow standard link format (APPSEC-1134) (#3529) 
* Fix all CWE references

* Fix all OWASP references

* Fix missing CWE prefixes
2024-01-15 17:15:56 +01:00

70 lines
2.5 KiB
Plaintext
Raw Permalink Blame History

== Why is this an issue?
A method with a ``++@RequestMapping++`` annotation part of a class annotated with ``++@Controller++`` (directly or indirectly through a meta annotation - ``++@RestController++`` from Spring Boot is a good example) will be called to handle matching web requests. That will happen even if the method is ``++private++``, because Spring invokes such methods via reflection, without checking visibility.
So marking a sensitive method ``++private++`` may seem like a good way to control how such code is called. Unfortunately, not all Spring frameworks ignore visibility in this way. For instance, if you've tried to control web access to your sensitive, ``++private++``, ``++@RequestMapping++`` method by marking it ``++@Secured++`` ... it will still be called, whether or not the user is authorized to access it. That's because AOP proxies are not applied to private methods.
In addition to ``++@RequestMapping++``, this rule also considers the annotations introduced in Spring Framework 4.3: ``++@GetMapping++``, ``++@PostMapping++``, ``++@PutMapping++``, ``++@DeleteMapping++``, ``++@PatchMapping++``.
=== Noncompliant code example
[source,java]
----
@RequestMapping("/greet", method = GET)
private String greet(String greetee) { // Noncompliant
----
=== Compliant solution
[source,java]
----
@RequestMapping("/greet", method = GET)
public String greet(String greetee) {
----
== Resources
* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
=== Message
Make this method non "private".
=== Highlighting
``++protected String methodName++``
'''
== Comments And Links
(visible only on this page)
=== on 14 Oct 2016, 20:21:04 Ann Campbell wrote:
https://sebastian.marsching.com/blog/archives/149-Springs-RequestMapping-annotation-works-on-private-methods.html
=== on 23 Feb 2018, 15:16:32 Alexandre Gigleux wrote:
@Controller = org.springframework.stereotype.Controller
@RestController = org.springframework.web.bind.annotation.RestController
@RequestMapping = org.springframework.web.bind.annotation.RequestMapping
=== on 26 Oct 2020, 17:05:17 Alexandre Gigleux wrote:
I'm changing the severity from Blocker to Major because the vulnerability is not directly exploitable. No CVEs were raised in the past because of this misconfiguration which is also an indicator that the rule should not be a Blocker one.
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink