PreAuthorized security hotspots

Hello,

I have scanned my application and I have some security hotspots about PreAuthorize annotation use.
The Secured annotation creates security hotspots too.
I don't need more permission control in my application than the PreAuthorize annotation.

So, do you have an idea how to erase these security hotspots?
Piece of code:

@PostMapping
@ApiOperation(value = "Get all the auditTrails", authorizations = { @Authorization(value = "auth-token") })
@PreAuthorize("hasPermission(null, 'All') OR hasPermission(null, 'IngesterActivityReadWrite')")
@AuditAction(action = ServiceProviderConstants.Audit.Action.GET_ALL, resource = "AuditTrails")

Thank you

Hi @lnoel,

Looks like you’re talking about rule java:S4834.

I’d suggest you study the rule documentation to be sure you truly don’t need it in your application. If you think it might be valuable to review other cases this rule covers, consider using the ability to ignore issues in certain files or blocks to kill the noise. If you truly don’t need the review suggested by this hotspot at all, then you can deactivate the rule in a custom Quality Profile.

Thank you for your answer.

If I understand correctly, there is no other option than deactivating the rule?
I need the security hotspots scan, but I don't find how to fix the different issues with the PreAuthorize annotation.

Do you have a solution to fix it?

Thank you

Hi again,

I think I misunderstood your initial question. I thought you were asking how to not have the security hotspots reported at all for such code.

To be clear, are you asking how you can go about fixing them in the example code you supplied?

Hello!
Sorry, maybe my English is not so good :smiley: .
You're right!
I want to fix them!

Is there a problem with this use of @PreAuthorize? I cannot tell because I do not know the context of the code. If you don’t need to actually make a code change to fix a security risk here, you may mark the security hotspot as safe using the Security Hotspots tab in your project by clicking the large Status: To Review button and changing the value of the status to Safe.

If you think the use of the annotation here is risky, you’ll have to decide which change to make in the code yourself.


I know that, but is @PreAuthorize not secure enough?
Why is @PreAuthorize a security hotspot?
It is a security annotation from Spring, but in Sonar it is a security hotspot…

Maybe it is normal to have a security hotspot on @PreAuthorize?

Finally, I just want an idea how to fix that security hotspot!

Thank you

Hello @lnoel

The security hotspot java:S4834 is "a generic rule" which raises on all methods used to control authorizations in a web application; the idea is to encourage you to check whether the permissions set up are good or not.

So you are right, there is nothing wrong with using the @PreAuthorize annotation by itself; it's just a way to incite you to do a review. At the same time, we recently worked on more precise rules for Java related to access control, so maybe S4834 can be deprecated in favor of these new rules. We will let you know.

Eric

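What "doing the review" that java:S4834 asks for looks like in practice, as an added example that is not code from this thread, from SonarSource or from Spring: the annotation in the original post is only the last link in a chain, and the hotspot is resolved by checking the pieces that chain depends on. The class names (AuditPermissionEvaluator, MethodSecurityConfig, AuditTrailController), the PERM_ authority prefix, the endpoint path and the permission-to-authority mapping below are assumptions for illustration; the original application's evaluator and configuration are not visible in the thread.

```java
// Added example, not the original project's code. Shows the three places a
// reviewer of @PreAuthorize("hasPermission(null, 'All') OR hasPermission(null, 'IngesterActivityReadWrite')")
// has to look at. All class names, authority names and paths are assumptions.
import java.io.Serializable;
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;

// 1. hasPermission(target, permission) in the SpEL expression delegates to this bean.
//    Review point: deny by default; every permission string used in an annotation
//    must be mapped, and an unmapped string must never evaluate to true.
@Component
public class AuditPermissionEvaluator implements PermissionEvaluator {

    // Assumed mapping: permission name in @PreAuthorize -> authority that grants it
    private static final Map<String, String> PERMISSION_TO_AUTHORITY = Map.of(
            "All", "PERM_All",
            "IngesterActivityReadWrite", "PERM_IngesterActivityReadWrite");

    @Override
    public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
        if (authentication == null || !authentication.isAuthenticated() || permission == null) {
            return false; // anonymous caller or malformed expression: deny
        }
        String required = PERMISSION_TO_AUTHORITY.get(permission.toString());
        if (required == null) {
            return false; // unknown permission string: deny rather than allow
        }
        // Grant only if the authenticated principal actually carries the authority
        return authentication.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .anyMatch(required::equals);
    }

    @Override
    public boolean hasPermission(Authentication authentication, Serializable targetId,
                                 String targetType, Object permission) {
        // The application only uses the (target, permission) form; keep this one closed
        return false;
    }
}

// 2. Method security has to be enabled, otherwise @PreAuthorize is never evaluated
//    and the endpoint is open. Review point: this annotation is present exactly once.
@Configuration
@EnableMethodSecurity // Spring Security 5.6+; @PreAuthorize support is on by default
class MethodSecurityConfig {

    // Wires the custom evaluator into the handler that evaluates @PreAuthorize expressions
    @Bean
    static MethodSecurityExpressionHandler methodSecurityExpressionHandler(PermissionEvaluator evaluator) {
        DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
        handler.setPermissionEvaluator(evaluator);
        return handler;
    }
}

// 3. The annotated endpoint from the thread, reduced to its security-relevant part.
//    Review points: the OR of the two permissions is the intended audience for
//    reading audit trails, and the method is public and reached through the Spring
//    proxy (a call from another method of the same bean bypasses the check).
@RestController
class AuditTrailController {

    @PostMapping("/audit-trails") // path is an assumption
    @PreAuthorize("hasPermission(null, 'All') OR hasPermission(null, 'IngesterActivityReadWrite')")
    public String getAllAuditTrails() {
        return "audit trails"; // placeholder body
    }
}
```

Once those three points have been checked, the hotspot on the annotation can be marked as Safe in the Security Hotspots tab, as described earlier in the thread; the annotation itself needs no change, because the review is about what it delegates to, not about the annotation.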

Hello,

Okay. These security hotspots are just warnings.

Thank you both for your help.

