Grails Secure Code Review Cheat Sheet

= DRAFT CHEAT SHEET - WORK IN PROGRESS =

= Introduction =

This article is focused on providing clear, simple, actionable guidance for getting started with reviewing the source code of applications written using the Grails web application framework for potential security flaws, whether architectural or implementation-related. Reviewing Grails application source code can be tricky: it is easy, even for an experienced code reviewer, to unintentionally skip past (i.e. not review) parts of a Grails application because of certain features of the language and the framework. In short, this is due to Groovy programming language-specific and Grails framework-specific considerations that are explored in this article. This article can be used as a checklist for reviewing Grails application source code for both architectural and implementation-related potential security flaws. The guidance provided can be used to support manual analysis, automated analysis, or a combination of the two, depending on the resources you have available.

Groovy Language Basics
TODO

“.groovy” Files
TODO

“.gsp” Files
TODO

Grails Framework Basics
Wikipedia describes the Grails framework as... TODO

Grails Programming Languages
TODO

Grails Application Directory Structure
TODO

Why Can’t I Just Scan The Byte Code Compiled From The Generated Java Classes?
Well, you can. But even assuming that you can (1) build the code or otherwise obtain the compiled bytecode, and (2) have access to a decent automated static analysis tool, you are going to find yourself with very noisy results that developers cannot easily act upon. Findings reported against generated code would need to be translated into findings mapped back to the original Groovy code in order to make fixes that are appropriate to the Grails and Groovy solution stack (i.e. a Java-language fix, or a Java library such as OWASP's ESAPI, may not be appropriate or actionable for technical or non-technical reasons). Further, Groovy language-specific considerations, along with Grails library and framework-specific considerations, would not be analyzed at all. ... TODO... CodeNarc not enough...

= Getting Started Reviewing Groovy Language Source Code Files =
TODO

Reviewing Groovy Language Files (.groovy and .gsp)
TODO

Groovy Language Considerations
TODO

Groovy Library and Framework Considerations
TODO

Reviewing Grails Framework Groovy Language Files
TODO

Grails Model Considerations
TODO

Grails View Considerations
TODO

Grails Controller Considerations
TODO

Grails Service Considerations
TODO

Reviewing Java In Groovy Language Files (.groovy and .gsp)
TODO

= Getting Started Reviewing Java Language Source Code Included in Grails Applications =
TODO

Reviewing Java In Java Language Files (.java and .jsp)
... Review like any other Java app... TODO...

Reviewing Other Java Language File Types
... Review like any other Java app... TODO...

= Getting Started Reviewing Other Types of Source Code And Functionality Included in Grails Applications =
TODO

Reviewing Other Types Included For Use by the Grails Framework
TODO

Reviewing Other Types Included For Use by Java Language Source Code
TODO

= Code Review Tool Configuration Summary =
TODO

= References and Further Reading =

Groovy pages
TODO

Grails security pages
Security Updates for Grails
 * http://support.springsource.com/security/grails

Grails Security Documentation
 * http://grails.org/doc/latest/guide/security.html

Grails Dependency Injection Vulnerability and mitigations
 * http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1833
 * http://blog.springsource.org/2012/03/28/secure-data-binding-with-grails/
 * http://www.anyware.co.uk/2005/2012/03/29/inside-the-grails-dependency-injection-binding-vulnerability/
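As an added illustration of the data binding topic covered by the references above (example code written for this cheat sheet, not code from the Grails project or from the linked articles), the listing below contrasts a controller binding pattern a reviewer should flag with the hardened form that uses the Grails `bindData` controller method with an explicit include list. The `User` domain class, its `isAdmin` property and the `UserController` are assumed for illustration, and the domain class and controller are shown in one listing for readability rather than in their usual separate `grails-app/domain` and `grails-app/controllers` locations.

```groovy
// Example written for this cheat sheet (not from the original page or the
// Grails project): two ways a Grails controller can bind request parameters
// to a domain object. The User class, its properties and this controller are
// assumed for illustration only.

class User {
    String username
    String email
    boolean isAdmin = false   // must never be settable from a request
}

class UserController {

    // REVIEW FINDING: mass assignment. Every request parameter whose name
    // matches a property is bound, so a request that also carries isAdmin
    // is written straight into the object. On the Grails versions covered by
    // the referenced CVE, unrestricted binding could additionally reach
    // properties of injected dependencies. Flag this pattern during review;
    // "user.properties = params" is the same pattern in a different spelling.
    def registerUnsafe() {
        def user = new User(params)
        user.save(flush: true)
        render "created ${user.username}"
    }

    // HARDENED FORM: bind only an explicit allow-list of properties.
    // Anything else in params, isAdmin included, is ignored by the binder.
    def register() {
        def user = new User()
        bindData(user, params, [include: ['username', 'email']])
        if (!user.save(flush: true)) {
            render(status: 400, text: "invalid user")
            return
        }
        render "created ${user.username}"
    }
}
```

When reviewing, search controllers for `new <Domain>(params)` and `.properties = params` and confirm that each occurrence either uses `bindData` with an `include` list (or an equivalent explicit allow-list) or only targets domain classes with no security-sensitive properties; also confirm the Grails version in use is at or above the fixed versions listed in the CVE entry above.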

= Authors and Primary Editors =
Mike Boberski - boberski_michael[at]bah.com

= Other Cheat Sheets =