Tags: java, spring, spring-security, oauth-2.0, sonarqube

SonarQube warning in AuthorizationService on getAuthority()


I have a Spring Boot application, and I'm getting the following SonarQube warning on my method at the line calling getAuthority(). How should I fix it?

Controlling permissions is security-sensitive. It has led in the past to the following vulnerabilities:

import java.util.Arrays;
import java.util.List;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

@Service
public class AuthorizationService implements UserDetailsService {

  @Autowired
  private MRepository mRepository;

  @Override
  public UserDetails loadUserByUsername(String userId) {
    MEntity user = mRepository.findByName(userId);
    if (user == null) {
      throw new UsernameNotFoundException("Invalid username or password.");
    }
    return new User(user.getName(), user.getPassword(), getAuthority());
  }

  // Every user that is loaded receives ROLE_ADMIN, independent of what is stored for them.
  private List<SimpleGrantedAuthority> getAuthority() { //here i get the warning
    return Arrays.asList(new SimpleGrantedAuthority("ROLE_ADMIN"));
  }
}

Solution

  • Newer versions of SonarQube not only give you code smells, issues and bug warnings but also Security Hotspots. These are not problems with your code per se.

    As the warning later on says:

    This rule flags code that controls the access to resources and actions. The goal is to guide security code reviews.

    It just means you should take a close look because Sonar has identified a line in your code where authorities are being granted. This helps reviewers to spot security-related code snippets.

    SonarQube, however, cannot say whether this code is secure or not. You need to ensure this yourself. It just tells you where to look twice. If this code looks fine to you, you can mark this SonarQube issue as "Resolve as Reviewed".

    See also the official SonarQube documentation: https://docs.sonarqube.org/latest/user-guide/security-hotspots/
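As an added example (not the asker's code, not the answerer's, and not something SonarQube prescribes), this is the shape a reviewer would typically expect to see at the flagged line: the granted authorities are derived from the roles stored for the user rather than ROLE_ADMIN being handed to every caller, and a user with no stored roles ends up with no authorities at all. `MRepository`, `MEntity`, `findByName()`, `getName()` and `getPassword()` are taken from the question; `MEntity.getRoles()` is a hypothetical accessor assumed for this example.

```java
// Added example, not the code from the question or the answer.
// Assumes MEntity exposes a hypothetical getRoles() returning the role names
// persisted for that user (e.g. "ADMIN", "USER").
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

@Service
public class AuthorizationService implements UserDetailsService {

  private final MRepository mRepository;

  // Constructor injection instead of field injection keeps the dependency explicit.
  public AuthorizationService(MRepository mRepository) {
    this.mRepository = mRepository;
  }

  @Override
  public UserDetails loadUserByUsername(String userId) {
    MEntity user = mRepository.findByName(userId);
    if (user == null) {
      throw new UsernameNotFoundException("Invalid username or password.");
    }
    return User.withUsername(user.getName())
        .password(user.getPassword())
        .authorities(getAuthorities(user))
        .build();
  }

  // This is the line a Security Hotspot review should focus on: which
  // authorities are granted, and based on what. They come from the persisted
  // roles of this specific user; nothing is granted implicitly.
  static List<GrantedAuthority> getAuthorities(MEntity user) {
    Set<String> roles = user.getRoles(); // hypothetical accessor, see lead-in
    if (roles == null || roles.isEmpty()) {
      // Fail-safe default: an account without roles gets no authorities.
      return List.of();
    }
    return roles.stream()
        // Spring Security's hasRole("ADMIN") checks for the authority "ROLE_ADMIN",
        // so normalise stored role names to that prefix exactly once.
        .map(role -> role.startsWith("ROLE_") ? role : "ROLE_" + role)
        .map(SimpleGrantedAuthority::new)
        .collect(Collectors.toUnmodifiableList());
  }
}
```

When marking the hotspot "Resolve as Reviewed", the review note can then state what was verified: that the authority source is the user's own stored roles, that the no-roles case yields no access, and that no role literal is granted unconditionally.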