
Broken Authorization in Scala


Vulnerable Example

There are several forms of broken authentication/authorization, the most common of which is having no mechanism at all. In Scala (Play Framework) endpoints are secured by means of action composition. Consider the following example of a controller exposing a single publicly accessible endpoint; an auth action is injected, but it is never applied to the endpoint:

import javax.inject.Inject
import play.api.mvc._
import scala.concurrent.ExecutionContext

class MyController @Inject() (
    cc: ControllerComponents,
    authAction: AuthAction
)(
    implicit executionContext: ExecutionContext
) extends AbstractController(cc) {
  // Vulnerable: a plain Action performs no authentication or authorization
  // check, so any client can reach this endpoint.
  def myEndpoint =
    Action { implicit request =>
      Ok(views.html.myView(request))
    }
}

Prevention

Authentication/authorization mechanisms are plugged in using action composition: a custom ActionBuilder runs its check and decides whether to invoke the endpoint's body. Suppose, for example, that the security mechanism is implemented in the following class:

import javax.inject.Inject
import play.api.mvc._
import play.api.mvc.Results.Redirect
import scala.concurrent.{ExecutionContext, Future}

class AuthAction @Inject() (
    parser: BodyParsers.Default
)(
    implicit executionContext: ExecutionContext
) extends ActionBuilderImpl(parser) {
  override def invokeBlock[A](
      request: Request[A],
      block: Request[A] => Future[Result]
  ): Future[Result] = {
    // Placeholder for the real auth mechanism: here a request counts as
    // authenticated only if the session carries a "user" entry.
    val authenticated = request.session.get("user").isDefined
    if (!authenticated) {
      // Unauthenticated: never run the endpoint body, send the client to login.
      Future.successful(Redirect("/login"))
    } else {
      block(request)
    }
  }
}

AuthAction can then be applied to the original myEndpoint, in place of the bare Action, in the following way:

def myEndpoint =
  authAction { implicit request =>
    Ok(views.html.myView(request))
  }
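The AuthAction above only checks that a caller is authenticated; the page's title is about authorization, which additionally requires that each endpoint verifies the caller is allowed to perform that specific operation. The following added example (written for this page, not SecureFlag's or Play's own code) goes one step beyond the text and shows both checks composed with Play's ActionRefiner and ActionFilter: an AuthenticatedAction that turns a plain Request into an AuthenticatedRequest carrying the principal, a RoleFilter that rejects callers without a required role, and a controller with a public endpoint, an authenticated endpoint, and an admin-only endpoint. The session layout ("user" and a comma-separated "roles" entry), the class names and the controller are assumptions made for illustration; in a real application the principal and roles would come from your session store or identity provider.

```scala
import javax.inject.Inject
import play.api.mvc._
import play.api.mvc.Results.{Forbidden, Redirect}
import scala.concurrent.{ExecutionContext, Future}

// Assumed request type: the plain request plus the authenticated principal
// and the roles granted to it.
case class AuthenticatedRequest[A](user: String, roles: Set[String], request: Request[A])
    extends WrappedRequest[A](request)

// Authentication step. Refines a Request into an AuthenticatedRequest, or
// short-circuits with a redirect to /login so the endpoint body never runs.
class AuthenticatedAction @Inject() (val parser: BodyParsers.Default)(
    implicit val executionContext: ExecutionContext
) extends ActionBuilder[AuthenticatedRequest, AnyContent]
    with ActionRefiner[Request, AuthenticatedRequest] {

  // Assumed session layout: "user" -> principal, "roles" -> "admin,editor".
  def refine[A](request: Request[A]): Future[Either[Result, AuthenticatedRequest[A]]] =
    Future.successful {
      request.session.get("user") match {
        case Some(user) =>
          val roles = request.session
            .get("roles")
            .map(_.split(',').map(_.trim).filter(_.nonEmpty).toSet)
            .getOrElse(Set.empty[String])
          Right(AuthenticatedRequest(user, roles, request))
        case None =>
          Left(Redirect("/login"))
      }
    }
}

// Authorization step. Runs after authentication and lets the request through
// only if the principal holds the required role; otherwise answers 403.
object RoleFilter {
  def apply(role: String)(implicit ec: ExecutionContext): ActionFilter[AuthenticatedRequest] =
    new ActionFilter[AuthenticatedRequest] {
      def executionContext: ExecutionContext = ec

      def filter[A](request: AuthenticatedRequest[A]): Future[Option[Result]] =
        Future.successful {
          if (request.roles.contains(role)) None
          else Some(Forbidden(s"Role '$role' required"))
        }
    }
}

// Assumed controller showing the three levels of protection side by side.
class AdminController @Inject() (
    cc: ControllerComponents,
    authenticated: AuthenticatedAction
)(implicit ec: ExecutionContext)
    extends AbstractController(cc) {

  // Public: the same shape as the vulnerable example, no check at all.
  def index = Action { implicit request =>
    Ok("public")
  }

  // Authenticated only: any logged-in user reaches this body.
  def profile = authenticated { implicit request =>
    Ok(s"Hello ${request.user}")
  }

  // Authenticated and authorized: the role check is composed onto the
  // endpoint, so a logged-in user without "admin" receives 403.
  def deleteUser(id: Long) =
    (authenticated andThen RoleFilter("admin")) { implicit request =>
      Ok(s"${request.user} deleted user $id")
    }
}
```

Composing the checks with andThen keeps the decision in one reusable place per endpoint rather than scattered inside the body, which is what makes the missing check in the vulnerable example easy to spot in review: an endpoint built from a bare Action has no authorization at all.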

References

MITRE - CWE 285 - Improper Authorization

OWASP Top 10 2021 - Broken Access Control

OWASP - Access Control Cheat Sheet

Play Framework - Action composition