I have a Java method flagged by Fortify as an "Access Control: Database" issue. The flagged method (fetchAllRecords) queries a database using JPA's findAll with paging and sorting, and it does not handle sensitive or user-specific data. However, Fortify reports that it lacks proper access control, making it susceptible to unauthorized database access.
Here’s the method code similar to my implementation:
    @Transactional
    public List<RecordEntity> fetchAllRecords(Specification<RecordEntity> spec, QueryRequest request) {
        validateRequest(request);
        int pageSize = Math.min(request.getPageSize(), 250); // Limit max page size (Fortify recommendation)
        int pageNumber = Math.max(request.getPageNum() - 1, 0); // Request pages are 1-based, PageRequest is 0-based
        // Sort ascending on the property names supplied in the request
        Sort sort = Sort.by(Sort.Direction.ASC, request.getSortingBy().toArray(new String[0]));
        PageRequest pageReq = PageRequest.of(pageNumber, pageSize, sort);
        log.info("Querying records with sorting: {}, page size: {}, page number: {}",
                request.getSortingBy(), pageSize, pageNumber);
        // The caller-supplied Specification is passed to the repository unchanged
        return recordRepository.findAll(spec, pageReq).getContent();
    }

    // Rejects null requests, missing sort properties and out-of-range paging values
    private static void validateRequest(QueryRequest request) {
        if (request == null) {
            throw new InvalidRequestException("Request cannot be null");
        }
        if (request.getSortingBy() == null || request.getSortingBy().isEmpty()) {
            throw new InvalidRequestException("Sorting parameters cannot be null or empty");
        }
        if (request.getPageSize() <= 0 || request.getPageSize() > 250) {
            throw new InvalidRequestException("Invalid page size: " + request.getPageSize());
        }
        if (request.getPageNum() < 0) {
            throw new InvalidRequestException("Page number cannot be negative");
        }
    }
It complains on this line:

    return recordRepository.findAll(spec, pageReq).getContent();

The Fortify issue says: "Without proper access control, the method fetchAllRecords in DefaultRecordPersistentServiceAdapter.java can execute a SQL statement that contains an attacker-controlled primary key, thereby allowing the attacker to access unauthorized records."
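Added example, not part of the original question and not the asker's code: one way to bind the query to the authenticated caller, so that the request-derived Specification can only narrow a server-side authorization predicate. It assumes Spring Security is in use and that RecordEntity has an owner attribute; the names `ScopedRecordReader`, `visibleTo` and `ownerId` are hypothetical, and `RecordEntity` is the entity from the question.

```java
import java.util.List;
import org.springframework.data.domain.PageRequest;
import org.springframework.data.jpa.domain.Specification;
import org.springframework.data.jpa.repository.JpaSpecificationExecutor;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

// Hypothetical wrapper around the question's repository call.
public class ScopedRecordReader {

    private final JpaSpecificationExecutor<RecordEntity> recordRepository;

    public ScopedRecordReader(JpaSpecificationExecutor<RecordEntity> recordRepository) {
        this.recordRepository = recordRepository;
    }

    // Authorization predicate built only from the server-side principal name.
    // "ownerId" is an assumed attribute on RecordEntity.
    static Specification<RecordEntity> visibleTo(String principalName) {
        return (root, query, cb) -> cb.equal(root.get("ownerId"), principalName);
    }

    public List<RecordEntity> fetchAllRecords(Specification<RecordEntity> callerSpec,
                                              PageRequest pageReq) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // Anonymous tokens report isAuthenticated() == true, so reject them explicitly.
        if (auth == null || !auth.isAuthenticated()
                || auth instanceof AnonymousAuthenticationToken) {
            throw new AccessDeniedException("No authenticated caller");
        }

        // Start from the authorization predicate, then AND the caller's filter onto it.
        // A null caller filter leaves only the authorization predicate in place.
        Specification<RecordEntity> scoped = visibleTo(auth.getName());
        if (callerSpec != null) {
            scoped = scoped.and(callerSpec);
        }
        return recordRepository.findAll(scoped, pageReq).getContent();
    }
}
```

Because the ownership predicate is combined with AND, no value in the request-derived Specification can widen the result set beyond rows matching the authenticated principal.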