An application's access control must be implemented correctly so that access to resources is restricted to authorized entities; otherwise it can lead to vulnerabilities.
Granting the correct permissions to users, applications, groups or roles, and defining the permissions required to access a resource, is sensitive and must therefore be done with care. For instance, it is obvious that only users with administrator privileges should be authorized to add or remove the administrator permission of another user.
Ask Yourself Whether
- The permissions granted to an entity (user, application) allow access to information or functionality that this entity does not need.
- Privileges are easily acquired (e.g. based on the user's location or the type of device used, defined by third parties, not requiring approval …).
- An inherited permission, a default permission, or no privileges at all (e.g. an anonymous user) is enough to access a protected resource.
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
At minimum, an access control system should:
- Use a well-defined access control model such as RBAC or ACL.
- Review entities' permissions regularly to remove permissions that are no longer needed.
- Respect the principle of least privilege ("an entity has access only to the information and resources that are necessary for its legitimate purpose").
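As an added illustration (not code from this rule page or from CakePHP), the following framework-free PHP shows what a deny-by-default RBAC decision looks like when it follows the practices above: every role lists only the actions it needs, unknown roles and anonymous users get nothing, and granting or revoking the administrator permission is reserved to administrators. The role names, action names and user array layout are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Hypothetical policy: each role maps to the explicit set of actions it may
// perform. Only 'admin' carries the actions that change another user's admin
// status, which is the example given in the rule description.
final class AccessPolicy
{
    private const ROLE_PERMISSIONS = [
        'admin'  => ['user:view', 'user:edit', 'admin:grant', 'admin:revoke'],
        'editor' => ['user:view', 'user:edit'],
        'viewer' => ['user:view'],
    ];

    /**
     * Decide whether $user may perform $action.
     * $user is null for an anonymous request, otherwise ['id' => int, 'roles' => string[]].
     */
    public static function isAllowed(?array $user, string $action): bool
    {
        // No privileges at all (anonymous) must never reach a protected action.
        if ($user === null) {
            return false;
        }
        foreach ($user['roles'] ?? [] as $role) {
            // A role that is not in the model grants nothing (no implicit defaults).
            $granted = self::ROLE_PERMISSIONS[$role] ?? [];
            if (in_array($action, $granted, true)) {
                return true;
            }
        }
        return false; // deny by default
    }
}

// Constructed sample checks (not real users).
$admin  = ['id' => 1, 'roles' => ['admin']];
$editor = ['id' => 2, 'roles' => ['editor']];
$guest  = ['id' => 3, 'roles' => ['guest']]; // role unknown to the policy

var_dump(AccessPolicy::isAllowed($admin, 'admin:grant'));   // bool(true)
var_dump(AccessPolicy::isAllowed($editor, 'admin:grant'));  // bool(false)
var_dump(AccessPolicy::isAllowed($editor, 'user:edit'));    // bool(true)
var_dump(AccessPolicy::isAllowed($guest, 'user:view'));     // bool(false)
var_dump(AccessPolicy::isAllowed(null, 'user:view'));       // bool(false)
```

The point is that the decision is a lookup against an explicit model rather than a blanket true/false in an isAuthorized method, so a permission review can be done by reading the table.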
Sensitive Code Example
CakePHP
use Cake\Auth\BaseAuthorize;
use Cake\Controller\Controller;

abstract class MyAuthorize extends BaseAuthorize { // Sensitive. Class extending Cake\Auth\BaseAuthorize.
    // ...
}

// Note that "isAuthorized" methods will only be detected in direct subclasses of Cake\Controller\Controller.
abstract class MyController extends Controller {
    public function isAuthorized($user) { // Sensitive. Method called isAuthorized in a Cake\Controller\Controller.
        return false;
    }
}
Deprecated
This rule is deprecated, and will eventually be removed.