
Grails Secure Code Review Cheat Sheet

From OWASP
Revision as of 19:17, 11 December 2012 by Mtesauro (talk | contribs) (Added some Grails security references to the cheat sheet)


Introduction

This article provides clear, simple, actionable guidance for getting started with reviewing the source code of applications built on the Grails web application framework for potential security flaws, whether architectural or implementation-related. Reviewing Grails application source code can be tricky: it is easy, even for an experienced code reviewer, to unintentionally skip (i.e. not review) parts of a Grails application because of certain features of the language and the framework. In short, this is due to the Groovy programming language-specific and Grails framework-specific considerations explored in this article. The article can be used as a checklist for reviewing Grails application source code for both architectural and implementation-related potential security flaws. The guidance can support manual analysis, automated analysis, or a combination of the two, depending on the resources you have available.

Groovy Language Basics

TODO

“.groovy” Files

TODO

“.gsp” Files

TODO

Grails Framework Basics

Wikipedia describes the Grails framework as... TODO

Grails Programming Languages

TODO

Grails Application Directory Structure

TODO

Why Can’t I Just Scan The Byte Code Compiled From The Generated Java Classes?

Well, you can. But even assuming that you can (1) build the code or obtain the compiled bytecode, and (2) have access to a decent automated static analysis tool, you are going to find yourself with very noisy results that developers cannot easily act upon. Developers will need findings against generated code translated into findings mapped back to the original Groovy code in order to make fixes appropriate to their Grails and Groovy solution stack (i.e. a Java-language fix or a Java library such as OWASP's ESAPI may not be appropriate or actionable, for technical or non-technical reasons). Further, you will find that Groovy language-specific considerations, along with Grails library and framework-specific considerations, are not being analyzed. ... TODO... CodeNarc not enough...
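The paragraph above argues that Groovy-specific behaviour is lost once you look only at compiled classes. As an added illustration (this is not code from the original cheat sheet; ProductSearchController, Product, dataSource wiring and params.name are hypothetical), the following Grails controller shows one such consideration a reviewer reading the Groovy source can check directly: whether a GString built from request input is bound as parameters or flattened into the query text depends entirely on the receiving API.

```groovy
// Added example, not part of the original cheat sheet. Class, domain class and
// parameter names are hypothetical; the data source is assumed to be configured
// in the application's DataSource.groovy.
import grails.converters.JSON
import groovy.sql.Sql

class ProductSearchController {

    def dataSource   // injected by Grails (assumed)

    // Pattern a reviewer must flag: executeQuery takes a String, so the GString
    // "...${params.name}..." is coerced to a plain String first and the request
    // value is concatenated straight into the HQL. In the compiled classes this
    // is just a chain of GString/StringBuilder calls, which a Java-level tool
    // reports as opaque string building rather than as an injectable query.
    def unsafeSearch() {
        def results = Product.executeQuery(
            "from Product p where p.name like '%${params.name}%'")
        render results as JSON
    }

    // Parameterised form: the query text is constant and the request value is
    // passed as a named parameter, so it is bound, never concatenated.
    def safeSearch() {
        def results = Product.executeQuery(
            "from Product p where p.name like :pattern",
            [pattern: "%${params.name}%".toString()])
        render results as JSON
    }

    // The same GString means something different with groovy.sql.Sql: Sql.rows
    // recognises a GString argument and turns each ${} expression into a bound
    // JDBC parameter. Calling toString() on the GString, or using "+"
    // concatenation, defeats that and reintroduces the unsafe pattern.
    def safeRawSql() {
        def sql = new Sql(dataSource)
        def pattern = "%${params.name}%".toString()   // plain value, bound below
        def rows = sql.rows("select id, name from product where name like ${pattern}")
        render rows as JSON
    }
}
```

When reviewing, look at the declared parameter type of the method that receives the string (String vs GString, or a query-plus-parameters overload) rather than at how the expression is written; in Groovy source that is a one-line check, whereas in bytecode all three actions above look like generic string handling.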

Getting Started Reviewing Groovy Language Source Code Files

TODO

Reviewing Groovy Language Files (.groovy and .gsp)

TODO

Groovy Language Considerations

TODO

Groovy Library and Framework Considerations

TODO

Reviewing Grails Framework Groovy Language Files

TODO

Grails Model Considerations

TODO

Grails View Considerations

TODO

Grails Controller Considerations

TODO

Grails Service Considerations

TODO

Reviewing Java In Groovy Language Files (.groovy and .gsp)

TODO

Getting Started Reviewing Java Language Source Code Included in Grails Applications

TODO

Reviewing Java In Java Language Files (.java and .jsp)

... Review like any other Java app... TODO...

Reviewing Other Java Language File Types

... Review like any other Java app... TODO...

Getting Started Reviewing Other Types of Source Code And Functionality Included in Grails Applications

TODO

Reviewing Other Types Included For Use by the Grails Framework

TODO

Reviewing Other Types Included For Use by Java Language Source Code

TODO

Code Review Tool Configuration Summary

TODO

References and Further Reading

Groovy pages

TODO

Grails security pages

Security Updates for Grails

Grails Security Documentation

Grails Dependency Injection Vulnerability and mitigations

Authors and Primary Editors

Mike Boberski - boberski_michael[at]bah.com

Other Cheat Sheets

OWASP Cheat Sheets Project Homepage