Rules Repository / RSPEC-4601

"HttpSecurity" URL patterns should be correctly ordered

    Details

    • Type: Vulnerability Detection
    • Status: Active
    • Resolution: Unresolved
    • Labels:
    • Message:
      Reorder the URL patterns from most to less specific, the pattern "XXX" should occur before "YYY".
    • Highlighting:

      Primary: The antMatchers pattern that is useless.
      Secondary: The previous antMatchers pattern that matches a super set of the useless one.

    • Default Severity:
      Critical
    • Impact:
      High
    • Likelihood:
      Low
    • Default Quality Profiles:
      Sonar way
    • Covered Languages:
      Java
    • Irrelevant for Languages:
      ABAP, C#, C, C++, Cobol, CSS, Flex, Go, HTML, JavaScript, Objective-C, PHP, PL/I, PL/SQL, Python, RPG, Swift, T-SQL, TypeScript, VB.Net, VB6, XML
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      10min
    • Analysis Scope:
      Main Sources
    • OWASP:
      A6

      Description

      URL patterns configured on an HttpSecurity.authorizeRequests() method are evaluated in the order in which they are declared. It is easy to make the mistake of declaring a less restrictive configuration before a more restrictive one, so the order of the "antMatchers" declarations should be reviewed. If "/**" is declared, it should be the last pattern.

      This rule raises an issue when:

      • A pattern is preceded by another that ends with * and has the same beginning, e.g. /page-admin/db/* is declared after /page-admin/**
      • A pattern without wildcard characters is preceded by another that matches it, e.g. /page-index/db is declared after /page*/**

      Noncompliant Code Example

        import org.springframework.context.annotation.Configuration;
        import org.springframework.security.config.annotation.web.builders.HttpSecurity;
        import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
        import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
        @Configuration
        @EnableWebSecurity
        public class SecurityConfig extends WebSecurityConfigurerAdapter { // enclosing class added for completeness; the rule only shows configure()
          @Override
          protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
              .antMatchers("/resources/**", "/signup", "/about").permitAll() // Compliant
              .antMatchers("/admin/**").hasRole("ADMIN")
              .antMatchers("/admin/login").permitAll() // Noncompliant; the pattern "/admin/login" should occur before "/admin/**"
              .antMatchers("/**", "/home").permitAll()
              .antMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')") // Noncompliant; the pattern "/db/**" should occur before "/**"
              .and().formLogin().loginPage("/login").permitAll().and().logout().permitAll();
          }
        }
      

      Compliant Solution

        import org.springframework.context.annotation.Configuration;
        import org.springframework.security.config.annotation.web.builders.HttpSecurity;
        import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
        import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
        @Configuration
        @EnableWebSecurity
        public class SecurityConfig extends WebSecurityConfigurerAdapter { // enclosing class added for completeness; the rule only shows configure()
          @Override
          protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
              .antMatchers("/resources/**", "/signup", "/about").permitAll() // Compliant
              .antMatchers("/admin/login").permitAll()
              .antMatchers("/admin/**").hasRole("ADMIN") // Compliant; the specific "/admin/login" now comes first
              .antMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')")
              .antMatchers("/**", "/home").permitAll() // Compliant; "/**" is the last one
              .and().formLogin().loginPage("/login").permitAll().and().logout().permitAll();
          }
        }
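The rule's two conditions applied to the noncompliant and compliant examples above, as an added illustration in Python that is not part of the rule or of SonarQube's Java analyzer. The ant-style matcher (`**` spans path segments, `*` and `?` stay within one segment) is a simplified stand-in for Spring's AntPathMatcher, and patterns are compared only against earlier antMatchers() calls, an assumption about how the rule groups them.

```python
import re

WILDCARDS = "*?"

def ant_to_regex(pattern):
    """Translate an ant-style path pattern into an anchored regex:
    '**' spans any number of segments, '*' and '?' stay within one segment."""
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return "^" + "".join(out) + "$"

def shadows(earlier, later):
    """True when 'earlier' makes 'later' useless under the rule's two conditions."""
    # Condition 1: earlier ends with '*' and later shares its leading part
    if earlier.endswith("*") and later.startswith(earlier.rstrip("*")):
        return True
    # Condition 2: later has no wildcard and is matched outright by earlier
    if not any(ch in later for ch in WILDCARDS):
        return re.match(ant_to_regex(earlier), later) is not None
    return False

def find_misordered(matcher_calls):
    """matcher_calls: list of antMatchers() argument lists in declaration order.
    Returns (useless_pattern, earlier_pattern) pairs. Patterns are checked only
    against earlier calls, so "/**", "/home" within one call raises nothing."""
    findings, seen = [], []
    for call in matcher_calls:
        for pattern in call:
            for earlier in seen:
                if shadows(earlier, pattern):
                    findings.append((pattern, earlier))
                    break
        seen.extend(call)
    return findings

# Constructed inputs mirroring the two code examples on this page
NONCOMPLIANT = [["/resources/**", "/signup", "/about"], ["/admin/**"],
                ["/admin/login"], ["/**", "/home"], ["/db/**"]]
COMPLIANT = [["/resources/**", "/signup", "/about"], ["/admin/login"],
             ["/admin/**"], ["/db/**"], ["/**", "/home"]]
```

Running find_misordered(NONCOMPLIANT) reports "/admin/login" shadowed by "/admin/**" and "/db/**" shadowed by "/**", the two issues the rule raises; the compliant ordering yields no findings.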
      

              People

              • Reporter:
                Alexandre Gigleux (alexandre.gigleux)