SONARJAVA-4880 S5804: Support detection of User Enumeration for Spring (

#4753)

its/autoscan/src/test/resources/autoscan/diffs/diff_S5804.json

@@ -1,6 +1,6 @@
 {
   "ruleKey": "S5804",
   "hasTruePositives": false,
-  "falseNegatives": 9,
+  "falseNegatives": 11,
   "falsePositives": 0
-}
+}

java-checks-test-sources/default/pom.xml

@@ -206,6 +206,11 @@
       <type>jar</type>
       <scope>provided</scope>
     </dependency>
+    <dependency>
+      <groupId>org.springframework.security</groupId>
+      <artifactId>spring-security-ldap</artifactId>
+      <version>6.2.3</version>
+    </dependency>
     <dependency>
       <groupId>org.springframework</groupId>
       <artifactId>spring-aop</artifactId>

java-checks-test-sources/default/src/main/java/checks/security/UserEnumerationCheck.java

@@ -12,6 +12,7 @@
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.ldap.authentication.LdapAuthenticationProvider;
 
 public class UserEnumerationCheck {
 
@@ -93,6 +94,13 @@ public void config() {
     throw new UsernameNotFoundException("userName not found"); // Noncompliant
   }
 
+  void ldap(LdapAuthenticationProvider ldapAuthenticationProvider) {
+    ldapAuthenticationProvider.setHideUserNotFoundExceptions(false); // Noncompliant
+    ldapAuthenticationProvider.setHideUserNotFoundExceptions(MY_CONSTANT); // Noncompliant
+    boolean variableFalse = false;
+    ldapAuthenticationProvider.setHideUserNotFoundExceptions(variableFalse); // Compliant, not a constant
+  }
+
   public void compliantConfig() {
     boolean b = false;
 

java-checks/src/main/java/org/sonar/java/checks/security/UserEnumerationCheck.java

@@ -41,6 +41,7 @@ public class UserEnumerationCheck extends IssuableSubscriptionVisitor {
 
   private static final String MESSAGE = "Make sure allowing user enumeration is safe here.";
   private static final String ABSTRACT_USER_DETAILS_AUTHENTICATION_PROVIDER = "org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider";
+  private static final String SPRING_SEC_LDAP_AUTHENTICATION_PROVIDER = "org.springframework.security.ldap.authentication.LdapAuthenticationProvider";
   private static final String USER_DETAILS_SERVICE = "org.springframework.security.core.userdetails.UserDetailsService";
   private static final String USERNAME_NOT_FOUND_EXCEPTION = "org.springframework.security.core.userdetails.UsernameNotFoundException";
   private static final String HIDE_USER_NOT_FOUND_EXCEPTIONS = "setHideUserNotFoundExceptions";
@@ -52,7 +53,7 @@ public class UserEnumerationCheck extends IssuableSubscriptionVisitor {
   private final Deque<MethodTree> stack = new ArrayDeque<>();
 
   private static final MethodMatchers SET_HIDE_USER_MATCHER = MethodMatchers.create()
-    .ofSubTypes(ABSTRACT_USER_DETAILS_AUTHENTICATION_PROVIDER)
+    .ofSubTypes(ABSTRACT_USER_DETAILS_AUTHENTICATION_PROVIDER, SPRING_SEC_LDAP_AUTHENTICATION_PROVIDER)
     .names(HIDE_USER_NOT_FOUND_EXCEPTIONS)
     .addParametersMatcher(BOOLEAN)
     .build();