Gautam

Reputation: 3384

Spring Data JPA Checkmarx vulnerability - Improper Resource Access Authorization for @Query annotation

We are currently working on a web application with a persistence layer implemented using Spring Data JPA, and it's working out really well for us. However, while scanning our code using Checkmarx, it complains with an "Improper Resource Access Authorization" error for all input parameters in the code snippet below. Not sure how to resolve it. Based on my understanding we tried the following approach, but that didn't help either.

Looking forward to any pointer here to move forward in the right direction.

Upvotes: 2

Views: 5858

Answers (2)

Cory

Reputation: 305

In the comments for one of the other answers someone provided the answer. Essentially Checkmarx is unable to determine if you are checking if the user/service has permission to execute this command.

A secure implementation would look like:

// check the caller's authorization for this employee before touching the repository
if (userCanPerformAction(employeeId)) {
    repository.findEmployeeAddressByEmployeeId(employeeId, date);
}

It's not smart enough to know if your code prior to the call to the repository has actually performed the checks needed. So, what you have to do is verify that you are doing the correct validation checks before executing findEmployeeAddressByEmployeeId. If you are, then you would follow your organization's process for marking something as a false positive.

Upvotes: 3

Amit Finegold

Reputation: 24

Perhaps Checkmarx doesn't support ordinal parameter notation; try rewriting the query like so:

// named parameter :empId is bound with @Param on the method argument, not as a second @Query argument;
// the (endDate) condition is left as written in the original post
@Query("select empAdd from EmployeeAddress empAdd where empAdd.Employee.employeeId = :empId and (endDate) ORDER BY empAdd.lastUpdateTimeStamp DESC")
List<EmployeeAddress> findEmployeeAddressByEmployeeId(@Param("empId") Long employeeIdParameter, Date date);

where employeeIdParameter is the input parameter.

Hope this helps, Amit

Upvotes: 0
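Putting the two answers together, here is an added example (not code from the question or from either answer) of what a scanner-friendly layout looks like: a repository whose @Query uses named parameters bound with @Param, and a service method that performs the resource authorization check before the repository is called, next to the unchecked form that triggers the finding. The EmployeeAddress entity, its employee/endDate/lastUpdateTimeStamp fields and the EmployeeAccessPolicy interface are assumptions for illustration; the request-scoped decision about who may read which employee lives behind that interface.

```java
// Added example, not the original poster's or answerers' code.
// EmployeeAddress, its fields and EmployeeAccessPolicy are assumed for illustration.
import java.time.LocalDate;
import java.util.List;

import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.jpa.repository.Query;
import org.springframework.data.repository.query.Param;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.stereotype.Service;

interface EmployeeAddressRepository extends JpaRepository<EmployeeAddress, Long> {

    // Named parameters are bound by @Param. Nothing here decides who may call it:
    // the repository is data access only, so the authorization check must sit above it.
    @Query("select empAdd from EmployeeAddress empAdd "
         + "where empAdd.employee.employeeId = :empId "
         + "and (empAdd.endDate is null or empAdd.endDate >= :asOf) "   // assumed end-date rule
         + "order by empAdd.lastUpdateTimeStamp desc")
    List<EmployeeAddress> findEmployeeAddressByEmployeeId(@Param("empId") Long employeeId,
                                                         @Param("asOf") LocalDate asOf);
}

// Hypothetical policy hook: "may the current principal read this employee's data?"
// Implemented against your user/role model (e.g. self, manager chain, HR role).
interface EmployeeAccessPolicy {
    boolean canRead(Long employeeId);
}

@Service
class EmployeeAddressService {

    private final EmployeeAddressRepository repository;
    private final EmployeeAccessPolicy accessPolicy;

    EmployeeAddressService(EmployeeAddressRepository repository, EmployeeAccessPolicy accessPolicy) {
        this.repository = repository;
        this.accessPolicy = accessPolicy;
    }

    // The pattern Checkmarx flags: a caller-supplied employeeId reaches the query
    // with no check that the caller is entitled to that employee's records.
    List<EmployeeAddress> addressesUnchecked(Long employeeId, LocalDate asOf) {
        return repository.findEmployeeAddressByEmployeeId(employeeId, asOf);
    }

    // Hardened form: authorize the specific resource first and fail closed,
    // so an authenticated user cannot enumerate other employees' addresses.
    List<EmployeeAddress> addresses(Long employeeId, LocalDate asOf) {
        if (!accessPolicy.canRead(employeeId)) {
            throw new AccessDeniedException("not authorized for employee " + employeeId);
        }
        return repository.findEmployeeAddressByEmployeeId(employeeId, asOf);
    }
}
```

The check is keyed on the resource (the employee id), not just on the caller having a role, because the finding is about per-resource authorization. If the project uses Spring Security, the same gate can be expressed declaratively with @PreAuthorize on the service method; either way the call into the repository should be reachable only through the guarded path, which is what to demonstrate when classifying the remaining scanner hit as a false positive.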

Related Questions