Java: add 'Spring' prefix to public class names

Jami Cogswell
2025-03-04 10:34:16 -05:00
parent c2e859c756
commit 746f022cfa
4 changed files with 50 additions and 50 deletions


@@ -8,17 +8,17 @@ import java
/**
* The class `org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest`.
*/
class TypeEndpointRequest extends Class {
TypeEndpointRequest() {
class SpringEndpointRequest extends Class {
SpringEndpointRequest() {
this.hasQualifiedName("org.springframework.boot.actuate.autoconfigure.security.servlet",
"EndpointRequest")
}
}
/** A call to `EndpointRequest.toAnyEndpoint` method. */
class ToAnyEndpointCall extends MethodCall {
ToAnyEndpointCall() {
class SpringToAnyEndpointCall extends MethodCall {
SpringToAnyEndpointCall() {
this.getMethod().hasName("toAnyEndpoint") and
this.getMethod().getDeclaringType() instanceof TypeEndpointRequest
this.getMethod().getDeclaringType() instanceof SpringEndpointRequest
}
}


@@ -6,8 +6,8 @@
import java
/** The class `org.springframework.security.config.annotation.web.builders.HttpSecurity`. */
class TypeHttpSecurity extends Class {
TypeHttpSecurity() {
class SpringHttpSecurity extends Class {
SpringHttpSecurity() {
this.hasQualifiedName("org.springframework.security.config.annotation.web.builders",
"HttpSecurity")
}
@@ -19,8 +19,8 @@ class TypeHttpSecurity extends Class {
* or the class
* `org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer$AuthorizedUrl`.
*/
class TypeAuthorizedUrl extends Class {
TypeAuthorizedUrl() {
class SpringAuthorizedUrl extends Class {
SpringAuthorizedUrl() {
this.hasQualifiedName("org.springframework.security.config.annotation.web.configurers",
[
"ExpressionUrlAuthorizationConfigurer<HttpSecurity>$AuthorizedUrl<>",
@@ -32,8 +32,8 @@ class TypeAuthorizedUrl extends Class {
/**
* The class `org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry`.
*/
class TypeAbstractRequestMatcherRegistry extends Class {
TypeAbstractRequestMatcherRegistry() {
class SpringAbstractRequestMatcherRegistry extends Class {
SpringAbstractRequestMatcherRegistry() {
this.hasQualifiedName("org.springframework.security.config.annotation.web",
"AbstractRequestMatcherRegistry<AuthorizedUrl<>>")
}
@@ -45,10 +45,10 @@ class TypeAbstractRequestMatcherRegistry extends Class {
* Note: this method is deprecated and scheduled for removal
* in Spring Security 7.0.
*/
class AuthorizeRequestsCall extends MethodCall {
AuthorizeRequestsCall() {
class SpringAuthorizeRequestsCall extends MethodCall {
SpringAuthorizeRequestsCall() {
this.getMethod().hasName("authorizeRequests") and
this.getMethod().getDeclaringType() instanceof TypeHttpSecurity
this.getMethod().getDeclaringType() instanceof SpringHttpSecurity
}
}
@@ -58,10 +58,10 @@ class AuthorizeRequestsCall extends MethodCall {
* Note: the no-argument version of this method is deprecated
* and scheduled for removal in Spring Security 7.0.
*/
class AuthorizeHttpRequestsCall extends MethodCall {
AuthorizeHttpRequestsCall() {
class SpringAuthorizeHttpRequestsCall extends MethodCall {
SpringAuthorizeHttpRequestsCall() {
this.getMethod().hasName("authorizeHttpRequests") and
this.getMethod().getDeclaringType() instanceof TypeHttpSecurity
this.getMethod().getDeclaringType() instanceof SpringHttpSecurity
}
}
@@ -71,10 +71,10 @@ class AuthorizeHttpRequestsCall extends MethodCall {
* Note: this method was removed in Spring Security 6.0.
* It was replaced by `securityMatcher`.
*/
class RequestMatcherCall extends MethodCall {
RequestMatcherCall() {
class SpringRequestMatcherCall extends MethodCall {
SpringRequestMatcherCall() {
this.getMethod().hasName("requestMatcher") and
this.getMethod().getDeclaringType() instanceof TypeHttpSecurity
this.getMethod().getDeclaringType() instanceof SpringHttpSecurity
}
}
@@ -84,41 +84,41 @@ class RequestMatcherCall extends MethodCall {
* Note: this method was removed in Spring Security 6.0.
* It was replaced by `securityMatchers`.
*/
class RequestMatchersCall extends MethodCall {
RequestMatchersCall() {
class SpringRequestMatchersCall extends MethodCall {
SpringRequestMatchersCall() {
this.getMethod().hasName("requestMatchers") and
this.getMethod().getDeclaringType() instanceof TypeHttpSecurity
this.getMethod().getDeclaringType() instanceof SpringHttpSecurity
}
}
/** A call to the `HttpSecurity.securityMatcher` method. */
class SecurityMatcherCall extends MethodCall {
SecurityMatcherCall() {
class SpringSecurityMatcherCall extends MethodCall {
SpringSecurityMatcherCall() {
this.getMethod().hasName("securityMatcher") and
this.getMethod().getDeclaringType() instanceof TypeHttpSecurity
this.getMethod().getDeclaringType() instanceof SpringHttpSecurity
}
}
/** A call to the `HttpSecurity.securityMatchers` method. */
class SecurityMatchersCall extends MethodCall {
SecurityMatchersCall() {
class SpringSecurityMatchersCall extends MethodCall {
SpringSecurityMatchersCall() {
this.getMethod().hasName("securityMatchers") and
this.getMethod().getDeclaringType() instanceof TypeHttpSecurity
this.getMethod().getDeclaringType() instanceof SpringHttpSecurity
}
}
/** A call to the `AuthorizedUrl.permitAll` method. */
class PermitAllCall extends MethodCall {
PermitAllCall() {
class SpringPermitAllCall extends MethodCall {
SpringPermitAllCall() {
this.getMethod().hasName("permitAll") and
this.getMethod().getDeclaringType() instanceof TypeAuthorizedUrl
this.getMethod().getDeclaringType() instanceof SpringAuthorizedUrl
}
}
/** A call to the `AbstractRequestMatcherRegistry.anyRequest` method. */
class AnyRequestCall extends MethodCall {
AnyRequestCall() {
class SpringAnyRequestCall extends MethodCall {
SpringAnyRequestCall() {
this.getMethod().hasName("anyRequest") and
this.getMethod().getDeclaringType() instanceof TypeAbstractRequestMatcherRegistry
this.getMethod().getDeclaringType() instanceof SpringAbstractRequestMatcherRegistry
}
}


@@ -11,10 +11,10 @@ private import semmle.code.java.frameworks.spring.SpringBoot
private class HttpSecurityMatcherCall extends MethodCall {
HttpSecurityMatcherCall() {
(
this instanceof RequestMatcherCall or
this instanceof SecurityMatcherCall
this instanceof SpringRequestMatcherCall or
this instanceof SpringSecurityMatcherCall
) and
this.getArgument(0) instanceof ToAnyEndpointCall
this.getArgument(0) instanceof SpringToAnyEndpointCall
}
}
@@ -25,10 +25,10 @@ private class HttpSecurityMatcherCall extends MethodCall {
private class HttpSecurityMatchersCall extends MethodCall {
HttpSecurityMatchersCall() {
(
this instanceof RequestMatchersCall or
this instanceof SecurityMatchersCall
this instanceof SpringRequestMatchersCall or
this instanceof SpringSecurityMatchersCall
) and
this.getArgument(0).(LambdaExpr).getExprBody() instanceof ToAnyEndpointCall
this.getArgument(0).(LambdaExpr).getExprBody() instanceof SpringToAnyEndpointCall
}
}
@@ -39,21 +39,21 @@ private class HttpSecurityMatchersCall extends MethodCall {
private class RegistryRequestMatchersCall extends MethodCall {
RegistryRequestMatchersCall() {
this.getMethod().hasName("requestMatchers") and
this.getMethod().getDeclaringType() instanceof TypeAbstractRequestMatcherRegistry and
this.getAnArgument() instanceof ToAnyEndpointCall
this.getMethod().getDeclaringType() instanceof SpringAbstractRequestMatcherRegistry and
this.getAnArgument() instanceof SpringToAnyEndpointCall
}
}
/** A call to an `HttpSecurity` method that authorizes requests. */
private class AuthorizeCall extends MethodCall {
AuthorizeCall() {
this instanceof AuthorizeRequestsCall or
this instanceof AuthorizeHttpRequestsCall
this instanceof SpringAuthorizeRequestsCall or
this instanceof SpringAuthorizeHttpRequestsCall
}
}
/** Holds if `permitAllCall` is called on request(s) mapped to actuator endpoint(s). */
predicate permitsSpringBootActuators(PermitAllCall permitAllCall) {
predicate permitsSpringBootActuators(SpringPermitAllCall permitAllCall) {
exists(AuthorizeCall authorizeCall |
// .requestMatcher(EndpointRequest).authorizeRequests([...]).[...]
authorizeCall.getQualifier() instanceof HttpSecurityMatcherCall
@@ -65,7 +65,7 @@ predicate permitsSpringBootActuators(PermitAllCall permitAllCall) {
// [...].authorizeRequests(r -> r.requestMatchers(EndpointRequest).permitAll())
authorizeCall.getArgument(0).(LambdaExpr).getExprBody() = permitAllCall and
(
permitAllCall.getQualifier() instanceof AnyRequestCall or
permitAllCall.getQualifier() instanceof SpringAnyRequestCall or
permitAllCall.getQualifier() instanceof RegistryRequestMatchersCall
)
or
@@ -77,7 +77,7 @@ predicate permitsSpringBootActuators(PermitAllCall permitAllCall) {
permitAllCall.getQualifier() = registryRequestMatchersCall
)
or
exists(AnyRequestCall anyRequestCall |
exists(SpringAnyRequestCall anyRequestCall |
anyRequestCall.getQualifier() = authorizeCall and
permitAllCall.getQualifier() = anyRequestCall
)
@@ -104,7 +104,7 @@ predicate permitsSpringBootActuators(PermitAllCall permitAllCall) {
v.getAnAccess() = authorizeCall.getQualifier() and
v.getAnAccess() = matcherCall.getQualifier() and
authorizeCall.getArgument(0).(LambdaExpr).getExprBody() = permitAllCall and
permitAllCall.getQualifier() instanceof AnyRequestCall
permitAllCall.getQualifier() instanceof SpringAnyRequestCall
)
)
}


@@ -15,6 +15,6 @@ import java
import semmle.code.java.frameworks.spring.SpringSecurity
import semmle.code.java.security.SpringBootActuatorsQuery
from PermitAllCall permitAllCall
from SpringPermitAllCall permitAllCall
where permitsSpringBootActuators(permitAllCall)
select permitAllCall, "Unauthenticated access to Spring Boot actuator is allowed."