我有一个 Spring Boot 应用程序,在调用 AuthorizeRequests() 的行中,我的配置函数出现以下 Sonar 严重缺陷。我应该如何修复它?谢谢。
Make sure that Permissions are controlled safely here. Controlling permissions is security-sensitive.
It has led in the past to the following vulnerabilities:
CVE-2018-12999
CVE-2018-10285
CVE-2017-7455
我的配置类:
@Configuration
@EnableWebSecurity
public class MyConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests() // Sonar complain this line here
.antMatchers("/v1/").permitAll()
.antMatchers("/**").authenticated()
.and().httpBasic()
.and().cors();
}
}
最佳答案
我刚刚在 Sonar 中查找了错误描述,下面是 Sonar 中的错误描述。
Controlling permissions is security-sensitive. It has led in the past to the following vulnerabilities:
- CVE-2018-12999
- CVE-2018-10285
- CVE-2017-7455
Attackers can only damage what they have access to. Thus limiting their access is a good way to prevent them from wreaking havoc, but it has to be done properly.
This rule flags code that controls the access to resources and actions. The goal is to guide security code reviews.
下面是导致 Sonar 问题的代码
.authorizeRequests() // Sonar complain this line here
.antMatchers("/v1/").permitAll()
.antMatchers("/**").authenticated()
正如我在您的问题的评论中提到的,不要盲目授权请求,访问应该受到限制,如下所示
http.authorizeRequests()
.antMatchers("/", "/home").access("hasRole('USER')")
.antMatchers("/admin/**").hasRole("ADMIN")
.and()
// some more method calls
如果这是您的测试/非生产代码,只需在提示问题的行添加//NOSONAR, Sonar 将绕过它,但**不要在生产环境中使用//NOSONAR。
关于java - HTTP 安全配置authorizeRequests() 出现 Sonar 严重缺陷,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/58529328/