[SONARJAVA-3374] Rule S5804 allowing user enumeration is security-sensitive - SonarSource

Details

Type: New Feature
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 6.9
Component/s: Rules
Labels:
None

Description

This rule should raise when:

the argument of loadUserByUsername(String username) is used in the message of any kind of exceptions, see CustomAuthenticationProvider.java file on security-expected-issues for a sensitive example.
setHideUserNotFoundExceptions(boolean) is set to false, setHideUserNotFoundExceptions method exists for these types:
- https://docs.spring.io/spring-security/site/docs/4.0.x/apidocs/org/springframework/security/authentication/dao/AbstractUserDetailsAuthenticationProvider.html#setHideUserNotFoundExceptions-boolean-
  and all inherited types:
- https://docs.spring.io/spring-security/site/docs/4.0.x/apidocs/org/springframework/security/authentication/dao/DaoAuthenticationProvider.html
- https://docs.spring.io/spring-security/site/docs/4.0.x/apidocs/org/springframework/security/ldap/authentication/LdapAuthenticationProvider.html
  See WebSecurityConfig.java on security-expected-issues for an example of sensitive ccode

Attachments

Issue Links

contributes to

MMF-2044 Java analyzer detects broken authentication and access control

Closed

implements

RSPEC-5804 Allowing user enumeration is security-sensitive

Active

Activity

People

Assignee:

Margarita Nedzelska

Reporter:

Eric Therond

Votes:

0 Vote for this issue

Watchers:

3 Start watching this issue

Dates

Due:

01/Oct/20

Created:

04/May/20 10:40 AM

Updated:

02/Oct/20 2:27 PM

Resolved:

02/Oct/20 2:21 PM