hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 19:26:02 +02:00
Code Issues Packages Projects Releases Wiki Activity

Java: add APIs and tests for more recent Spring versions: authorizeHttpRequests, AuthorizeHttpRequestsConfigurer, securityMatcher(s)

Browse Source
This commit is contained in:
Jami Cogswell
2025-02-20 16:58:42 -05:00
parent 8dfb920e05
commit b2469ff8ba
5 changed files with 306 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

163
java/ql/test/query-tests/security/CWE-016/SpringBootActuatorsTest.java
View File

@@ -2,6 +2,7 @@ import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointR
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
public class SpringBootActuatorsTest {
// Spring security version 5.2.3 used `authorizeRequests` and `requestMatcher(s)`
protected void configure(HttpSecurity http) throws Exception {
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests(requests -> requests.anyRequest().permitAll()); // $ hasExposedSpringBootActuator
}
@@ -101,4 +102,166 @@ public class SpringBootActuatorsTest {
protected void configureOkNoPermitAll7(HttpSecurity http) throws Exception {
http.requestMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeRequests().anyRequest();
}
// Spring security version 5.5.0 introduced `authorizeHttpRequests`
protected void configure_authorizeHttpRequests(HttpSecurity http) throws Exception {
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeHttpRequests(requests -> requests.anyRequest().permitAll()); // $ hasExposedSpringBootActuator
}
protected void configure2_authorizeHttpRequests(HttpSecurity http) throws Exception {
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll(); // $ hasExposedSpringBootActuator
}
protected void configure3_authorizeHttpRequests(HttpSecurity http) throws Exception {
http.requestMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll(); // $ hasExposedSpringBootActuator
}
protected void configure4_authorizeHttpRequests(HttpSecurity http) throws Exception {
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().anyRequest().permitAll(); // $ hasExposedSpringBootActuator
}
protected void configure5_authorizeHttpRequests(HttpSecurity http) throws Exception {
http.authorizeHttpRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll(); // $ hasExposedSpringBootActuator
}
protected void configure6_authorizeHttpRequests(HttpSecurity http) throws Exception {
http.authorizeHttpRequests(requests -> requests.requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll()); // $ hasExposedSpringBootActuator
}
protected void configure7_authorizeHttpRequests(HttpSecurity http) throws Exception {
http.requestMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().anyRequest().permitAll(); // $ hasExposedSpringBootActuator
}
protected void configureOk3_authorizeHttpRequests(HttpSecurity http) throws Exception {
http.authorizeHttpRequests().anyRequest().permitAll();
}
protected void configureOk4_authorizeHttpRequests(HttpSecurity http) throws Exception {
http.authorizeHttpRequests(authz -> authz.anyRequest().permitAll());
}
protected void configureOkSafeEndpoints1_authorizeHttpRequests(HttpSecurity http) throws Exception {
http.requestMatcher(EndpointRequest.to("health", "info")).authorizeHttpRequests(requests -> requests.anyRequest().permitAll());
}
protected void configureOkSafeEndpoints2_authorizeHttpRequests(HttpSecurity http) throws Exception {
http.requestMatcher(EndpointRequest.to("health")).authorizeHttpRequests().requestMatchers(EndpointRequest.to("health")).permitAll();
}
protected void configureOkSafeEndpoints3_authorizeHttpRequests(HttpSecurity http) throws Exception {
http.requestMatchers(matcher -> EndpointRequest.to("health", "info")).authorizeHttpRequests().requestMatchers(EndpointRequest.to("health", "info")).permitAll();
}
protected void configureOkSafeEndpoints4_authorizeHttpRequests(HttpSecurity http) throws Exception {
http.requestMatcher(EndpointRequest.to("health", "info")).authorizeHttpRequests().anyRequest().permitAll();
}
protected void configureOkSafeEndpoints5_authorizeHttpRequests(HttpSecurity http) throws Exception {
http.authorizeHttpRequests().requestMatchers(EndpointRequest.to("health", "info")).permitAll();
}
protected void configureOkSafeEndpoints6_authorizeHttpRequests(HttpSecurity http) throws Exception {
http.authorizeHttpRequests(requests -> requests.requestMatchers(EndpointRequest.to("health", "info")).permitAll());
}
protected void configureOkSafeEndpoints7_authorizeHttpRequests(HttpSecurity http) throws Exception {
http.requestMatchers(matcher -> EndpointRequest.to("health", "info")).authorizeHttpRequests().anyRequest().permitAll();
}
protected void configureOkNoPermitAll1_authorizeHttpRequests(HttpSecurity http) throws Exception {
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeHttpRequests(requests -> requests.anyRequest());
}
protected void configureOkNoPermitAll2_authorizeHttpRequests(HttpSecurity http) throws Exception {
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().requestMatchers(EndpointRequest.toAnyEndpoint());
}
protected void configureOkNoPermitAll3_authorizeHttpRequests(HttpSecurity http) throws Exception {
http.requestMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().requestMatchers(EndpointRequest.toAnyEndpoint());
}
protected void configureOkNoPermitAll4_authorizeHttpRequests(HttpSecurity http) throws Exception {
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().anyRequest();
}
protected void configureOkNoPermitAll5_authorizeHttpRequests(HttpSecurity http) throws Exception {
http.authorizeHttpRequests().requestMatchers(EndpointRequest.toAnyEndpoint());
}
protected void configureOkNoPermitAll6_authorizeHttpRequests(HttpSecurity http) throws Exception {
http.authorizeHttpRequests(requests -> requests.requestMatchers(EndpointRequest.toAnyEndpoint()));
}
protected void configureOkNoPermitAll7_authorizeHttpRequests(HttpSecurity http) throws Exception {
http.requestMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().anyRequest();
}
// Spring security version 5.8.0 introduced `securityMatcher(s)`
protected void configure_securityMatchers(HttpSecurity http) throws Exception {
http.securityMatcher(EndpointRequest.toAnyEndpoint()).authorizeHttpRequests(requests -> requests.anyRequest().permitAll()); // $ hasExposedSpringBootActuator
}
protected void configure2_securityMatchers(HttpSecurity http) throws Exception {
http.securityMatcher(EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll(); // $ hasExposedSpringBootActuator
}
protected void configure3_securityMatchers(HttpSecurity http) throws Exception {
http.securityMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll(); // $ hasExposedSpringBootActuator
}
protected void configure4_securityMatchers(HttpSecurity http) throws Exception {
http.securityMatcher(EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().anyRequest().permitAll(); // $ hasExposedSpringBootActuator
}
protected void configure7_securityMatchers(HttpSecurity http) throws Exception {
http.securityMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().anyRequest().permitAll(); // $ hasExposedSpringBootActuator
}
protected void configureOk1_securityMatchers(HttpSecurity http) throws Exception {
http.securityMatcher(EndpointRequest.toAnyEndpoint());
}
protected void configureOk2_securityMatchers(HttpSecurity http) throws Exception {
http.securityMatchers().requestMatchers(EndpointRequest.toAnyEndpoint());
}
protected void configureOkSafeEndpoints1_securityMatchers(HttpSecurity http) throws Exception {
http.securityMatcher(EndpointRequest.to("health", "info")).authorizeHttpRequests(requests -> requests.anyRequest().permitAll());
}
protected void configureOkSafeEndpoints2_securityMatchers(HttpSecurity http) throws Exception {
http.securityMatcher(EndpointRequest.to("health")).authorizeHttpRequests().requestMatchers(EndpointRequest.to("health")).permitAll();
}
protected void configureOkSafeEndpoints3_securityMatchers(HttpSecurity http) throws Exception {
http.securityMatchers(matcher -> EndpointRequest.to("health", "info")).authorizeHttpRequests().requestMatchers(EndpointRequest.to("health", "info")).permitAll();
}
protected void configureOkSafeEndpoints4_securityMatchers(HttpSecurity http) throws Exception {
http.securityMatcher(EndpointRequest.to("health", "info")).authorizeHttpRequests().anyRequest().permitAll();
}
protected void configureOkSafeEndpoints7_securityMatchers(HttpSecurity http) throws Exception {
http.securityMatchers(matcher -> EndpointRequest.to("health", "info")).authorizeHttpRequests().anyRequest().permitAll();
}
protected void configureOkNoPermitAll1_securityMatchers(HttpSecurity http) throws Exception {
http.securityMatcher(EndpointRequest.toAnyEndpoint()).authorizeHttpRequests(requests -> requests.anyRequest());
}
protected void configureOkNoPermitAll2_securityMatchers(HttpSecurity http) throws Exception {
http.securityMatcher(EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().requestMatchers(EndpointRequest.toAnyEndpoint());
}
protected void configureOkNoPermitAll3_securityMatchers(HttpSecurity http) throws Exception {
http.securityMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().requestMatchers(EndpointRequest.toAnyEndpoint());
}
protected void configureOkNoPermitAll4_securityMatchers(HttpSecurity http) throws Exception {
http.securityMatcher(EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().anyRequest();
}
protected void configureOkNoPermitAll7_securityMatchers(HttpSecurity http) throws Exception {
http.securityMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().anyRequest();
}
}