Java: handle example in Spring docs

2026-04-26 17:25:19 +02:00 · 2025-02-23 23:28:10 -05:00
parent b2469ff8ba
commit 9e51b014d2
2 changed files with 16 additions and 0 deletions
--- a/java/ql/lib/semmle/code/java/security/SpringBootActuatorsQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/SpringBootActuatorsQuery.qll
@@ -142,5 +142,14 @@ predicate permitsSpringBootActuators(PermitAllCall permitAllCall) {
      registryRequestMatchersCall.getQualifier() = authorizeCall and
      permitAllCall.getQualifier() = registryRequestMatchersCall
    )
+    or
+    exists(Variable v, MatcherCall matcherCall |
+      // http.securityMatcher(EndpointRequest.toAnyEndpoint());
+      // http.authorizeRequests([...].permitAll())
+      v.getAnAccess() = authorizeCall.getQualifier() and
+      v.getAnAccess() = matcherCall.getQualifier() and
+      authorizeCall.getArgument(0).(LambdaExpr).getExprBody() = permitAllCall and
+      permitAllCall.getQualifier() instanceof AnyRequestCall
+    )
  )
 }
--- a/java/ql/test/query-tests/security/CWE-016/SpringBootActuatorsTest.java
+++ b/java/ql/test/query-tests/security/CWE-016/SpringBootActuatorsTest.java
@@ -264,4 +264,11 @@ public class SpringBootActuatorsTest {
  protected void configureOkNoPermitAll7_securityMatchers(HttpSecurity http) throws Exception {
    http.securityMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().anyRequest();
  }
+
+  // Spring doc example
+  // https://docs.spring.io/spring-boot/reference/actuator/endpoints.html#actuator.endpoints.security
+  public void securityFilterChain(HttpSecurity http) throws Exception {
+		http.securityMatcher(EndpointRequest.toAnyEndpoint());
+		http.authorizeHttpRequests((requests) -> requests.anyRequest().permitAll()); // $ hasExposedSpringBootActuator
+	}
 }