|
|
| (2 intermediate revisions by 2 users not shown) |
| Line 1: |
Line 1: |
| − | = Introduction =
| + | {{taggedDocument |
| − | This article is focused on providing clear, simple, actionable guidance for getting started reviewing the source code of applications written using the Grails web application framework for potential security flaws, whether architectural or implementation-related. Reviewing Grails application source code can be tricky, for example it is very easy even for an experienced code reviewer to unintentionally skip past (i.e. not review) parts of a Grails application because of certain features of the language and the framework. This is in short because of Groovy programming language-specific and Grails framework-specific language considerations that are explored in this article. This article can be used as a checklist for reviewing Grails application source code for both architectural and implementation-related potential security flaws. Guidance provided can be used to support manual analysis, automated analysis, or combinations thereof, depending on the resources that you might have available.
| + | | type=delete |
| − | | + | | comment=Tagged for deleting, old |
| − | == Groovy Language Basics ==
| + | }} |
| − | TODO
| |
| − | ===“.groovy” Files=== | |
| − | TODO
| |
| − | ===“.gsp” Files===
| |
| − | TODO
| |
| − | == Grails Framework Basics ==
| |
| − | Wikipedia describes the Grails framework as... TODO
| |
| − | ===Grails Programming Languages===
| |
| − | TODO
| |
| − | ===Grails Application Directory Structure===
| |
| − | TODO
| |
| − | == Why Can’t I Just Scan The Byte Code Compiled From The Generated Java Classes? ==
| |
| − | Well, you can. But, even assuming that you can (1)build the code or get the compiled bytecode, and (2)have access to a decent automated static analysis tool, you’re going to find yourself with very noisy results that can’t easily be acted upon by developers. Since, the developers will need findings for generated code translated into findings mapped back to the original Groovy code in order to make fixes that are appropriate to their Grails and Groovy language solution stack (i.e. using a Java language fix or a Java language library such as OWASP’s ESAPI may not be appropriate or actionable for technical or non-technical reasons). Further, you’re going to find that Groovy language-specific considerations, along with Grails library and framework-specific considerations are not being analyzed.
| |
| − | ... TODO... Code Narc not enough...
| |
| − | = Getting Started Reviewing Groovy Language Source Code Files =
| |
| − | TODO
| |
| − | == Reviewing Groovy Language Files (.groovy and .gsp) ==
| |
| − | TODO
| |
| − | ===Groovy Language Considerations===
| |
| − | TODO
| |
| − | ===Groovy Library and Framework Considerations===
| |
| − | TODO
| |
| − | == Reviewing Grails Framework Groovy Language Files ==
| |
| − | TODO
| |
| − | ===Grails Model Considerations===
| |
| − | TODO
| |
| − | ===Grails View Considerations===
| |
| − | TODO
| |
| − | ===Grails Controller Considerations===
| |
| − | TODO
| |
| − | ===Grails Service Considerations===
| |
| − | TODO
| |
| − | == Reviewing Java In Groovy Language Files (.groovy and .gsp) ==
| |
| − | TODO
| |
| − | = Getting Started Reviewing Java Language Source Code Included in Grails Applications =
| |
| − | TODO
| |
| − | == Reviewing Java In Java Language Files (.java and .jsp) ==
| |
| − | ... Review like any other Java app... TODO...
| |
| − | == Reviewing Other Java Language File Types ==
| |
| − | ... Review like any other Java app... TODO...
| |
| − | = Getting Started Reviewing Other Types of Source Code And Functionality Included in Grails Applications =
| |
| − | TODO
| |
| − | == Reviewing Other Types Included For Use by the Grails Framework ==
| |
| − | TODO
| |
| − | == Reviewing Other Types Included For Use by Java Language Source Code ==
| |
| − | TODO
| |
| − | = Code Review Tool Configuration Summary =
| |
| − | TODO
| |
| − | = References and Further Reading =
| |
| − | ...Groovy pages... Grails security pages....etc...TODO
| |
| − | = Authors and Primary Editors =
| |
| − | Mike Boberski - boberski_michael[at]bah.com
| |
| − | = Other Cheat Sheets =
| |
| − | {{Cheatsheet_Navigation}}
| |
| − | [[Category:Cheatsheets]]
| |
