Java: remove experimental files

2026-04-19 14:04:09 +02:00 · 2025-02-16 12:30:42 -05:00
parent 089a491d5a
commit 5e5bc2afe9
7 changed files with 0 additions and 350 deletions
--- a/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.java
+++ b/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.java
@@ -1,22 +0,0 @@
-@Configuration(proxyBeanMethods = false)
-public class SpringBootActuators extends WebSecurityConfigurerAdapter {
-
-  @Override
-  protected void configure(HttpSecurity http) throws Exception {
-    // BAD: Unauthenticated access to Spring Boot actuator endpoints is allowed
-    http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests((requests) ->
-        requests.anyRequest().permitAll());
-  }
-}
-
-@Configuration(proxyBeanMethods = false)
-public class ActuatorSecurity extends WebSecurityConfigurerAdapter {
-
-  @Override
-  protected void configure(HttpSecurity http) throws Exception {
-    // GOOD: only users with ENDPOINT_ADMIN role are allowed to access the actuator endpoints
-    http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests((requests) ->
-        requests.anyRequest().hasRole("ENDPOINT_ADMIN"));
-    http.httpBasic();
-  }
-}
--- a/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.qhelp
@@ -1,39 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-<overview>
-<p>Spring Boot includes a number of additional features called actuators that let you monitor
-and interact with your web application. Exposing unprotected actuator endpoints via JXM or HTTP
-can, however, lead to information disclosure or even to remote code execution vulnerability.</p>
-</overview>
-
-<recommendation>
-<p>Since actuator endpoints may contain sensitive information, careful consideration should be
-given about when to expose them. You should take care to secure exposed HTTP endpoints in the same
-way that you would any other sensitive URL. If Spring Security is present, endpoints are secured by
-default using Spring Security’s content-negotiation strategy. If you wish to configure custom
-security for HTTP endpoints, for example, only allow users with a certain role to access them,
-Spring Boot provides some convenient <code>RequestMatcher</code> objects that can be used in
-combination with Spring Security.</p>
-</recommendation>
-
-<example>
-<p>In the first example, the custom security configuration allows unauthenticated access to all
-actuator endpoints. This may lead to sensitive information disclosure and should be avoided.</p>
-<p>In the second example, only users with <code>ENDPOINT_ADMIN</code> role are allowed to access
-the actuator endpoints.</p>
-
-<sample src="SpringBootActuators.java" />
-</example>
-
-<references>
-<li>
-Spring Boot documentation:
-<a href="https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html">Actuators</a>.
-</li>
-<li>
-<a href="https://www.veracode.com/blog/research/exploiting-spring-boot-actuators">Exploiting Spring Boot Actuators</a>
-</li>
-</references>
-</qhelp>
--- a/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.ql
@@ -1,20 +0,0 @@
-/**
- * @name Exposed Spring Boot actuators
- * @description Exposing Spring Boot actuators may lead to internal application's information leak
- *              or even to remote code execution.
- * @kind problem
- * @problem.severity error
- * @precision high
- * @id java/spring-boot-exposed-actuators
- * @tags security
- *       experimental
- *       external/cwe/cwe-16
- */
-
-import java
-deprecated import SpringBootActuators
-
-deprecated query predicate problems(PermitAllCall permitAllCall, string message) {
-  permitAllCall.permitsSpringBootActuators() and
-  message = "Unauthenticated access to Spring Boot actuator is allowed."
-}
--- a/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.qll
@@ -1,157 +0,0 @@
-deprecated module;
-
-import java
-
-/** The class `org.springframework.security.config.annotation.web.builders.HttpSecurity`. */
-class TypeHttpSecurity extends Class {
-  TypeHttpSecurity() {
-    this.hasQualifiedName("org.springframework.security.config.annotation.web.builders",
-      "HttpSecurity")
-  }
-}
-
-/**
- * The class
- * `org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer`.
- */
-class TypeAuthorizedUrl extends Class {
-  TypeAuthorizedUrl() {
-    this.hasQualifiedName("org.springframework.security.config.annotation.web.configurers",
-      "ExpressionUrlAuthorizationConfigurer<HttpSecurity>$AuthorizedUrl<>")
-  }
-}
-
-/**
- * The class `org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry`.
- */
-class TypeAbstractRequestMatcherRegistry extends Class {
-  TypeAbstractRequestMatcherRegistry() {
-    this.hasQualifiedName("org.springframework.security.config.annotation.web",
-      "AbstractRequestMatcherRegistry<AuthorizedUrl<>>")
-  }
-}
-
-/**
- * The class `org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest`.
- */
-class TypeEndpointRequest extends Class {
-  TypeEndpointRequest() {
-    this.hasQualifiedName("org.springframework.boot.actuate.autoconfigure.security.servlet",
-      "EndpointRequest")
-  }
-}
-
-/** A call to `EndpointRequest.toAnyEndpoint` method. */
-class ToAnyEndpointCall extends MethodCall {
-  ToAnyEndpointCall() {
-    this.getMethod().hasName("toAnyEndpoint") and
-    this.getMethod().getDeclaringType() instanceof TypeEndpointRequest
-  }
-}
-
-/**
- * A call to `HttpSecurity.requestMatcher` method with argument `RequestMatcher.toAnyEndpoint()`.
- */
-class RequestMatcherCall extends MethodCall {
-  RequestMatcherCall() {
-    this.getMethod().hasName("requestMatcher") and
-    this.getMethod().getDeclaringType() instanceof TypeHttpSecurity and
-    this.getArgument(0) instanceof ToAnyEndpointCall
-  }
-}
-
-/**
- * A call to `HttpSecurity.requestMatchers` method with lambda argument
- * `RequestMatcher.toAnyEndpoint()`.
- */
-class RequestMatchersCall extends MethodCall {
-  RequestMatchersCall() {
-    this.getMethod().hasName("requestMatchers") and
-    this.getMethod().getDeclaringType() instanceof TypeHttpSecurity and
-    this.getArgument(0).(LambdaExpr).getExprBody() instanceof ToAnyEndpointCall
-  }
-}
-
-/** A call to `HttpSecurity.authorizeRequests` method. */
-class AuthorizeRequestsCall extends MethodCall {
-  AuthorizeRequestsCall() {
-    this.getMethod().hasName("authorizeRequests") and
-    this.getMethod().getDeclaringType() instanceof TypeHttpSecurity
-  }
-}
-
-/** A call to `AuthorizedUrl.permitAll` method. */
-class PermitAllCall extends MethodCall {
-  PermitAllCall() {
-    this.getMethod().hasName("permitAll") and
-    this.getMethod().getDeclaringType() instanceof TypeAuthorizedUrl
-  }
-
-  /** Holds if `permitAll` is called on request(s) mapped to actuator endpoint(s). */
-  predicate permitsSpringBootActuators() {
-    exists(AuthorizeRequestsCall authorizeRequestsCall |
-      // .requestMatcher(EndpointRequest).authorizeRequests([...]).[...]
-      authorizeRequestsCall.getQualifier() instanceof RequestMatcherCall
-      or
-      // .requestMatchers(matcher -> EndpointRequest).authorizeRequests([...]).[...]
-      authorizeRequestsCall.getQualifier() instanceof RequestMatchersCall
-    |
-      // [...].authorizeRequests(r -> r.anyRequest().permitAll()) or
-      // [...].authorizeRequests(r -> r.requestMatchers(EndpointRequest).permitAll())
-      authorizeRequestsCall.getArgument(0).(LambdaExpr).getExprBody() = this and
-      (
-        this.getQualifier() instanceof AnyRequestCall or
-        this.getQualifier() instanceof RegistryRequestMatchersCall
-      )
-      or
-      // [...].authorizeRequests().requestMatchers(EndpointRequest).permitAll() or
-      // [...].authorizeRequests().anyRequest().permitAll()
-      authorizeRequestsCall.getNumArgument() = 0 and
-      exists(RegistryRequestMatchersCall registryRequestMatchersCall |
-        registryRequestMatchersCall.getQualifier() = authorizeRequestsCall and
-        this.getQualifier() = registryRequestMatchersCall
-      )
-      or
-      exists(AnyRequestCall anyRequestCall |
-        anyRequestCall.getQualifier() = authorizeRequestsCall and
-        this.getQualifier() = anyRequestCall
-      )
-    )
-    or
-    exists(AuthorizeRequestsCall authorizeRequestsCall |
-      // http.authorizeRequests([...]).[...]
-      authorizeRequestsCall.getQualifier() instanceof VarAccess
-    |
-      // [...].authorizeRequests(r -> r.requestMatchers(EndpointRequest).permitAll())
-      authorizeRequestsCall.getArgument(0).(LambdaExpr).getExprBody() = this and
-      this.getQualifier() instanceof RegistryRequestMatchersCall
-      or
-      // [...].authorizeRequests().requestMatchers(EndpointRequest).permitAll() or
-      authorizeRequestsCall.getNumArgument() = 0 and
-      exists(RegistryRequestMatchersCall registryRequestMatchersCall |
-        registryRequestMatchersCall.getQualifier() = authorizeRequestsCall and
-        this.getQualifier() = registryRequestMatchersCall
-      )
-    )
-  }
-}
-
-/** A call to `AbstractRequestMatcherRegistry.anyRequest` method. */
-class AnyRequestCall extends MethodCall {
-  AnyRequestCall() {
-    this.getMethod().hasName("anyRequest") and
-    this.getMethod().getDeclaringType() instanceof TypeAbstractRequestMatcherRegistry
-  }
-}
-
-/**
- * A call to `AbstractRequestMatcherRegistry.requestMatchers` method with an argument
- * `RequestMatcher.toAnyEndpoint()`.
- */
-class RegistryRequestMatchersCall extends MethodCall {
-  RegistryRequestMatchersCall() {
-    this.getMethod().hasName("requestMatchers") and
-    this.getMethod().getDeclaringType() instanceof TypeAbstractRequestMatcherRegistry and
-    this.getAnArgument() instanceof ToAnyEndpointCall
-  }
-}