Metastatic.Analysis.BusinessLogic.IncorrectAuthorization (Metastatic v0.10.4)


Detects incorrect authorization patterns (CWE-863).

This analyzer identifies weak or flawed authorization logic patterns that could allow unauthorized access even when some authorization exists.

Common Incorrect Authorization Patterns

  1. Authorization after action - Performing the operation before checking permissions
  2. Client-side only authorization - Relying on UI to hide options
  3. Role check without resource check - Checking role but not resource ownership
  4. Negated logic flaws - Using complex negation that can be bypassed
  5. Default allow - Allowing access unless explicitly denied
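
The following is an added example, not code from Metastatic or the page, that puts three of the patterns above (authorization after action, role check without resource check, default allow) side by side with a default-deny version that checks the principal against the specific resource before acting. The `User` and `Document` types, the in-memory store and the policy rules are constructed assumptions for illustration.

```python
"""Incorrect vs. correct resource authorization (CWE-863).

Constructed example: the User/Document types, the store and the policy rules
are assumptions for illustration, not code from Metastatic.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    id: int
    roles: set = field(default_factory=set)


@dataclass
class Document:
    id: int
    owner_id: int


class PermissionDenied(Exception):
    pass


def delete_document_insecure(user, doc, store):
    """Three of the listed mistakes in one function, kept for contrast."""
    # 1. Authorization after action: the record is gone before any check runs.
    store.pop(doc.id, None)
    # 3. Role check without resource check: ownership of `doc` is never consulted.
    # 5. Default allow: everyone who is not explicitly a guest gets through.
    if "guest" in user.roles:
        raise PermissionDenied("guests may not delete")
    return True


ALLOWED_ACTIONS = {"read", "update", "delete"}


def authorize(user, action, doc):
    """Default-deny policy: True only when an explicit allow rule matches."""
    if action not in ALLOWED_ACTIONS:
        return False
    if "admin" in user.roles:
        return True
    if action == "read":
        return "reader" in user.roles or user.id == doc.owner_id
    # update/delete require ownership of this specific resource, not a role.
    return user.id == doc.owner_id


def delete_document_secure(user, doc, store):
    """Check first, against both the principal and the resource, then act."""
    if not authorize(user, "delete", doc):
        raise PermissionDenied(f"user {user.id} may not delete document {doc.id}")
    return store.pop(doc.id, None) is not None


def deletion_outcome(handler, user, doc_id):
    """Run `handler` against a fresh one-document store owned by user 10.

    Returns (denied, record_survived) so the two handlers can be compared.
    """
    store = {doc_id: Document(id=doc_id, owner_id=10)}
    try:
        handler(user, store[doc_id], store)
        denied = False
    except PermissionDenied:
        denied = True
    return denied, doc_id in store


if __name__ == "__main__":
    editor = User(id=20, roles={"editor"})
    guest = User(id=30, roles={"guest"})
    print("insecure, non-owner editor:", deletion_outcome(delete_document_insecure, editor, 1))
    print("insecure, guest:", deletion_outcome(delete_document_insecure, guest, 1))
    print("secure, non-owner editor:", deletion_outcome(delete_document_secure, editor, 1))
    print("secure, owner:", deletion_outcome(delete_document_secure, User(id=10), 1))
```

The point the `deletion_outcome` comparison makes is that the insecure handler's denial is cosmetic: the guest receives a `PermissionDenied`, but the record has already been removed. The secure handler fails closed, so an unknown action or a non-owner leaves the store untouched.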

Cross-Language Applicability

Incorrect authorization is not specific to any language or framework; the patterns above apply wherever access decisions are made in code.

Detection Strategy

Detects patterns where:

  1. An authorization check appears after the sensitive operation it should guard
  2. Authorization uses only a role check, without verifying access to the specific resource
  3. Complex boolean logic (for example, nested negations) that might have flaws
  4. Default-allow patterns are used instead of default-deny
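
As an added illustration of the first and fourth points, here is a small detector built on Python's `ast` module. It is not Metastatic's implementation (which works across languages) but a constructed heuristic: the sets of "authorization" and "sensitive" call names and the `SAMPLE` source it scans are assumptions. It flags a function when a sensitive call sits on an earlier line than its first authorization call, and when the function ends in an unconditional `return True` whose only deny branches test something other than an authorization call.

```python
"""Toy detector for two incorrect-authorization patterns (CWE-863).

Constructed example using Python's ast module. AUTHZ_NAMES, SENSITIVE_NAMES
and SAMPLE are assumptions for illustration, not Metastatic's own rules.
"""
import ast

AUTHZ_NAMES = {"authorize", "can", "check_permission", "has_permission"}
SENSITIVE_NAMES = {"delete", "update", "save", "transfer", "withdraw", "pop"}


def _call_name(node):
    """Return the bare function or method name of a Call node, or None."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def _mentions_authz(node):
    """True if any call under `node` is one of the authorization helpers."""
    return any(isinstance(n, ast.Call) and _call_name(n) in AUTHZ_NAMES
               for n in ast.walk(node))


def find_incorrect_authorization(source):
    """Return (function_name, pattern, lineno) tuples for each finding."""
    findings = []
    for fn in ast.walk(ast.parse(source)):
        if not isinstance(fn, ast.FunctionDef):
            continue

        # Pattern 1: earliest sensitive call precedes earliest authorization call.
        first_authz = first_sensitive = None
        for node in ast.walk(fn):
            if not isinstance(node, ast.Call):
                continue
            name = _call_name(node)
            if name in AUTHZ_NAMES and (first_authz is None or node.lineno < first_authz):
                first_authz = node.lineno
            if name in SENSITIVE_NAMES and (first_sensitive is None or node.lineno < first_sensitive):
                first_sensitive = node.lineno
        if first_authz is not None and first_sensitive is not None and first_sensitive < first_authz:
            findings.append((fn.name, "authorization_after_action", first_sensitive))

        # Pattern 4: function falls through to `return True`, and every deny
        # branch at the top level tests something other than an authz call
        # (a deny-list), so anything not explicitly rejected is allowed.
        last = fn.body[-1]
        ends_with_true = (isinstance(last, ast.Return)
                          and isinstance(last.value, ast.Constant)
                          and last.value.value is True)
        deny_branches = [n for n in fn.body
                         if isinstance(n, ast.If) and any(isinstance(s, ast.Raise) for s in n.body)]
        if ends_with_true and deny_branches and not any(_mentions_authz(b.test) for b in deny_branches):
            findings.append((fn.name, "default_allow", last.lineno))
    return findings


# Constructed sample input: one check-too-late function, one deny-list
# function, and one that checks first against the resource.
SAMPLE = """\
def transfer_funds(user, account, amount):
    account.withdraw(amount)
    if not authorize(user, "transfer", account):
        raise PermissionDenied("not allowed")
    return True

def delete_document_insecure(user, doc, store):
    store.pop(doc.id, None)
    if "guest" in user.roles:
        raise PermissionDenied("guests may not delete")
    return True

def delete_document_secure(user, doc, store):
    if not authorize(user, "delete", doc):
        raise PermissionDenied("not allowed")
    return store.pop(doc.id, None) is not None
"""

if __name__ == "__main__":
    for name, pattern, lineno in find_incorrect_authorization(SAMPLE):
        print(f"{name}: {pattern} at line {lineno}")
```

Run on `SAMPLE`, the detector reports `transfer_funds` for acting before checking and `delete_document_insecure` for its deny-list style, while `delete_document_secure` produces no finding. Note what a line-order heuristic cannot see: a call chain that reaches the sensitive operation through another function, or a check whose result is computed early but ignored; those are the cases where a real cross-language analyzer needs data-flow rather than line positions.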