Java: convert tests to inline expectations

This commit is contained in:
Jami Cogswell
2025-02-19 19:03:02 -05:00
parent 5e5bc2afe9
commit 8064e8f1f9
7 changed files with 29 additions and 17 deletions


@@ -1,3 +1,5 @@
/** Provides classes and predicates to reason about exposed actuators in Spring Boot. */
import java
/** The class `org.springframework.security.config.annotation.web.builders.HttpSecurity`. */


@@ -12,7 +12,7 @@
*/
import java
import SpringBootActuators
import semmle.code.java.security.SpringBootActuatorsQuery
from PermitAllCall permitAllCall
where permitAllCall.permitsSpringBootActuators()


@@ -1,7 +0,0 @@
| SpringBootActuators.java:6:88:6:120 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. |
| SpringBootActuators.java:10:5:10:137 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. |
| SpringBootActuators.java:14:5:14:149 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. |
| SpringBootActuators.java:18:5:18:101 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. |
| SpringBootActuators.java:22:5:22:89 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. |
| SpringBootActuators.java:26:40:26:108 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. |
| SpringBootActuators.java:30:5:30:113 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. |


@@ -1 +0,0 @@
Security/CWE/CWE-016/SpringBootActuators.ql


@@ -1,33 +1,33 @@
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
public class SpringBootActuators {
public class SpringBootActuatorsTest {
protected void configure(HttpSecurity http) throws Exception {
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests(requests -> requests.anyRequest().permitAll());
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests(requests -> requests.anyRequest().permitAll()); // $ hasExposedSpringBootActuator
}
protected void configure2(HttpSecurity http) throws Exception {
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll();
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll(); // $ hasExposedSpringBootActuator
}
protected void configure3(HttpSecurity http) throws Exception {
http.requestMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll();
http.requestMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll(); // $ hasExposedSpringBootActuator
}
protected void configure4(HttpSecurity http) throws Exception {
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests().anyRequest().permitAll();
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests().anyRequest().permitAll(); // $ hasExposedSpringBootActuator
}
protected void configure5(HttpSecurity http) throws Exception {
http.authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll();
http.authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll(); // $ hasExposedSpringBootActuator
}
protected void configure6(HttpSecurity http) throws Exception {
http.authorizeRequests(requests -> requests.requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll());
http.authorizeRequests(requests -> requests.requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll()); // $ hasExposedSpringBootActuator
}
protected void configure7(HttpSecurity http) throws Exception {
http.requestMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeRequests().anyRequest().permitAll();
http.requestMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeRequests().anyRequest().permitAll(); // $ hasExposedSpringBootActuator
}
protected void configureOk1(HttpSecurity http) throws Exception {
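Review bot: The public class is renamed to `SpringBootActuatorsTest` while the deleted `.expected` file in this same commit still locates its results in `SpringBootActuators.java`; unless the source file was renamed alongside (not visible in this view), javac rejects a public class whose name differs from its file name, so either keep `public class SpringBootActuators {` or rename the file to `SpringBootActuatorsTest.java`. The `// $ hasExposedSpringBootActuator` tags are attached to each flagged `permitAll()` call, which is the right granularity for the inline-expectations framework. The hunk is declared as 33 lines but the `configureOk1` body and the remaining negative cases continue past the end of what is shown, so whether those methods correctly stay tag-free cannot be confirmed from here.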


@@ -0,0 +1,18 @@
import java
import semmle.code.java.security.SpringBootActuatorsQuery
import utils.test.InlineExpectationsTest
module SpringBootActuatorsTest implements TestSig {
string getARelevantTag() { result = "hasExposedSpringBootActuator" }
predicate hasActualResult(Location location, string element, string tag, string value) {
tag = "hasExposedSpringBootActuator" and
exists(PermitAllCall permitAllCall | permitAllCall.permitsSpringBootActuators() |
permitAllCall.getLocation() = location and
element = permitAllCall.toString() and
value = ""
)
}
}
import MakeTest<SpringBootActuatorsTest>
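Review bot: The tag literal `"hasExposedSpringBootActuator"` is spelled twice in the new module, once in `getARelevantTag()` and again as the first conjunct of `hasActualResult`; binding it as `tag = getARelevantTag() and` in `hasActualResult` keeps the two from drifting if the tag is ever renamed. The module also carries no QLDoc; a one-line `/** Inline-expectations test for the SpringBootActuators query: each permitAll() call that exposes actuator endpoints must be tagged in the test source. */` above `module SpringBootActuatorsTest` would document what a `$ hasExposedSpringBootActuator` annotation in the `.java` fixture asserts. The hunk header announces 18 added lines but only 15 are shown, so this rendering appears to have dropped blank lines rather than code.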