在 HTTP 安全配置 authorizeRequests() 上获取 Sonar 严重缺陷
Getting Sonar Critical defect on HTTP Security Configuration authorizeRequests()
我有一个 spring 启动应用程序,我在调用 authorizeRequests() 的行中的配置函数中遇到以下 Sonar 严重缺陷。我该如何解决?谢谢
Make sure that Permissions are controlled safely here. Controlling permissions is security-sensitive.
It has led in the past to the following vulnerabilities:
CVE-2018-12999
CVE-2018-10285
CVE-2017-7455
我的配置class:
@Configuration
@EnableWebSecurity
public class MyConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests() // Sonar complain this line here
.antMatchers("/v1/").permitAll()
.antMatchers("/**").authenticated()
.and().httpBasic()
.and().cors();
}
}
刚查了一下sonar的错误描述,下面是按照sonar的错误描述。
Controlling permissions is security-sensitive. It has led in the past
to the following vulnerabilities:
- CVE-2018-12999
- CVE-2018-10285
- CVE-2017-7455
Attackers can only damage what they have access to. Thus limiting their access is a good way to prevent them from wreaking havoc, but it has to be done properly.
This rule flags code that controls the access to resources and
actions. The goal is to guide security code reviews.
下面是导致声纳问题的代码
.authorizeRequests() // Sonar complain this line here
.antMatchers("/v1/").permitAll()
.antMatchers("/**").authenticated()
正如我在你的问题的评论中提到的,不要盲目授权请求,访问应该像下面这样受到限制
http.authorizeRequests()
.antMatchers("/", "/home").access("hasRole('USER')")
.antMatchers("/admin/**").hasRole("ADMIN")
.and()
// some more method calls
如果这是您的 test/non-production 代码,只需在抱怨问题的行中添加 //NOSONAR,声纳将绕过它,但**不要在生产环境中使用 //NOSONAR。
我有一个 spring 启动应用程序,我在调用 authorizeRequests() 的行中的配置函数中遇到以下 Sonar 严重缺陷。我该如何解决?谢谢
Make sure that Permissions are controlled safely here. Controlling permissions is security-sensitive.
It has led in the past to the following vulnerabilities:
CVE-2018-12999
CVE-2018-10285
CVE-2017-7455
我的配置class:
@Configuration
@EnableWebSecurity
public class MyConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests() // Sonar complain this line here
.antMatchers("/v1/").permitAll()
.antMatchers("/**").authenticated()
.and().httpBasic()
.and().cors();
}
}
刚查了一下sonar的错误描述,下面是按照sonar的错误描述。
Controlling permissions is security-sensitive. It has led in the past to the following vulnerabilities:
- CVE-2018-12999
- CVE-2018-10285
- CVE-2017-7455
Attackers can only damage what they have access to. Thus limiting their access is a good way to prevent them from wreaking havoc, but it has to be done properly.
This rule flags code that controls the access to resources and actions. The goal is to guide security code reviews.
下面是导致声纳问题的代码
.authorizeRequests() // Sonar complain this line here
.antMatchers("/v1/").permitAll()
.antMatchers("/**").authenticated()
正如我在你的问题的评论中提到的,不要盲目授权请求,访问应该像下面这样受到限制
http.authorizeRequests()
.antMatchers("/", "/home").access("hasRole('USER')")
.antMatchers("/admin/**").hasRole("ADMIN")
.and()
// some more method calls
如果这是您的 test/non-production 代码,只需在抱怨问题的行中添加 //NOSONAR,声纳将绕过它,但**不要在生产环境中使用 //NOSONAR。