Metastatic.Analysis.BusinessLogic.MissingAuthorization
(Metastatic v0.10.4)
Detects sensitive operations without authorization checks (CWE-862).
This analyzer identifies code patterns where data modification or access operations are performed without apparent authorization verification.
Cross-Language Applicability
Missing authorization is a universal access control vulnerability:
- Elixir/Phoenix: `def delete(conn, %{"id" => id}), do: Repo.delete!(id)`
- Python/Django: `def delete(request, id): Model.objects.get(id=id).delete()`
- JavaScript/Express: `app.delete('/item/:id', (req, res) => Item.delete(req.params.id))`
- Ruby/Rails: `def destroy; @item.destroy; end`
- Java/Spring: `@DeleteMapping public void delete(@PathVariable id) { repo.deleteById(id); }`
- C#/ASP.NET: `public IActionResult Delete(int id) => _repo.Delete(id);`
- Go: `func DeleteHandler(w http.ResponseWriter, r *http.Request) { db.Delete(id) }`
Problem
When sensitive operations lack authorization checks:
- Any authenticated user can modify any data
- Horizontal privilege escalation is possible
- Data integrity is compromised
- Compliance requirements may be violated
Detection Strategy
Detects patterns where:
- CRUD operations (create, update, delete) are performed
- The function context doesn't show authorization checks
- User-supplied IDs are used directly without ownership verification
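The following is an added illustration of the detection strategy, written for this page and not Metastatic's own analyzer code. It parses Elixir source into its AST with `Code.string_to_quoted!/1`, collects every `def`/`defp`, and flags a function when its body calls a mutating `Repo` function while containing none of a (constructed, assumed) list of authorization-looking identifiers. The marker and call lists, the module name `MissingAuthzDemo`, and the two sample sources are all assumptions for the demo; a real analyzer uses richer signals than identifier names.

```elixir
defmodule MissingAuthzDemo do
  # Assumed (constructed) signal lists; not Metastatic's real configuration.
  @mutating_calls [:delete!, :delete, :update!, :update, :insert!, :insert, :delete_all, :update_all]
  @authz_markers [:current_user, :authorize, :authorize!, :can?, :permit?, :admin?]

  # Constructed sample: the unprotected action from the "Bad" example below.
  @bad ~S"""
  def delete(conn, %{"id" => id}) do
    post = Repo.get!(Post, id)
    Repo.delete!(post)
    json(conn, %{status: "deleted"})
  end
  """

  # Constructed sample: the owner-or-admin check from the "Good" example below.
  @good ~S"""
  def delete(conn, %{"id" => id}) do
    user = conn.assigns.current_user
    post = Repo.get!(Post, id)
    if post.user_id == user.id or user.admin? do
      Repo.delete!(post)
      json(conn, %{status: "deleted"})
    else
      conn |> put_status(403) |> json(%{error: "Forbidden"})
    end
  end
  """

  @doc "Returns `{name, arity}` for every def that mutates data without an authorization marker."
  def scan(source) when is_binary(source) do
    source
    |> Code.string_to_quoted!()
    |> collect_defs()
    |> Enum.filter(fn {_name, _arity, body} -> mutates?(body) and not authorized?(body) end)
    |> Enum.map(fn {name, arity, _body} -> {name, arity} end)
  end

  # Runs the heuristic over both constructed samples.
  def demo, do: %{bad: scan(@bad), good: scan(@good)}

  # Walk the AST and capture each def/defp as {name, arity, body}.
  defp collect_defs(ast) do
    {_ast, defs} =
      Macro.prewalk(ast, [], fn
        {kind, _meta, [head, [do: body]]} = node, acc when kind in [:def, :defp] ->
          {name, arity} = head_name_arity(head)
          {node, [{name, arity, body} | acc]}

        node, acc ->
          {node, acc}
      end)

    Enum.reverse(defs)
  end

  # Heads are `{name, meta, args}` or `{:when, meta, [{name, meta, args}, guard]}`.
  defp head_name_arity({:when, _, [inner | _]}), do: head_name_arity(inner)
  defp head_name_arity({name, _, args}) when is_atom(name), do: {name, length(List.wrap(args))}

  # True when the body contains a remote call such as `Repo.delete!(...)`.
  defp mutates?(body) do
    contains?(body, fn
      {{:., _, [{:__aliases__, _, [:Repo]}, fun]}, _, _} -> fun in @mutating_calls
      _ -> false
    end)
  end

  # True when any authorization-looking identifier appears anywhere in the body,
  # whether as a variable, a field access (`conn.assigns.current_user`) or an atom.
  defp authorized?(body) do
    contains?(body, fn
      {marker, _, _} when marker in @authz_markers -> true
      {{:., _, [_, marker]}, _, _} when marker in @authz_markers -> true
      marker when is_atom(marker) and marker in @authz_markers -> true
      _ -> false
    end)
  end

  defp contains?(ast, pred) do
    {_ast, found} = Macro.prewalk(ast, false, fn node, acc -> {node, acc or pred.(node)} end)
    found
  end
end

# MissingAuthzDemo.demo() => %{bad: [{:delete, 2}], good: []}
```

Run `MissingAuthzDemo.demo()` in `iex`: the unprotected `delete/2` is reported, the guarded one is not. The heuristic is deliberately name-based, which is also its weakness: a variable merely named `current_user` silences it, and a real check performed in a plug or a separate module is invisible to it, so findings need manual review in both directions.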
Examples
Bad (Elixir)

```elixir
def delete(conn, %{"id" => id}) do
  post = Repo.get!(Post, id)
  Repo.delete!(post)
  json(conn, %{status: "deleted"})
end
```

Good (Elixir)

```elixir
def delete(conn, %{"id" => id}) do
  user = conn.assigns.current_user
  post = Repo.get!(Post, id)
  if post.user_id == user.id or user.admin? do
    Repo.delete!(post)
    json(conn, %{status: "deleted"})
  else
    conn |> put_status(403) |> json(%{error: "Forbidden"})
  end
end
```
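As an added example (not part of these docs), the owner-or-admin rule from the Good snippet above can be factored into one function that every mutating action must go through, so the check cannot be omitted from a single action. The module name `DemoWeb.PostController`, the `Post.changeset/2` function and the `Post`, `Repo` and `conn.assigns.current_user` names are assumed to exist as in the snippet above.

```elixir
defmodule DemoWeb.PostController do
  use DemoWeb, :controller   # assumed Phoenix application module name

  # Loads the record with Repo.get/2 (not get!/2) so a missing id is handled
  # explicitly, then applies the same owner-or-admin rule as the snippet above.
  # Every action that changes a Post calls this before touching the Repo.
  defp fetch_authorized(user, id) do
    case Repo.get(Post, id) do
      nil -> {:error, :not_found}
      %Post{user_id: owner_id} = post when owner_id == user.id -> {:ok, post}
      %Post{} = post -> if user.admin?, do: {:ok, post}, else: {:error, :forbidden}
    end
  end

  def update(conn, %{"id" => id, "post" => params}) do
    with {:ok, post} <- fetch_authorized(conn.assigns.current_user, id),
         {:ok, post} <- post |> Post.changeset(params) |> Repo.update() do
      json(conn, %{status: "updated", id: post.id})
    else
      {:error, reason} -> error_response(conn, reason)
    end
  end

  def delete(conn, %{"id" => id}) do
    with {:ok, post} <- fetch_authorized(conn.assigns.current_user, id),
         {:ok, _deleted} <- Repo.delete(post) do
      json(conn, %{status: "deleted"})
    else
      {:error, reason} -> error_response(conn, reason)
    end
  end

  defp error_response(conn, :not_found), do: conn |> put_status(404) |> json(%{error: "Not found"})
  defp error_response(conn, :forbidden), do: conn |> put_status(403) |> json(%{error: "Forbidden"})
  defp error_response(conn, %Ecto.Changeset{}), do: conn |> put_status(422) |> json(%{error: "Invalid"})
end
```

Because both `update/2` and `delete/2` obtain the record only through `fetch_authorized/2`, a user-supplied id is never passed to a mutating `Repo` call without the ownership verification the detection strategy looks for. Note that answering 404 for missing records and 403 for records owned by someone else tells a caller whether an id exists; if that matters for the application, return 404 in both cases.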