Controlling permissions is security-sensitive. It has led in the past to the following vulnerabilities:
Attackers can only damage what they have access to. Thus limiting their access is a good way to prevent them from wreaking havoc, but it has to be done properly.
This rule flags code that controls the access to resources and actions. The goal is to guide security code reviews.
More specifically it will raise issues on the following Spring code:
org.springframework.security.access.AccessDecisionVoter
org.springframework.security.access.AccessDecisionManager
org.springframework.security.access.AfterInvocationProvider
org.springframework.security.access.PermissionEvaluator
org.springframework.security.access.expression.SecurityExpressionOperations
org.springframework.security.access.expression.method.MethodSecurityExpressionHandler
org.springframework.security.core.GrantedAuthority
org.springframework.security.acls.model.PermissionGrantingStrategy
org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration
Pre-post annotations: @PreAuthorize
, @PreFilter
, @PostAuthorize
or
@PostFilter
from org.springframework.security.access.prepost
package.
@org.springframework.security.access.annotation.Secured
org.springframework.security.acls.model.MutableAclService
: createAcl
, deleteAcl
,
updateAcl
org.springframework.security.config.annotation.web.builders.HttpSecurity
: authorizeRequests
org.springframework.security.core.GrantedAuthority
or of any class
implementing this interface directly. It will also raise issue on JSR-250 annotations @RolesAllowed
, @PermitAll
and @DenyAll
from
javax.annotation.security
package.
You are at risk if you answered yes to the first question and any of the following ones.
The first step is to restrict all sensitive actions to authenticated users.
Each user should have the lowest privileges possible. The access control granularity should match the sensitivity of each resource or action. The more sensitive it is, the less people should have access to it.
Do not base the access control on a user input or on a value which might have been tampered with. For example, the developer should not read a user's permissions from an HTTP cookie as it can be modified client-side.
Check that the access to each action and resource is properly restricted.
Enable administrators to swiftly remove permissions when necessary. This enables them to reduce the time an attacker can have access to your systems when a breach occurs.
Log and monitor refused access requests as they can reveal an attack.