
We are currently working on a web application with a persistence layer implemented using Spring Data JPA, and it is working out really well for us. However, while scanning our code using Checkmarx, it complains of an "Improper Resource Access Authorization" error for every input parameter in the code snippet below. Not sure how to resolve it. Based on my understanding we tried the following approaches, but they didn't help either:

  • Whitelist the input parameters using @Valid and @Pattern annotations
  • Secure the method using Spring Security's @Secured("ROLE_TEST") annotation.

    import java.time.LocalDate;
    import java.util.List;
    import javax.persistence.PersistenceException;
    import org.springframework.data.jpa.repository.JpaRepository;
    import org.springframework.data.jpa.repository.Query;
    import org.springframework.stereotype.Repository;

    @Repository
    public interface EmployeeAddressRepository extends JpaRepository<EmployeeAddress, Integer> {
      // ?1 is employeeId; the "(endDate)" condition (and its use of the ?2 date) is elided in the original
      @Query("select empAdd from EmployeeAddress empAdd where empAdd.Employee.employeeId=?1 and (endDate) ORDER BY empAdd.lastUpdateTimeStamp DESC")
      List<EmployeeAddress> findEmployeeAddressByEmployeeId(String employeeId, LocalDate date) throws PersistenceException;
    }

Looking forward to any pointers here to move forward in the right direction.

Gautam

2 Answers


In the comments for one of the other answers someone provided the answer. Essentially, Checkmarx is unable to determine whether you are checking that the user/service has permission to execute this command.

A secure implementation would look like:

    // Explicit authorization check guarding the data access
    if (userCanPerformAction(employeeId)) {
        repository.findEmployeeAddressByEmployeeId(employeeId, date);
    }

It's not smart enough to know whether your code prior to the call to the repository has actually performed the checks needed. So, what you have to do is verify that you are doing the correct validation checks before executing findEmployeeAddressByEmployeeId. If you are, then you would follow your organization's process for marking something as a false positive.

Cory
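As an added illustration of the pattern Cory describes (example code written for this page, not code from the original post or from any project it mentions), the service class below puts an explicit if-check between the untrusted employeeId and the repository call, which is the shape of check the answer and Amit's later comment say the scanner is looking for. It also covers a point the question's @Secured("ROLE_TEST") attempt does not: a role check establishes who the caller is, not that the caller may read this particular employee's data, so the check binds the requested employeeId to the authenticated principal (own record, or an HR admin role). The EmployeeAddressService class, the canReadEmployee helper, the ROLE_HR_ADMIN authority and the assumption that the principal's name is the employee id are all assumptions made for this example.

```java
package com.example.hr; // hypothetical package, not from the original post

import java.time.LocalDate;
import java.util.List;
import java.util.Objects;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

@Service
public class EmployeeAddressService {

    private final EmployeeAddressRepository repository;

    public EmployeeAddressService(EmployeeAddressRepository repository) {
        this.repository = repository;
    }

    /**
     * Reads the address history of one employee. The explicit if-check in front of the
     * repository call is the authorization decision that the scanner wants to see on the
     * path from the untrusted employeeId to the data access. Deny by default.
     */
    @Transactional(readOnly = true)
    public List<EmployeeAddress> addressesFor(String employeeId, LocalDate asOf) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (!canReadEmployee(auth, employeeId)) {
            // Same message whether or not the employeeId exists, so the check does not
            // double as an enumeration oracle.
            throw new AccessDeniedException("not permitted to read employee address data");
        }
        return repository.findEmployeeAddressByEmployeeId(employeeId, asOf);
    }

    /**
     * Object-level authorization (assumed model for this example): the caller may read
     * their own record, identified by the principal name being the employee id, or any
     * record if they hold ROLE_HR_ADMIN. A bare role check alone would not tie the
     * requested employeeId to the caller, which is the gap @Secured on the repository leaves.
     */
    static boolean canReadEmployee(Authentication auth, String employeeId) {
        if (auth == null || !auth.isAuthenticated() || employeeId == null) {
            return false;
        }
        boolean isHrAdmin = auth.getAuthorities().stream()
                .anyMatch(a -> "ROLE_HR_ADMIN".equals(a.getAuthority()));
        return isHrAdmin || Objects.equals(auth.getName(), employeeId);
    }
}
```

If an equivalent check already exists further upstream (in a controller, or as a method-security expression), the scanner may still not see it on the data-flow path; in that case follow the false-positive process the answer describes, but first confirm that the upstream check actually compares employeeId to the caller rather than only gating on a role.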

Perhaps Checkmarx doesn't support the ordinal parameter notation; try rewriting the query like so:

    @Query("select empAdd from EmployeeAddress empAdd where empAdd.Employee.employeeId = :empId and (endDate) ORDER BY empAdd.lastUpdateTimeStamp DESC")
    List<EmployeeAddress> findEmployeeAddressByEmployeeId(@Param("empId") String employeeIdParameter, LocalDate date);

where employeeIdParameter is the input parameter.

Hope this helps, Amit

SHR
  • I need to see the attack vector to understand more. If you like we can have a short webex meeting and I can try to assist you. You can write to me here: amit.finegold@gmail.com – Amit Finegold Jan 20 '20 at 08:40
  • we would then post the resolution here for everyone to see. – Amit Finegold Jan 20 '20 at 08:40
  • Thanks for offering help. I have shared required information over email. – Gautam Jan 21 '20 at 09:14
  • I am facing the same issue. Do you guys have a solution for this? – codersingh Apr 20 '20 at 15:21
  • @Amit Finegold, can you please share your inputs on this? – Gautam Apr 30 '20 at 16:24
  • Hi @Gautam, when Checkmarx flags code as "Improper Resource Access Authorization" it means that the code is accessing a resource without performing a check of whether the user is authorized. Checkmarx identifies checks as "if" statements. If your system is performing access control before this select is performed, you should show this to your security team and ask them to mark the result as a false positive. Otherwise, you can add an authorization check like this: if( canReadEmpData(user) ){ @Query("select empAdd from.."} and the Checkmarx scan will then remove this warning. Hope this helps :) – Amit Finegold May 03 '20 at 08:43
  • @AmitFinegold - Thanks a lot for your help. – Gautam May 04 '20 at 16:03
  • @AmitFinegold - Welcome to Stack Overflow! Your first answer :) – Gautam May 04 '20 at 16:26