Insecure Access Control

Why is this important?

Access Control is one of the most fundamental security requirements. Any problems with managing access control can allow attackers to bypass business logic and access data from other users.

Check out this video for a high-level explanation:

Fixing Insecure Access Control

Option A: Set A Proper ACL

Go through the issues that GuardRails identified in the PR.
Identify patterns like below and ensure that the ACL is not NULL.

  /* This is an example of bad code - the third paramer is NULL, so it creates
  a NULL ACL.  Note that Flawfinder can't detect when a
  SECURITY_DESCRIPTOR structure is manually created with a NULL value
  as the ACL; doing so would require a tool that handles C/C++
  and knows about types more that flawfinder currently does.
  Anyway, this needs to be detected: */
SetSecurityDescriptorDacl(&sd,TRUE,NULL,FALSE);

Test it
Ship it 🚢 and relax 🌴

More information:

Common Weakness Enumeration (CWE-732)
Common Weakness Enumeration (CWE-284)
SetSecurityDescriptorDacl

GuardRails

General

Apex

C/C++

Dotnet

Elixir

Go

Java

Javascript/TypeScript

Kubernetes

PHP

Python

Ruby

Rust

Solidity

Terraform

Insecure Access Control

Why is this important?

Fixing Insecure Access Control

Option A: Set A Proper ACL

More information: