[SONARJAVA-3396] Rule S5808 Authorizations should be based on strong decisions - SonarSource

Details

Type: New Feature
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 6.9
Component/s: Rules
Labels:
None

Description

Implements: https://jira.sonarsource.com/browse/RSPEC-5809

Should raise when:

a Vote method implementation of the AccessDecisionVoter interface doesn't return ACCESS_DENIED

a hasPermission method implementation of the PermissionEvaluator interface doesn't return false

Exceptions:

To avoid FPs, should not raise when there is only one "complex"(not primitive) return:

@Override
    public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) { // Compliant
        return complexFunction(targetDomainObject, permission); 
    }

@Override
    public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) { // Noncompliant
       return true;
    }

@Override
    public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) { // Compliant
        if(targetDomainObject == "toto") {
            return complexFunction(targetDomainObject, permission); 
        }

       return true; // Also compliant if return false
    }

Attachments

Issue Links

contributes to

MMF-2044 Java analyzer detects broken authentication and access control

Closed

implements

RSPEC-5808 Authorizations should be based on strong decisions

Active

Activity

People

Assignee:

Quentin Jaquier

Reporter:

Eric Therond

Votes:

0 Vote for this issue

Watchers:

2 Start watching this issue

Dates

Due:

02/Oct/20

Created:

14/May/20 12:10 PM

Updated:

30/Sep/20 10:16 AM

Resolved:

30/Sep/20 10:16 AM