ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S4834/java/rule.adoc
Fred Tingaud 16f6c0aecf
Inline adoc when include has no additional value (#1940) 
Inline adoc files when they are included exactly once.

Also fix language tags because this inlining gives us better information
on what language the code is written in.
2023-05-25 14:18:12 +02:00

58 lines
2.9 KiB
Plaintext
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

Controlling permissions is security-sensitive. It has led in the past to the following vulnerabilities:
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12999[CVE-2018-12999]
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10285[CVE-2018-10285]
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7455[CVE-2017-7455]
Attackers can only damage what they have access to. Thus limiting their access is a good way to prevent them from wreaking havoc, but it has to be done properly.
This rule flags code that controls the access to resources and actions. The goal is to guide security code reviews.
More specifically it will raise issues on the following Spring code:
* The definition of any class implementing interfaces
** ``++org.springframework.security.access.AccessDecisionVoter++``
** ``++org.springframework.security.access.AccessDecisionManager++``
** ``++org.springframework.security.access.AfterInvocationProvider++``
** ``++org.springframework.security.access.PermissionEvaluator++``
** ``++org.springframework.security.access.expression.SecurityExpressionOperations++``
** ``++org.springframework.security.access.expression.method.MethodSecurityExpressionHandler++``
** ``++org.springframework.security.core.GrantedAuthority++``
** ``++org.springframework.security.acls.model.PermissionGrantingStrategy++``
* The definition of any class extending class
** ``++org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration++``
* Any method annotated with
** Pre-post annotations: ``++@PreAuthorize++``, ``++@PreFilter++``, ``++@PostAuthorize++`` or ``++@PostFilter++`` from ``++org.springframework.security.access.prepost++`` package.
** ``++@org.springframework.security.access.annotation.Secured++``
* Calls to any of the following methods
** ``++org.springframework.security.acls.model.MutableAclService++``: ``++createAcl++``, ``++deleteAcl++``, ``++updateAcl++``
** ``++org.springframework.security.config.annotation.web.builders.HttpSecurity++``: ``++authorizeRequests++``
* The instantiation of an anonymous class implementing ``++org.springframework.security.core.GrantedAuthority++`` or of any class implementing this interface directly.
It will also raise issue on JSR-250 annotations ``++@RolesAllowed++``, ``++@PermitAll++`` and ``++@DenyAll++`` from ``++javax.annotation.security++`` package.
include::../ask-yourself.adoc[]
include::../recommended.adoc[]
include::../see.adoc[]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::../message.adoc[]
'''
== Comments And Links
(visible only on this page)
=== on 27 Mar 2019, 10:10:40 Nicolas Harraudeau wrote:
Note: ``++javax.annotation++`` https://github.com/eclipse-ee4j/common-annotations-api/tree/master/src/main/java/javax/annotation/security[moved to eclipse EE4J]. See https://wiki.eclipse.org/New_Maven_Coordinates[Maven mapping].
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink