ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S4834/java/rule.adoc
Arseniy Zaostrovnykh 4a8f474810 fix the nested lists and quotes
2021-01-06 17:38:34 +01:00

38 lines
2.3 KiB
Plaintext
Raw Blame History

Controlling permissions is security-sensitive. It has led in the past to the following vulnerabilities:
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12999[CVE-2018-12999]
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10285[CVE-2018-10285]
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7455[CVE-2017-7455]
Attackers can only damage what they have access to. Thus limiting their access is a good way to prevent them from wreaking havoc, but it has to be done properly.
This rule flags code that controls the access to resources and actions. The goal is to guide security code reviews.
More specifically it will raise issues on the following Spring code:
* The definition of any class implementing interfaces
** ``org.springframework.security.access.AccessDecisionVoter``
** ``org.springframework.security.access.AccessDecisionManager``
** ``org.springframework.security.access.AfterInvocationProvider``
** ``org.springframework.security.access.PermissionEvaluator``
** ``org.springframework.security.access.expression.SecurityExpressionOperations``
** ``org.springframework.security.access.expression.method.MethodSecurityExpressionHandler``
** ``org.springframework.security.core.GrantedAuthority``
** ``org.springframework.security.acls.model.PermissionGrantingStrategy``
* The definition of any class extending class
** ``org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration``
* Any method annotated with
** Pre-post annotations: ``@PreAuthorize``, ``@PreFilter``, ``@PostAuthorize`` or ``@PostFilter`` from ``org.springframework.security.access.prepost`` package.
** ``@org.springframework.security.access.annotation.Secured``
* Calls to any of the following methods
** ``org.springframework.security.acls.model.MutableAclService``: ``createAcl``, ``deleteAcl``, ``updateAcl``
** ``org.springframework.security.config.annotation.web.builders.HttpSecurity``: ``authorizeRequests``
* The instantiation of an anonymous class implementing ``org.springframework.security.core.GrantedAuthority`` or of any class implementing this interface directly.
It will also raise issue on JSR-250 annotations ``@RolesAllowed``, ``@PermitAll`` and ``@DenyAll`` from ``javax.annotation.security`` package.
include::../ask-yourself.adoc[]
include::../recommended.adoc[]
include::../see.adoc[]
Reference in New Issue View Git Blame Copy Permalink