49 lines
2.6 KiB
Plaintext
49 lines
2.6 KiB
Plaintext
Controlling permissions is security-sensitive. It has led in the past to the following vulnerabilities:
|
|
|
|
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12999[CVE-2018-12999]
|
|
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10285[CVE-2018-10285]
|
|
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7455[CVE-2017-7455]
|
|
|
|
Attackers can only damage what they have access to. Thus limiting their access is a good way to prevent them from wreaking havoc, but it has to be done properly.
|
|
|
|
This rule flags code that controls the access to resources and actions. The goal is to guide security code reviews.
|
|
|
|
|
|
More specifically it will raise issues on the following Spring code:
|
|
|
|
|
|
* The definition of any class implementing interfaces
|
|
** ``++org.springframework.security.access.AccessDecisionVoter++``
|
|
** ``++org.springframework.security.access.AccessDecisionManager++``
|
|
** ``++org.springframework.security.access.AfterInvocationProvider++``
|
|
** ``++org.springframework.security.access.PermissionEvaluator++``
|
|
** ``++org.springframework.security.access.expression.SecurityExpressionOperations++``
|
|
** ``++org.springframework.security.access.expression.method.MethodSecurityExpressionHandler++``
|
|
** ``++org.springframework.security.core.GrantedAuthority++``
|
|
** ``++org.springframework.security.acls.model.PermissionGrantingStrategy++``
|
|
* The definition of any class extending class
|
|
** ``++org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration++``
|
|
* Any method annotated with
|
|
** Pre-post annotations: ``++@PreAuthorize++``, ``++@PreFilter++``, ``++@PostAuthorize++`` or ``++@PostFilter++`` from ``++org.springframework.security.access.prepost++`` package.
|
|
** ``++@org.springframework.security.access.annotation.Secured++``
|
|
* Calls to any of the following methods
|
|
** ``++org.springframework.security.acls.model.MutableAclService++``: ``++createAcl++``, ``++deleteAcl++``, ``++updateAcl++``
|
|
** ``++org.springframework.security.config.annotation.web.builders.HttpSecurity++``: ``++authorizeRequests++``
|
|
* The instantiation of an anonymous class implementing ``++org.springframework.security.core.GrantedAuthority++`` or of any class implementing this interface directly.
|
|
|
|
It will also raise issue on JSR-250 annotations ``++@RolesAllowed++``, ``++@PermitAll++`` and ``++@DenyAll++`` from ``++javax.annotation.security++`` package.
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
include::../see.adoc[]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
include::comments-and-links.adoc[]
|
|
endif::env-github,rspecator-view[]
|