
Getting Sonar Critical defect on HTTP Security Configuration authorizeRequests()


I have a Spring Boot application, and I am getting the following Sonar Critical defect on my configuration function at the line calling authorizeRequests(). How should I fix it? Thanks.

Make sure that Permissions are controlled safely here. Controlling permissions is security-sensitive. It has led in the past to the following vulnerabilities:

 CVE-2018-12999
 CVE-2018-10285
 CVE-2017-7455

My Configuration class:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class MyConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()  // Sonar complains about this line
            .antMatchers("/v1/").permitAll()
            .antMatchers("/**").authenticated()
            .and().httpBasic()
            .and().cors();
    }
}

Solution

  • I just looked up the error description in sonar, and below is the description of error as per sonar.

    Controlling permissions is security-sensitive. It has led in the past to the following vulnerabilities:

    • CVE-2018-12999
    • CVE-2018-10285
    • CVE-2017-7455

    Attackers can only damage what they have access to. Thus limiting their access is a good way to prevent them from wreaking havoc, but it has to be done properly.

    This rule flags code that controls the access to resources and actions. The goal is to guide security code reviews.

    Below is the code which is causing the Sonar issue:

    .authorizeRequests()  // Sonar complains about this line
    .antMatchers("/v1/").permitAll()
    .antMatchers("/**").authenticated()

    As I mentioned in the comments on your question, don't blindly authorize the requests; access should be restrictive, something like below:

    http.authorizeRequests()
        .antMatchers("/", "/home").access("hasRole('USER')")
        .antMatchers("/admin/**").hasRole("ADMIN")
        .and()
        // some more method calls

    If this is your test/non-production code, just add //NOSONAR on the line it's complaining about; Sonar will bypass it. But don't use //NOSONAR in the production environment.
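As an added illustration (not code from the question or the answer), here is the asker's configuration class rewritten with the ordered, restrictive rules the answer recommends, so the hotspot can be closed by review rather than by //NOSONAR. The /v1/public and /v1/admin paths and the USER and ADMIN roles are assumptions.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class MyConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Matchers are evaluated in declaration order and the first match wins,
                // so list the most specific paths first; a broad "/**" rule placed
                // earlier would shadow everything declared after it.
                //
                // Note: the original "/v1/" pattern matches only that exact path;
                // "/v1/**" is needed to cover sub-paths.
                .antMatchers("/v1/public/**").permitAll()          // assumed: unauthenticated endpoints
                .antMatchers("/v1/admin/**").hasRole("ADMIN")     // assumed: admin-only endpoints
                .antMatchers("/v1/**").hasAnyRole("USER", "ADMIN") // assumed: everything else under /v1 needs a role
                // Default deny: any path not listed above is rejected (403) instead of
                // being left to a catch-all authenticated() rule.
                .anyRequest().denyAll()
            .and()
            .httpBasic()
            .and()
            .cors();
    }
}
```

With this layout each permitAll() line is an explicit, reviewable exception, which is what the Sonar hotspot asks a reviewer to confirm.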