Java: fix test case for version 1.4

Need the existence of an ApplicationProperties File, not an ApplicationProperties ConfigPair
2026-03-01 13:23:49 +01:00 · 2025-07-15 19:50:04 -04:00
parent 3823186dc6
commit 2bfc4b4ee2
3 changed files with 39 additions and 34 deletions
--- a/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll
@@ -28,12 +28,17 @@ class SpringBootPom extends Pom {
 }

 /** The properties file `application.properties`. */
-class ApplicationProperties extends ConfigPair {
-  ApplicationProperties() { this.getFile().getBaseName() = "application.properties" }
+class ApplicationPropertiesFile extends File {
+  ApplicationPropertiesFile() { this.getBaseName() = "application.properties" }
+}
+
+/** A name-value pair stored in an `application.properties` file. */
+class ApplicationPropertiesConfigPair extends ConfigPair {
+  ApplicationPropertiesConfigPair() { this.getFile() instanceof ApplicationPropertiesFile }
 }

 /** The configuration property `management.security.enabled`. */
-class ManagementSecurityConfig extends ApplicationProperties {
+class ManagementSecurityConfig extends ApplicationPropertiesConfigPair {
  ManagementSecurityConfig() { this.getNameElement().getName() = "management.security.enabled" }

  /** Gets the whitespace-trimmed value of this property. */
@@ -47,7 +52,7 @@ class ManagementSecurityConfig extends ApplicationProperties {
 }

 /** The configuration property `management.endpoints.web.exposure.include`. */
-class ManagementEndPointInclude extends ApplicationProperties {
+class ManagementEndPointInclude extends ApplicationPropertiesConfigPair {
  ManagementEndPointInclude() {
    this.getNameElement().getName() = "management.endpoints.web.exposure.include"
  }
@@ -60,33 +65,35 @@ class ManagementEndPointInclude extends ApplicationProperties {
 * Holds if `ApplicationProperties` ap of a repository managed by `SpringBootPom` pom
 * has a vulnerable configuration of Spring Boot Actuator management endpoints.
 */
-predicate hasConfidentialEndPointExposed(SpringBootPom pom, ApplicationProperties ap) {
+predicate hasConfidentialEndPointExposed(SpringBootPom pom) {
  pom.isSpringBootActuatorUsed() and
  not pom.isSpringBootSecurityUsed() and
-  ap.getFile()
-      .getParentContainer()
-      .getAbsolutePath()
-      .matches(pom.getFile().getParentContainer().getAbsolutePath() + "%") and // in the same sub-directory
-  exists(string springBootVersion | springBootVersion = pom.getParentElement().getVersionString() |
-    springBootVersion.regexpMatch("1\\.[0-4].*") and // version 1.0, 1.1, ..., 1.4
-    not exists(ManagementSecurityConfig me |
-      me.hasSecurityEnabled() and me.getFile() = ap.getFile()
-    )
-    or
-    springBootVersion.matches("1.5%") and // version 1.5
-    exists(ManagementSecurityConfig me | me.hasSecurityDisabled() and me.getFile() = ap.getFile())
-    or
-    springBootVersion.matches("2.%") and //version 2.x
-    exists(ManagementEndPointInclude mi |
-      mi.getFile() = ap.getFile() and
-      (
-        mi.getValue() = "*" // all endpoints are enabled
-        or
-        mi.getValue()
-            .matches([
-                "%dump%", "%trace%", "%logfile%", "%shutdown%", "%startup%", "%mappings%", "%env%",
-                "%beans%", "%sessions%"
-              ]) // confidential endpoints to check although all endpoints apart from '/health' and '/info' are considered sensitive by Spring
+  exists(ApplicationPropertiesFile apFile |
+    apFile
+        .getParentContainer()
+        .getAbsolutePath()
+        .matches(pom.getFile().getParentContainer().getAbsolutePath() + "%") and // in the same sub-directory
+    exists(string springBootVersion |
+      springBootVersion = pom.getParentElement().getVersionString()
+    |
+      springBootVersion.regexpMatch("1\\.[0-4].*") and // version 1.0, 1.1, ..., 1.4
+      not exists(ManagementSecurityConfig me | me.hasSecurityEnabled() and me.getFile() = apFile)
+      or
+      springBootVersion.matches("1.5%") and // version 1.5
+      exists(ManagementSecurityConfig me | me.hasSecurityDisabled() and me.getFile() = apFile)
+      or
+      springBootVersion.matches("2.%") and //version 2.x
+      exists(ManagementEndPointInclude mi |
+        mi.getFile() = apFile and
+        (
+          mi.getValue() = "*" // all endpoints are enabled
+          or
+          mi.getValue()
+              .matches([
+                  "%dump%", "%trace%", "%logfile%", "%shutdown%", "%startup%", "%mappings%",
+                  "%env%", "%beans%", "%sessions%"
+                ]) // confidential endpoints to check although all endpoints apart from '/health' and '/info' are considered sensitive by Spring
+        )
      )
    )
  )