SONARJAVA-4880 S5804: Support detection of User Enumeration for Spring (#4753)

leonardo-pilastri-sonarsource · web-flow · commit b49599b16ee8 · 2024-04-03T16:36:57.000+02:00
diff --git a/its/autoscan/src/test/resources/autoscan/diffs/diff_S5804.json b/its/autoscan/src/test/resources/autoscan/diffs/diff_S5804.json
@@ -1,6 +1,6 @@
 {
   "ruleKey": "S5804",
   "hasTruePositives": false,
-  "falseNegatives": 9,
+  "falseNegatives": 11,
   "falsePositives": 0
-}
+}
diff --git a/java-checks-test-sources/default/pom.xml b/java-checks-test-sources/default/pom.xml
@@ -206,6 +206,11 @@
       <type>jar</type>
       <scope>provided</scope>
     </dependency>
+    <dependency>
+      <groupId>org.springframework.security</groupId>
+      <artifactId>spring-security-ldap</artifactId>
+      <version>6.2.3</version>
+    </dependency>
     <dependency>
       <groupId>org.springframework</groupId>
       <artifactId>spring-aop</artifactId>
diff --git a/java-checks-test-sources/default/src/main/java/checks/security/UserEnumerationCheck.java b/java-checks-test-sources/default/src/main/java/checks/security/UserEnumerationCheck.java
@@ -12,6 +12,7 @@
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.ldap.authentication.LdapAuthenticationProvider;
 
 public class UserEnumerationCheck {
 
@@ -93,6 +94,13 @@ public void config() {
     throw new UsernameNotFoundException("userName not found"); // Noncompliant
   }
 
+  void ldap(LdapAuthenticationProvider ldapAuthenticationProvider) {
+    ldapAuthenticationProvider.setHideUserNotFoundExceptions(false); // Noncompliant
+    ldapAuthenticationProvider.setHideUserNotFoundExceptions(MY_CONSTANT); // Noncompliant
+    boolean variableFalse = false;
+    ldapAuthenticationProvider.setHideUserNotFoundExceptions(variableFalse); // Compliant, not a constant
+  }
+
   public void compliantConfig() {
     boolean b = false;
 
diff --git a/java-checks/src/main/java/org/sonar/java/checks/security/UserEnumerationCheck.java b/java-checks/src/main/java/org/sonar/java/checks/security/UserEnumerationCheck.java
@@ -41,6 +41,7 @@ public class UserEnumerationCheck extends IssuableSubscriptionVisitor {
 
   private static final String MESSAGE = "Make sure allowing user enumeration is safe here.";
   private static final String ABSTRACT_USER_DETAILS_AUTHENTICATION_PROVIDER = "org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider";
+  private static final String SPRING_SEC_LDAP_AUTHENTICATION_PROVIDER = "org.springframework.security.ldap.authentication.LdapAuthenticationProvider";
   private static final String USER_DETAILS_SERVICE = "org.springframework.security.core.userdetails.UserDetailsService";
   private static final String USERNAME_NOT_FOUND_EXCEPTION = "org.springframework.security.core.userdetails.UsernameNotFoundException";
   private static final String HIDE_USER_NOT_FOUND_EXCEPTIONS = "setHideUserNotFoundExceptions";
@@ -52,7 +53,7 @@ public class UserEnumerationCheck extends IssuableSubscriptionVisitor {
   private final Deque<MethodTree> stack = new ArrayDeque<>();
 
   private static final MethodMatchers SET_HIDE_USER_MATCHER = MethodMatchers.create()
-    .ofSubTypes(ABSTRACT_USER_DETAILS_AUTHENTICATION_PROVIDER)
+    .ofSubTypes(ABSTRACT_USER_DETAILS_AUTHENTICATION_PROVIDER, SPRING_SEC_LDAP_AUTHENTICATION_PROVIDER)
     .names(HIDE_USER_NOT_FOUND_EXCEPTIONS)
     .addParametersMatcher(BOOLEAN)
     .build();

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"ruleKey": "S5804",`
`3`	`3`	`"hasTruePositives": false,`
`4`		`- "falseNegatives": 9,`
	`4`	`+ "falseNegatives": 11,`
`5`	`5`	`"falsePositives": 0`
`6`		`-}`
	`6`	`+}`