diff --git a/java/ql/lib/semmle/code/java/frameworks/spring/SpringBoot.qll b/java/ql/lib/semmle/code/java/frameworks/spring/SpringBoot.qll
index 864fc4bfcaf..d77e4549e4e 100644
--- a/java/ql/lib/semmle/code/java/frameworks/spring/SpringBoot.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/spring/SpringBoot.qll
@@ -8,17 +8,17 @@ import java
 /**
 * The class `org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest`.
 */
-class TypeEndpointRequest extends Class {
- TypeEndpointRequest() {
+class SpringEndpointRequest extends Class {
+ SpringEndpointRequest() {
 this.hasQualifiedName("org.springframework.boot.actuate.autoconfigure.security.servlet",
 "EndpointRequest")
 }
 }
 
 /** A call to `EndpointRequest.toAnyEndpoint` method. */
-class ToAnyEndpointCall extends MethodCall {
- ToAnyEndpointCall() {
+class SpringToAnyEndpointCall extends MethodCall {
+ SpringToAnyEndpointCall() {
 this.getMethod().hasName("toAnyEndpoint") and
- this.getMethod().getDeclaringType() instanceof TypeEndpointRequest
+ this.getMethod().getDeclaringType() instanceof SpringEndpointRequest
 }
 }
diff --git a/java/ql/lib/semmle/code/java/frameworks/spring/SpringSecurity.qll b/java/ql/lib/semmle/code/java/frameworks/spring/SpringSecurity.qll
index 901ed06270e..835b679d50a 100644
--- a/java/ql/lib/semmle/code/java/frameworks/spring/SpringSecurity.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/spring/SpringSecurity.qll
@@ -6,8 +6,8 @@ import java
 /** The class `org.springframework.security.config.annotation.web.builders.HttpSecurity`. */
-class TypeHttpSecurity extends Class {
- TypeHttpSecurity() {
+class SpringHttpSecurity extends Class {
+ SpringHttpSecurity() {
 this.hasQualifiedName("org.springframework.security.config.annotation.web.builders",
 "HttpSecurity")
 }
@@ -19,8 +19,8 @@ class TypeHttpSecurity extends Class {
 * or the class
 * `org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer$AuthorizedUrl`.
 */
-class TypeAuthorizedUrl extends Class {
- TypeAuthorizedUrl() {
+class SpringAuthorizedUrl extends Class {
+ SpringAuthorizedUrl() {
 this.hasQualifiedName("org.springframework.security.config.annotation.web.configurers",
 [
 "ExpressionUrlAuthorizationConfigurer$AuthorizedUrl<>",
@@ -32,8 +32,8 @@ class TypeAuthorizedUrl extends Class {
 /**
 * The class `org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry`.
 */
-class TypeAbstractRequestMatcherRegistry extends Class {
- TypeAbstractRequestMatcherRegistry() {
+class SpringAbstractRequestMatcherRegistry extends Class {
+ SpringAbstractRequestMatcherRegistry() {
 this.hasQualifiedName("org.springframework.security.config.annotation.web",
 "AbstractRequestMatcherRegistry>")
 }
@@ -45,10 +45,10 @@ class TypeAbstractRequestMatcherRegistry extends Class {
 * Note: this method is deprecated and scheduled for removal
 * in Spring Security 7.0.
 */
-class AuthorizeRequestsCall extends MethodCall {
- AuthorizeRequestsCall() {
+class SpringAuthorizeRequestsCall extends MethodCall {
+ SpringAuthorizeRequestsCall() {
 this.getMethod().hasName("authorizeRequests") and
- this.getMethod().getDeclaringType() instanceof TypeHttpSecurity
+ this.getMethod().getDeclaringType() instanceof SpringHttpSecurity
 }
 }
 
@@ -58,10 +58,10 @@ class AuthorizeRequestsCall extends MethodCall {
 * Note: the no-argument version of this method is deprecated
 * and scheduled for removal in Spring Security 7.0.
 */
-class AuthorizeHttpRequestsCall extends MethodCall {
- AuthorizeHttpRequestsCall() {
+class SpringAuthorizeHttpRequestsCall extends MethodCall {
+ SpringAuthorizeHttpRequestsCall() {
 this.getMethod().hasName("authorizeHttpRequests") and
- this.getMethod().getDeclaringType() instanceof TypeHttpSecurity
+ this.getMethod().getDeclaringType() instanceof SpringHttpSecurity
 }
 }
 
@@ -71,10 +71,10 @@ class AuthorizeHttpRequestsCall extends MethodCall {
 * Note: this method was removed in Spring Security 6.0.
 * It was replaced by `securityMatcher`.
 */
-class RequestMatcherCall extends MethodCall {
- RequestMatcherCall() {
+class SpringRequestMatcherCall extends MethodCall {
+ SpringRequestMatcherCall() {
 this.getMethod().hasName("requestMatcher") and
- this.getMethod().getDeclaringType() instanceof TypeHttpSecurity
+ this.getMethod().getDeclaringType() instanceof SpringHttpSecurity
 }
 }
 
@@ -84,41 +84,41 @@ class RequestMatcherCall extends MethodCall {
 * Note: this method was removed in Spring Security 6.0.
 * It was replaced by `securityMatchers`.
 */
-class RequestMatchersCall extends MethodCall {
- RequestMatchersCall() {
+class SpringRequestMatchersCall extends MethodCall {
+ SpringRequestMatchersCall() {
 this.getMethod().hasName("requestMatchers") and
- this.getMethod().getDeclaringType() instanceof TypeHttpSecurity
+ this.getMethod().getDeclaringType() instanceof SpringHttpSecurity
 }
 }
 
 /** A call to the `HttpSecurity.securityMatcher` method. */
-class SecurityMatcherCall extends MethodCall {
- SecurityMatcherCall() {
+class SpringSecurityMatcherCall extends MethodCall {
+ SpringSecurityMatcherCall() {
 this.getMethod().hasName("securityMatcher") and
- this.getMethod().getDeclaringType() instanceof TypeHttpSecurity
+ this.getMethod().getDeclaringType() instanceof SpringHttpSecurity
 }
 }
 
 /** A call to the `HttpSecurity.securityMatchers` method. */
-class SecurityMatchersCall extends MethodCall {
- SecurityMatchersCall() {
+class SpringSecurityMatchersCall extends MethodCall {
+ SpringSecurityMatchersCall() {
 this.getMethod().hasName("securityMatchers") and
- this.getMethod().getDeclaringType() instanceof TypeHttpSecurity
+ this.getMethod().getDeclaringType() instanceof SpringHttpSecurity
 }
 }
 
 /** A call to the `AuthorizedUrl.permitAll` method. */
-class PermitAllCall extends MethodCall {
- PermitAllCall() {
+class SpringPermitAllCall extends MethodCall {
+ SpringPermitAllCall() {
 this.getMethod().hasName("permitAll") and
- this.getMethod().getDeclaringType() instanceof TypeAuthorizedUrl
+ this.getMethod().getDeclaringType() instanceof SpringAuthorizedUrl
 }
 }
 
 /** A call to the `AbstractRequestMatcherRegistry.anyRequest` method. */
-class AnyRequestCall extends MethodCall {
- AnyRequestCall() {
+class SpringAnyRequestCall extends MethodCall {
+ SpringAnyRequestCall() {
 this.getMethod().hasName("anyRequest") and
- this.getMethod().getDeclaringType() instanceof TypeAbstractRequestMatcherRegistry
+ this.getMethod().getDeclaringType() instanceof SpringAbstractRequestMatcherRegistry
 }
 }
diff --git a/java/ql/lib/semmle/code/java/security/SpringBootActuatorsQuery.qll b/java/ql/lib/semmle/code/java/security/SpringBootActuatorsQuery.qll
index 76607ed794a..68c20adabdd 100644
--- a/java/ql/lib/semmle/code/java/security/SpringBootActuatorsQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/SpringBootActuatorsQuery.qll
@@ -11,10 +11,10 @@ private import semmle.code.java.frameworks.spring.SpringBoot
 private class HttpSecurityMatcherCall extends MethodCall {
 HttpSecurityMatcherCall() {
 (
- this instanceof RequestMatcherCall or
- this instanceof SecurityMatcherCall
+ this instanceof SpringRequestMatcherCall or
+ this instanceof SpringSecurityMatcherCall
 ) and
- this.getArgument(0) instanceof ToAnyEndpointCall
+ this.getArgument(0) instanceof SpringToAnyEndpointCall
 }
 }
 
@@ -25,10 +25,10 @@ private class HttpSecurityMatcherCall extends MethodCall {
 private class HttpSecurityMatchersCall extends MethodCall {
 HttpSecurityMatchersCall() {
 (
- this instanceof RequestMatchersCall or
- this instanceof SecurityMatchersCall
+ this instanceof SpringRequestMatchersCall or
+ this instanceof SpringSecurityMatchersCall
 ) and
- this.getArgument(0).(LambdaExpr).getExprBody() instanceof ToAnyEndpointCall
+ this.getArgument(0).(LambdaExpr).getExprBody() instanceof SpringToAnyEndpointCall
 }
 }
 
@@ -39,21 +39,21 @@ private class HttpSecurityMatchersCall extends MethodCall {
 private class RegistryRequestMatchersCall extends MethodCall {
 RegistryRequestMatchersCall() {
 this.getMethod().hasName("requestMatchers") and
- this.getMethod().getDeclaringType() instanceof TypeAbstractRequestMatcherRegistry and
- this.getAnArgument() instanceof ToAnyEndpointCall
+ this.getMethod().getDeclaringType() instanceof SpringAbstractRequestMatcherRegistry and
+ this.getAnArgument() instanceof SpringToAnyEndpointCall
 }
 }
 
 /** A call to an `HttpSecurity` method that authorizes requests. */
 private class AuthorizeCall extends MethodCall {
 AuthorizeCall() {
- this instanceof AuthorizeRequestsCall or
- this instanceof AuthorizeHttpRequestsCall
+ this instanceof SpringAuthorizeRequestsCall or
+ this instanceof SpringAuthorizeHttpRequestsCall
 }
 }
 
 /** Holds if `permitAllCall` is called on request(s) mapped to actuator endpoint(s). */
-predicate permitsSpringBootActuators(PermitAllCall permitAllCall) {
+predicate permitsSpringBootActuators(SpringPermitAllCall permitAllCall) {
 exists(AuthorizeCall authorizeCall |
 // .requestMatcher(EndpointRequest).authorizeRequests([...]).[...]
 authorizeCall.getQualifier() instanceof HttpSecurityMatcherCall
@@ -65,7 +65,7 @@ predicate permitsSpringBootActuators(PermitAllCall permitAllCall) {
 // [...].authorizeRequests(r -> r.requestMatchers(EndpointRequest).permitAll())
 authorizeCall.getArgument(0).(LambdaExpr).getExprBody() = permitAllCall and
 (
- permitAllCall.getQualifier() instanceof AnyRequestCall or
+ permitAllCall.getQualifier() instanceof SpringAnyRequestCall or
 permitAllCall.getQualifier() instanceof RegistryRequestMatchersCall
 )
 or
@@ -77,7 +77,7 @@ predicate permitsSpringBootActuators(PermitAllCall permitAllCall) {
 permitAllCall.getQualifier() = registryRequestMatchersCall
 )
 or
- exists(AnyRequestCall anyRequestCall |
+ exists(SpringAnyRequestCall anyRequestCall |
 anyRequestCall.getQualifier() = authorizeCall and
 permitAllCall.getQualifier() = anyRequestCall
 )
@@ -104,7 +104,7 @@ predicate permitsSpringBootActuators(PermitAllCall permitAllCall) {
 v.getAnAccess() = authorizeCall.getQualifier() and
 v.getAnAccess() = matcherCall.getQualifier() and
 authorizeCall.getArgument(0).(LambdaExpr).getExprBody() = permitAllCall and
- permitAllCall.getQualifier() instanceof AnyRequestCall
+ permitAllCall.getQualifier() instanceof SpringAnyRequestCall
 )
 )
 }
diff --git a/java/ql/src/Security/CWE/CWE-200/SpringBootActuators.ql b/java/ql/src/Security/CWE/CWE-200/SpringBootActuators.ql
index 97d9b506f78..5818713d058 100644
--- a/java/ql/src/Security/CWE/CWE-200/SpringBootActuators.ql
+++ b/java/ql/src/Security/CWE/CWE-200/SpringBootActuators.ql
@@ -15,6 +15,6 @@ import java
 import semmle.code.java.frameworks.spring.SpringSecurity
 import semmle.code.java.security.SpringBootActuatorsQuery
 
-from PermitAllCall permitAllCall
+from SpringPermitAllCall permitAllCall
 where permitsSpringBootActuators(permitAllCall)
 select permitAllCall, "Unauthenticated access to Spring Boot actuator is allowed."