Merge pull request #20006 from jcogs33/jcogs33/java/insecure-spring-actuator-config-promotion
Java: Promote Insecure Spring Boot Actuator Configuration query from experimental
@@ -27,6 +27,7 @@ ql/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql
|
||||
ql/java/ql/src/Security/CWE/CWE-1204/StaticInitializationVector.ql
|
||||
ql/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatString.ql
|
||||
ql/java/ql/src/Security/CWE/CWE-200/SpringBootActuators.ql
|
||||
ql/java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/SpringBootActuatorsConfig.ql
|
||||
ql/java/ql/src/Security/CWE/CWE-209/SensitiveDataExposureThroughErrorMessage.ql
|
||||
ql/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql
|
||||
ql/java/ql/src/Security/CWE/CWE-266/IntentUriPermissionManipulation.ql
|
||||
|
||||
@@ -143,6 +143,7 @@ ql/java/ql/src/Security/CWE/CWE-200/AndroidSensitiveTextField.ql
|
||||
ql/java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsAllowsContentAccess.ql
|
||||
ql/java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsFileAccess.ql
|
||||
ql/java/ql/src/Security/CWE/CWE-200/SpringBootActuators.ql
|
||||
ql/java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/SpringBootActuatorsConfig.ql
|
||||
ql/java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosure.ql
|
||||
ql/java/ql/src/Security/CWE/CWE-209/SensitiveDataExposureThroughErrorMessage.ql
|
||||
ql/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql
|
||||
|
||||
@@ -46,6 +46,7 @@ ql/java/ql/src/Security/CWE/CWE-200/AndroidSensitiveTextField.ql
|
||||
ql/java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsAllowsContentAccess.ql
|
||||
ql/java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsFileAccess.ql
|
||||
ql/java/ql/src/Security/CWE/CWE-200/SpringBootActuators.ql
|
||||
ql/java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/SpringBootActuatorsConfig.ql
|
||||
ql/java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosure.ql
|
||||
ql/java/ql/src/Security/CWE/CWE-209/SensitiveDataExposureThroughErrorMessage.ql
|
||||
ql/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql
|
||||
|
||||
@@ -195,7 +195,6 @@ ql/java/ql/src/Violations of Best Practice/legacy/ParameterAssignment.ql
|
||||
ql/java/ql/src/Violations of Best Practice/legacy/UnnecessaryCast.ql
|
||||
ql/java/ql/src/Violations of Best Practice/legacy/UnnecessaryImport.ql
|
||||
ql/java/ql/src/definitions.ql
|
||||
ql/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql
|
||||
ql/java/ql/src/experimental/Security/CWE/CWE-020/Log4jJndiInjection.ql
|
||||
ql/java/ql/src/experimental/Security/CWE/CWE-036/OpenStream.ql
|
||||
ql/java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql
|
||||
|
||||
@@ -70,7 +70,12 @@ class ConfigValue extends @configValue, ConfigLocatable {
|
||||
override string toString() { result = this.getValue() }
|
||||
}
|
||||
|
||||
/** A `.properties` file. */
|
||||
class PropertiesFile extends File {
|
||||
PropertiesFile() { this.getExtension() = "properties" }
|
||||
}
|
||||
|
||||
/** A Java property is a name-value pair in a `.properties` file. */
|
||||
class JavaProperty extends ConfigPair {
|
||||
JavaProperty() { this.getFile().getExtension() = "properties" }
|
||||
JavaProperty() { this.getFile() instanceof PropertiesFile }
|
||||
}
|
||||
|
||||
@@ -0,0 +1,128 @@
|
||||
/** Provides classes and predicates to reason about Spring Boot actuators exposed in configuration files. */
|
||||
overlay[local?]
|
||||
module;
|
||||
|
||||
import java
|
||||
private import semmle.code.configfiles.ConfigFiles
|
||||
private import semmle.code.xml.MavenPom
|
||||
|
||||
/** The parent node of the `org.springframework.boot` group. */
|
||||
private class SpringBootParent extends Parent {
|
||||
SpringBootParent() { this.getGroup().getValue() = "org.springframework.boot" }
|
||||
}
|
||||
|
||||
/** A `Pom` with a Spring Boot parent node. */
|
||||
private class SpringBootPom extends Pom {
|
||||
SpringBootPom() { this.getParentElement() instanceof SpringBootParent }
|
||||
|
||||
/** Holds if the Spring Boot Security module is used in the project. */
|
||||
predicate isSpringBootSecurityUsed() {
|
||||
this.getADependency().getArtifact().getValue() = "spring-boot-starter-security"
|
||||
}
|
||||
}
|
||||
|
||||
/** A dependency with artifactId `spring-boot-starter-actuator`. */
|
||||
class SpringBootStarterActuatorDependency extends Dependency {
|
||||
SpringBootStarterActuatorDependency() {
|
||||
this.getArtifact().getValue() = "spring-boot-starter-actuator"
|
||||
}
|
||||
}
|
||||
|
||||
/** The Spring Boot configuration property `management.security.enabled`. */
|
||||
private class ManagementSecurityEnabledProperty extends JavaProperty {
|
||||
ManagementSecurityEnabledProperty() {
|
||||
this.getNameElement().getName() = "management.security.enabled"
|
||||
}
|
||||
|
||||
/** Gets the whitespace-trimmed value of this property. */
|
||||
string getValue() { result = this.getValueElement().getValue().trim() }
|
||||
|
||||
/** Holds if `management.security.enabled` is set to `false`. */
|
||||
predicate hasSecurityDisabled() { this.getValue() = "false" }
|
||||
}
|
||||
|
||||
/**
|
||||
* The Spring Boot configuration property `management.endpoints.web.exposure.include`
|
||||
* or `management.endpoints.web.expose`.
|
||||
*/
|
||||
private class ManagementEndpointsExposeProperty extends JavaProperty {
|
||||
ManagementEndpointsExposeProperty() {
|
||||
this.getNameElement().getName() = "management.endpoints.web." + ["exposure.include", "expose"]
|
||||
}
|
||||
|
||||
/** Gets the whitespace-trimmed value of this property. */
|
||||
string getValue() { result = this.getValueElement().getValue().trim() }
|
||||
}
|
||||
|
||||
private newtype TOption =
|
||||
TNone() or
|
||||
TSome(JavaProperty jp)
|
||||
|
||||
/**
|
||||
* An option type that is either a singleton `None` or a `Some` wrapping
|
||||
* the `JavaProperty` type.
|
||||
*/
|
||||
class JavaPropertyOption extends TOption {
|
||||
/** Gets a textual representation of this element. */
|
||||
string toString() {
|
||||
this = TNone() and result = "(none)"
|
||||
or
|
||||
result = this.asSome().toString()
|
||||
}
|
||||
|
||||
/** Gets the location of this element. */
|
||||
Location getLocation() { result = this.asSome().getLocation() }
|
||||
|
||||
/** Gets the wrapped element, if any. */
|
||||
JavaProperty asSome() { this = TSome(result) }
|
||||
|
||||
/** Holds if this option is the singleton `None`. */
|
||||
predicate isNone() { this = TNone() }
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if `JavaPropertyOption` jpOption of a repository using `SpringBootStarterActuatorDependency`
|
||||
* d exposes sensitive Spring Boot Actuator endpoints.
|
||||
*/
|
||||
predicate exposesSensitiveEndpoint(
|
||||
SpringBootStarterActuatorDependency d, JavaPropertyOption jpOption
|
||||
) {
|
||||
exists(PropertiesFile propFile, SpringBootPom pom |
|
||||
d = pom.getADependency() and
|
||||
not pom.isSpringBootSecurityUsed() and
|
||||
propFile
|
||||
.getParentContainer()
|
||||
.getAbsolutePath()
|
||||
.matches(pom.getFile().getParentContainer().getAbsolutePath() + "%") and // in the same sub-directory
|
||||
exists(string springBootVersion |
|
||||
springBootVersion = pom.getParentElement().getVersionString()
|
||||
|
|
||||
springBootVersion.regexpMatch("1\\.[0-4].*") and // version 1.0, 1.1, ..., 1.4
|
||||
not exists(ManagementSecurityEnabledProperty ep | ep.getFile() = propFile) and
|
||||
jpOption.isNone()
|
||||
or
|
||||
springBootVersion.regexpMatch("1\\.[0-5].*") and // version 1.0, 1.1, ..., 1.5
|
||||
exists(ManagementSecurityEnabledProperty ep |
|
||||
ep.hasSecurityDisabled() and ep.getFile() = propFile and ep = jpOption.asSome()
|
||||
)
|
||||
or
|
||||
springBootVersion.matches(["2.%", "3.%"]) and //version 2.x and 3.x
|
||||
exists(ManagementEndpointsExposeProperty ep |
|
||||
ep.getFile() = propFile and
|
||||
ep = jpOption.asSome() and
|
||||
(
|
||||
// all endpoints are exposed
|
||||
ep.getValue() = "*"
|
||||
or
|
||||
// version 2.x: exposes health and info only by default
|
||||
springBootVersion.matches("2.%") and
|
||||
not ep.getValue() = ["health", "info"]
|
||||
or
|
||||
// version 3.x: exposes health only by default
|
||||
springBootVersion.matches("3.%") and
|
||||
not ep.getValue() = "health"
|
||||
)
|
||||
)
|
||||
)
|
||||
)
|
||||
}
|
||||
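Review bot: In the 2.x branch of `exposesSensitiveEndpoint`, `not ep.getValue() = ["health", "info"]` compares the whole trimmed value against single endpoint names, so a comma-separated list such as `health,info` — which this PR's own `application_good.properties` documents as safe — is still reported; the 3.x branch (`not ep.getValue() = "health"`) has the same shape. Checking each list element instead, e.g. `exists(string e | e = ep.getValue().splitAt(",").trim() | not e = ["health", "info"])`, keeps the `*` and `health,info,beans` cases from the expected output while clearing the documented safe configuration. A second issue in the 1.0–1.4 branch: `not exists(ManagementSecurityEnabledProperty ep | ep.getFile() = propFile)` is evaluated per `PropertiesFile`, and `PropertiesFile` now covers any `.properties` file under the POM directory, so a project that sets `management.security.enabled=true` in `application.properties` but also ships another properties file (a `messages.properties`, say) appears to be flagged through that second file — the experimental version avoided this by restricting to the `application.properties` base name, and scoping the negation to the POM directory rather than to `propFile` would restore that. Also note the path check `matches(... + "%")` treats `%`/`_` in the directory path as wildcards and has no trailing separator, so `/app` also matches `/app2/...`; appending the path separator before `%` would tighten it.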
@@ -0,0 +1,39 @@
|
||||
<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
|
||||
<qhelp>
|
||||
<overview>
|
||||
<p>Spring Boot includes features called actuators that let you monitor and interact with your web
|
||||
application. Exposing unprotected actuator endpoints through configuration files can lead to
|
||||
information disclosure or even to remote code execution.</p>
|
||||
</overview>
|
||||
|
||||
<recommendation>
|
||||
<p>Since actuator endpoints may contain sensitive information, carefully consider when to expose them,
|
||||
and secure them as you would any sensitive URL. If you need to expose actuator endpoints, use Spring
|
||||
Security, which secures actuators by default, or define a custom security configuration.
|
||||
</p>
|
||||
</recommendation>
|
||||
|
||||
<example>
|
||||
<p>The following examples show <code>application.properties</code> configurations that expose sensitive
|
||||
actuator endpoints.</p>
|
||||
<sample src="application_bad.properties" />
|
||||
|
||||
<p>The below configurations ensure that sensitive actuator endpoints are not exposed.</p>
|
||||
<sample src="application_good.properties" />
|
||||
|
||||
<p>To use Spring Security, which secures actuators by default, add the <code>spring-boot-starter-security</code>
|
||||
dependency in your Maven <code>pom.xml</code> file.</p>
|
||||
<sample src="pom_good.xml" />
|
||||
</example>
|
||||
|
||||
<references>
|
||||
<li>
|
||||
Spring Boot Reference Documentation:
|
||||
<a href="https://docs.spring.io/spring-boot/reference/actuator/endpoints.html">Endpoints</a>.
|
||||
</li>
|
||||
<li>
|
||||
HackerOne Report:
|
||||
<a href="https://hackerone.com/reports/862589">Spring Actuator endpoints publicly available, leading to account takeover</a>
|
||||
</li>
|
||||
</references>
|
||||
</qhelp>
|
||||
@@ -0,0 +1,20 @@
|
||||
/**
|
||||
* @name Exposed Spring Boot actuators in configuration file
|
||||
* @description Exposing Spring Boot actuators through configuration files may lead to information leak from
|
||||
* the internal application, or even to remote code execution.
|
||||
* @kind problem
|
||||
* @problem.severity error
|
||||
* @security-severity 6.5
|
||||
* @precision high
|
||||
* @id java/spring-boot-exposed-actuators-config
|
||||
* @tags security
|
||||
* external/cwe/cwe-200
|
||||
*/
|
||||
|
||||
import java
|
||||
import semmle.code.xml.MavenPom
|
||||
import semmle.code.java.security.SpringBootActuatorsConfigQuery
|
||||
|
||||
from SpringBootStarterActuatorDependency d, JavaPropertyOption jpOption
|
||||
where exposesSensitiveEndpoint(d, jpOption)
|
||||
select d, "Insecure Spring Boot actuator $@ exposes sensitive endpoints.", jpOption, "configuration"
|
||||
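Review bot: The header drops the note carried by the experimental version that `.properties` files must be indexed (`codeql database index-files --language=properties`) before the query can produce results, and neither this file nor the new qhelp restates that prerequisite. If the Java extractor does not index properties files by default, the promoted query returns no alerts with no indication why; a short comment restating the requirement, or a sentence in the qhelp overview, would make that visible. Separately, for the 1.0–1.4 default case `jpOption` is `(none)` with no location (see the `file://:0:0:0:0` row in the expected output), so the `$@` placeholder renders a link to nothing; binding the placeholder text to something like `"default configuration"` when `jpOption.isNone()` would read better than a dead link.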
@@ -0,0 +1,10 @@
|
||||
# vulnerable configuration (Spring Boot 1.0 - 1.4): exposes endpoints by default
|
||||
|
||||
# vulnerable configuration (Spring Boot 1.5): false value exposes endpoints
|
||||
management.security.enabled=false
|
||||
|
||||
# vulnerable configuration (Spring Boot 2.x): exposes all endpoints
|
||||
management.endpoints.web.exposure.include=*
|
||||
|
||||
# vulnerable configuration (Spring Boot 3.x): exposes all endpoints
|
||||
management.endpoints.web.exposure.include=*
|
||||
@@ -0,0 +1,11 @@
|
||||
# safe configuration (Spring Boot 1.0 - 1.4)
|
||||
management.security.enabled=true
|
||||
|
||||
# safe configuration (Spring Boot 1.5+)
|
||||
management.security.enabled=true
|
||||
|
||||
# safe configuration (Spring Boot 2.x): exposes health and info only by default
|
||||
management.endpoints.web.exposure.include=health,info
|
||||
|
||||
# safe configuration (Spring Boot 3.x): exposes health only by default
|
||||
management.endpoints.web.exposure.include=health
|
||||
@@ -0,0 +1,12 @@
|
||||
...
|
||||
<dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-starter-actuator</artifactId>
|
||||
</dependency>
|
||||
|
||||
<!-- GOOD: Enable Spring Security -->
|
||||
<dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-starter-security</artifactId>
|
||||
</dependency>
|
||||
...
|
||||
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: newQuery
|
||||
---
|
||||
* The query `java/insecure-spring-actuator-config` has been promoted from experimental to the main query pack as `java/spring-boot-exposed-actuators-config`. Its results will now appear by default. This query detects exposure of Spring Boot actuators through configuration files. It was originally submitted as an experimental query [by @luchua-bc](https://github.com/github/codeql/pull/5384).
|
||||
@@ -1,47 +0,0 @@
|
||||
<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
|
||||
<qhelp>
|
||||
<overview>
|
||||
<p>Spring Boot is a popular framework that facilitates the development of stand-alone applications
|
||||
and micro services. Spring Boot Actuator helps to expose production-ready support features against
|
||||
Spring Boot applications.</p>
|
||||
|
||||
<p>Endpoints of Spring Boot Actuator allow to monitor and interact with a Spring Boot application.
|
||||
Exposing unprotected actuator endpoints through configuration files can lead to information disclosure
|
||||
or even remote code execution vulnerability.</p>
|
||||
|
||||
<p>Rather than programmatically permitting endpoint requests or enforcing access control, frequently
|
||||
developers simply leave management endpoints publicly accessible in the application configuration file
|
||||
<code>application.properties</code> without enforcing access control through Spring Security.</p>
|
||||
</overview>
|
||||
|
||||
<recommendation>
|
||||
<p>Declare the Spring Boot Starter Security module in XML configuration or programmatically enforce
|
||||
security checks on management endpoints using Spring Security. Otherwise accessing management endpoints
|
||||
on a different HTTP port other than the port that the web application is listening on also helps to
|
||||
improve the security.</p>
|
||||
</recommendation>
|
||||
|
||||
<example>
|
||||
<p>The following examples show both 'BAD' and 'GOOD' configurations. In the 'BAD' configuration,
|
||||
no security module is declared and sensitive management endpoints are exposed. In the 'GOOD' configuration,
|
||||
security is enforced and only endpoints requiring exposure are exposed.</p>
|
||||
<sample src="pom_good.xml" />
|
||||
<sample src="pom_bad.xml" />
|
||||
<sample src="application.properties" />
|
||||
</example>
|
||||
|
||||
<references>
|
||||
<li>
|
||||
Spring Boot documentation:
|
||||
<a href="https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html">Spring Boot Actuator: Production-ready Features</a>
|
||||
</li>
|
||||
<li>
|
||||
VERACODE Blog:
|
||||
<a href="https://www.veracode.com/blog/research/exploiting-spring-boot-actuators">Exploiting Spring Boot Actuators</a>
|
||||
</li>
|
||||
<li>
|
||||
HackerOne Report:
|
||||
<a href="https://hackerone.com/reports/862589">Spring Actuator endpoints publicly available, leading to account takeover</a>
|
||||
</li>
|
||||
</references>
|
||||
</qhelp>
|
||||
@@ -1,121 +0,0 @@
|
||||
/**
|
||||
* @name Insecure Spring Boot Actuator Configuration
|
||||
* @description Exposed Spring Boot Actuator through configuration files without declarative or procedural
|
||||
* security enforcement leads to information leak or even remote code execution.
|
||||
* @kind problem
|
||||
* @problem.severity error
|
||||
* @precision high
|
||||
* @id java/insecure-spring-actuator-config
|
||||
* @tags security
|
||||
* experimental
|
||||
* external/cwe/cwe-016
|
||||
*/
|
||||
|
||||
/*
|
||||
* Note this query requires properties files to be indexed before it can produce results.
|
||||
* If creating your own database with the CodeQL CLI, you should run
|
||||
* `codeql database index-files --language=properties ...`
|
||||
* If using lgtm.com, you should add `properties_files: true` to the index block of your
|
||||
* lgtm.yml file (see https://lgtm.com/help/lgtm/java-extraction)
|
||||
*/
|
||||
|
||||
import java
|
||||
import semmle.code.configfiles.ConfigFiles
|
||||
import semmle.code.xml.MavenPom
|
||||
|
||||
/** The parent node of the `org.springframework.boot` group. */
|
||||
class SpringBootParent extends Parent {
|
||||
SpringBootParent() { this.getGroup().getValue() = "org.springframework.boot" }
|
||||
}
|
||||
|
||||
/** Class of Spring Boot dependencies. */
|
||||
class SpringBootPom extends Pom {
|
||||
SpringBootPom() { this.getParentElement() instanceof SpringBootParent }
|
||||
|
||||
/** Holds if the Spring Boot Actuator module `spring-boot-starter-actuator` is used in the project. */
|
||||
predicate isSpringBootActuatorUsed() {
|
||||
this.getADependency().getArtifact().getValue() = "spring-boot-starter-actuator"
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if the Spring Boot Security module is used in the project, which brings in other security
|
||||
* related libraries.
|
||||
*/
|
||||
predicate isSpringBootSecurityUsed() {
|
||||
this.getADependency().getArtifact().getValue() = "spring-boot-starter-security"
|
||||
}
|
||||
}
|
||||
|
||||
/** The properties file `application.properties`. */
|
||||
class ApplicationProperties extends ConfigPair {
|
||||
ApplicationProperties() { this.getFile().getBaseName() = "application.properties" }
|
||||
}
|
||||
|
||||
/** The configuration property `management.security.enabled`. */
|
||||
class ManagementSecurityConfig extends ApplicationProperties {
|
||||
ManagementSecurityConfig() { this.getNameElement().getName() = "management.security.enabled" }
|
||||
|
||||
/** Gets the whitespace-trimmed value of this property. */
|
||||
string getValue() { result = this.getValueElement().getValue().trim() }
|
||||
|
||||
/** Holds if `management.security.enabled` is set to `false`. */
|
||||
predicate hasSecurityDisabled() { this.getValue() = "false" }
|
||||
|
||||
/** Holds if `management.security.enabled` is set to `true`. */
|
||||
predicate hasSecurityEnabled() { this.getValue() = "true" }
|
||||
}
|
||||
|
||||
/** The configuration property `management.endpoints.web.exposure.include`. */
|
||||
class ManagementEndPointInclude extends ApplicationProperties {
|
||||
ManagementEndPointInclude() {
|
||||
this.getNameElement().getName() = "management.endpoints.web.exposure.include"
|
||||
}
|
||||
|
||||
/** Gets the whitespace-trimmed value of this property. */
|
||||
string getValue() { result = this.getValueElement().getValue().trim() }
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if `ApplicationProperties` ap of a repository managed by `SpringBootPom` pom
|
||||
* has a vulnerable configuration of Spring Boot Actuator management endpoints.
|
||||
*/
|
||||
predicate hasConfidentialEndPointExposed(SpringBootPom pom, ApplicationProperties ap) {
|
||||
pom.isSpringBootActuatorUsed() and
|
||||
not pom.isSpringBootSecurityUsed() and
|
||||
ap.getFile()
|
||||
.getParentContainer()
|
||||
.getAbsolutePath()
|
||||
.matches(pom.getFile().getParentContainer().getAbsolutePath() + "%") and // in the same sub-directory
|
||||
exists(string springBootVersion | springBootVersion = pom.getParentElement().getVersionString() |
|
||||
springBootVersion.regexpMatch("1\\.[0-4].*") and // version 1.0, 1.1, ..., 1.4
|
||||
not exists(ManagementSecurityConfig me |
|
||||
me.hasSecurityEnabled() and me.getFile() = ap.getFile()
|
||||
)
|
||||
or
|
||||
springBootVersion.matches("1.5%") and // version 1.5
|
||||
exists(ManagementSecurityConfig me | me.hasSecurityDisabled() and me.getFile() = ap.getFile())
|
||||
or
|
||||
springBootVersion.matches("2.%") and //version 2.x
|
||||
exists(ManagementEndPointInclude mi |
|
||||
mi.getFile() = ap.getFile() and
|
||||
(
|
||||
mi.getValue() = "*" // all endpoints are enabled
|
||||
or
|
||||
mi.getValue()
|
||||
.matches([
|
||||
"%dump%", "%trace%", "%logfile%", "%shutdown%", "%startup%", "%mappings%", "%env%",
|
||||
"%beans%", "%sessions%"
|
||||
]) // confidential endpoints to check although all endpoints apart from '/health' and '/info' are considered sensitive by Spring
|
||||
)
|
||||
)
|
||||
)
|
||||
}
|
||||
|
||||
deprecated query predicate problems(Dependency d, string message) {
|
||||
exists(SpringBootPom pom |
|
||||
hasConfidentialEndPointExposed(pom, _) and
|
||||
d = pom.getADependency() and
|
||||
d.getArtifact().getValue() = "spring-boot-starter-actuator"
|
||||
) and
|
||||
message = "Insecure configuration of Spring Boot Actuator exposes sensitive endpoints."
|
||||
}
|
||||
@@ -1,22 +0,0 @@
|
||||
#management.endpoints.web.base-path=/admin
|
||||
|
||||
|
||||
#### BAD: All management endpoints are accessible ####
|
||||
# vulnerable configuration (spring boot 1.0 - 1.4): exposes actuators by default
|
||||
|
||||
# vulnerable configuration (spring boot 1.5+): requires value false to expose sensitive actuators
|
||||
management.security.enabled=false
|
||||
|
||||
# vulnerable configuration (spring boot 2+): exposes health and info only by default, here overridden to expose everything
|
||||
management.endpoints.web.exposure.include=*
|
||||
|
||||
|
||||
#### GOOD: All management endpoints have access control ####
|
||||
# safe configuration (spring boot 1.0 - 1.4): exposes actuators by default
|
||||
management.security.enabled=true
|
||||
|
||||
# safe configuration (spring boot 1.5+): requires value false to expose sensitive actuators
|
||||
management.security.enabled=true
|
||||
|
||||
# safe configuration (spring boot 2+): exposes health and info only by default, here overridden to expose one additional endpoint which we assume is intentional and safe.
|
||||
management.endpoints.web.exposure.include=beans,info,health
|
||||
@@ -1 +0,0 @@
|
||||
| pom.xml:29:9:32:22 | dependency | Insecure configuration of Spring Boot Actuator exposes sensitive endpoints. |
|
||||
@@ -1 +0,0 @@
|
||||
experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql
|
||||
@@ -1,13 +0,0 @@
|
||||
import org.springframework.stereotype.Controller;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
|
||||
@Controller
|
||||
public class SensitiveInfo {
|
||||
@RequestMapping
|
||||
public void handleLogin(@RequestParam String username, @RequestParam String password) throws Exception {
|
||||
if (!username.equals("") && password.equals("")) {
|
||||
//Blank processing
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,14 +0,0 @@
|
||||
#management.endpoints.web.base-path=/admin
|
||||
|
||||
# vulnerable configuration (spring boot 1.0 - 1.4): exposes actuators by default
|
||||
|
||||
# vulnerable configuration (spring boot 1.5+): requires value false to expose sensitive actuators
|
||||
management.security.enabled=false
|
||||
|
||||
# vulnerable configuration (spring boot 2+): exposes health and info only by default, here overridden to expose everything
|
||||
management.endpoints.web.exposure.include=*
|
||||
management.endpoints.web.exposure.exclude=beans
|
||||
|
||||
management.endpoint.shutdown.enabled=true
|
||||
|
||||
management.endpoint.health.show-details=when_authorized
|
||||
@@ -0,0 +1,8 @@
|
||||
| Version1.0.x-1.4.x/bad/default/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints. | file://:0:0:0:0 | (none) | configuration |
|
||||
| Version1.0.x-1.4.x/bad/false/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints. | Version1.0.x-1.4.x/bad/false/application.properties:2:1:2:33 | management.security.enabled=false | configuration |
|
||||
| Version1.5.x/bad/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints. | Version1.5.x/bad/application.properties:2:1:2:33 | management.security.enabled=false | configuration |
|
||||
| Version2.x/bad/expose/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints. | Version2.x/bad/expose/application.properties:2:1:2:33 | management.endpoints.web.expose=* | configuration |
|
||||
| Version2.x/bad/exposure-include/all-exposed/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints. | Version2.x/bad/exposure-include/all-exposed/application.properties:2:1:2:43 | management.endpoints.web.exposure.include=* | configuration |
|
||||
| Version2.x/bad/exposure-include/some-exposed/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints. | Version2.x/bad/exposure-include/some-exposed/application.properties:2:1:2:59 | management.endpoints.web.exposure.include=health,info,beans | configuration |
|
||||
| Version3.x/bad/all-exposed/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints. | Version3.x/bad/all-exposed/application.properties:2:1:2:43 | management.endpoints.web.exposure.include=* | configuration |
|
||||
| Version3.x/bad/some-exposed/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints. | Version3.x/bad/some-exposed/application.properties:2:1:2:59 | management.endpoints.web.exposure.include=health,info,beans | configuration |
|
||||
@@ -0,0 +1,2 @@
|
||||
query: Security/CWE/CWE-200/SpringBootActuatorsConfig/SpringBootActuatorsConfig.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
@@ -0,0 +1 @@
|
||||
# vulnerable configuration (spring boot 1.0 - 1.4): exposes actuators by default
|
||||
@@ -17,7 +17,7 @@
|
||||
<parent>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-starter-parent</artifactId>
|
||||
<version>2.3.8.RELEASE</version>
|
||||
<version>1.2.6.RELEASE</version>
|
||||
<relativePath/>
|
||||
</parent>
|
||||
|
||||
@@ -29,18 +29,15 @@
|
||||
<dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-starter-actuator</artifactId>
|
||||
</dependency>
|
||||
</dependency> <!-- $ Alert -->
|
||||
<dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-devtools</artifactId>
|
||||
</dependency>
|
||||
|
||||
<!-- BAD: No Spring Security enabled -->
|
||||
<!-- dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-starter-security</artifactId>
|
||||
</dependency -->
|
||||
|
||||
<dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-test</artifactId>
|
||||
@@ -0,0 +1,2 @@
|
||||
# vulnerable configuration (spring boot 1.0 - 1.4): exposes actuators by default
|
||||
management.security.enabled=false
|
||||
@@ -0,0 +1,47 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<project xmlns="http://maven.apache.org/POM/4.0.0"
|
||||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
|
||||
<modelVersion>4.0.0</modelVersion>
|
||||
|
||||
<groupId>spring-boot-actuator-app</groupId>
|
||||
<artifactId>spring-boot-actuator-app</artifactId>
|
||||
<version>1.0-SNAPSHOT</version>
|
||||
|
||||
<properties>
|
||||
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
|
||||
<maven.compiler.source>1.8</maven.compiler.source>
|
||||
<maven.compiler.target>1.8</maven.compiler.target>
|
||||
</properties>
|
||||
|
||||
<parent>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-starter-parent</artifactId>
|
||||
<version>1.2.6.RELEASE</version>
|
||||
<relativePath/>
|
||||
</parent>
|
||||
|
||||
<dependencies>
|
||||
<dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-starter-web</artifactId>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-starter-actuator</artifactId>
|
||||
</dependency> <!-- $ Alert -->
|
||||
<dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-devtools</artifactId>
|
||||
</dependency>
|
||||
<!-- dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-starter-security</artifactId>
|
||||
</dependency -->
|
||||
<dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-test</artifactId>
|
||||
</dependency>
|
||||
</dependencies>
|
||||
|
||||
</project>
|
||||
@@ -0,0 +1,2 @@
|
||||
# safe configuration (spring boot 1.0 - 1.4): exposes actuators by default
|
||||
management.security.enabled=true
|
||||
@@ -17,7 +17,7 @@
|
||||
<parent>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-starter-parent</artifactId>
|
||||
<version>2.3.8.RELEASE</version>
|
||||
<version>1.2.6.RELEASE</version>
|
||||
<relativePath/>
|
||||
</parent>
|
||||
|
||||
@@ -34,13 +34,10 @@
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-devtools</artifactId>
|
||||
</dependency>
|
||||
|
||||
<!-- GOOD: Enable Spring Security -->
|
||||
<dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-starter-security</artifactId>
|
||||
</dependency>
|
||||
|
||||
<dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-test</artifactId>
|
||||
@@ -0,0 +1,2 @@
|
||||
# safe configuration (spring boot 1.5+): requires value false to expose sensitive actuators
|
||||
management.security.enabled=false
|
||||
@@ -0,0 +1,47 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<project xmlns="http://maven.apache.org/POM/4.0.0"
|
||||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
|
||||
<modelVersion>4.0.0</modelVersion>
|
||||
|
||||
<groupId>spring-boot-actuator-app</groupId>
|
||||
<artifactId>spring-boot-actuator-app</artifactId>
|
||||
<version>1.0-SNAPSHOT</version>
|
||||
|
||||
<properties>
|
||||
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
|
||||
<maven.compiler.source>1.8</maven.compiler.source>
|
||||
<maven.compiler.target>1.8</maven.compiler.target>
|
||||
</properties>
|
||||
|
||||
<parent>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-starter-parent</artifactId>
|
||||
<version>1.5.6.RELEASE</version>
|
||||
<relativePath/>
|
||||
</parent>
|
||||
|
||||
<dependencies>
|
||||
<dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-starter-web</artifactId>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-starter-actuator</artifactId>
|
||||
</dependency> <!-- $ Alert -->
|
||||
<dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-devtools</artifactId>
|
||||
</dependency>
|
||||
<!-- dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-starter-security</artifactId>
|
||||
</dependency -->
|
||||
<dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-test</artifactId>
|
||||
</dependency>
|
||||
</dependencies>
|
||||
|
||||
</project>
|
||||
@@ -0,0 +1,2 @@
|
||||
# vulnerable configuration (spring boot 1.5+): requires value false to expose sensitive actuators
|
||||
management.security.enabled=true
|
||||
@@ -0,0 +1,47 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<project xmlns="http://maven.apache.org/POM/4.0.0"
|
||||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
|
||||
<modelVersion>4.0.0</modelVersion>
|
||||
|
||||
<groupId>spring-boot-actuator-app</groupId>
|
||||
<artifactId>spring-boot-actuator-app</artifactId>
|
||||
<version>1.0-SNAPSHOT</version>
|
||||
|
||||
<properties>
|
||||
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
|
||||
<maven.compiler.source>1.8</maven.compiler.source>
|
||||
<maven.compiler.target>1.8</maven.compiler.target>
|
||||
</properties>
|
||||
|
||||
<parent>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-starter-parent</artifactId>
|
||||
<version>1.5.6.RELEASE</version>
|
||||
<relativePath/>
|
||||
</parent>
|
||||
|
||||
<dependencies>
|
||||
<dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-starter-web</artifactId>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-starter-actuator</artifactId>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-devtools</artifactId>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-starter-security</artifactId>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-test</artifactId>
|
||||
</dependency>
|
||||
</dependencies>
|
||||
|
||||
</project>
|
||||
@@ -0,0 +1,2 @@
|
||||
# vulnerable configuration (spring boot 2.0.0.RC1): exposes health and info only by default, here overridden to expose everything
|
||||
management.endpoints.web.expose=*
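Review bot: The comment above this line pins the fixture to Spring Boot 2.0.0.RC1, but the pom in the next section declares `<version>2.2.6.RELEASE</version>` as its parent. As far as I recall `management.endpoints.web.expose` was the RC1 spelling that the 2.0 GA release renamed to `management.endpoints.web.exposure.include`, so a 2.2.x application would ignore this key and the `$ Alert` then documents what the query matches rather than what that application would expose. If the intent is to cover the legacy key, either set the parent to the release the comment names or make the comment say so, e.g. `# vulnerable configuration (legacy spring boot 2.0.0.RC1 key, expected to be flagged regardless of the declared parent version): exposes everything`.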
|
||||
@@ -0,0 +1,47 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<project xmlns="http://maven.apache.org/POM/4.0.0"
|
||||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
|
||||
<modelVersion>4.0.0</modelVersion>
|
||||
|
||||
<groupId>spring-boot-actuator-app</groupId>
|
||||
<artifactId>spring-boot-actuator-app</artifactId>
|
||||
<version>1.0-SNAPSHOT</version>
|
||||
|
||||
<properties>
|
||||
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
|
||||
<maven.compiler.source>1.8</maven.compiler.source>
|
||||
<maven.compiler.target>1.8</maven.compiler.target>
|
||||
</properties>
|
||||
|
||||
<parent>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-starter-parent</artifactId>
|
||||
<version>2.2.6.RELEASE</version>
|
||||
<relativePath/>
|
||||
</parent>
|
||||
|
||||
<dependencies>
|
||||
<dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-starter-web</artifactId>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-starter-actuator</artifactId>
|
||||
</dependency> <!-- $ Alert -->
|
||||
<dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-devtools</artifactId>
|
||||
</dependency>
|
||||
<!-- dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-starter-security</artifactId>
|
||||
</dependency -->
|
||||
<dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-test</artifactId>
|
||||
</dependency>
|
||||
</dependencies>
|
||||
|
||||
</project>
|
||||
@@ -0,0 +1,2 @@
|
||||
# vulnerable configuration (spring boot 2+): exposes health and info only by default, here overridden to expose everything
|
||||
management.endpoints.web.exposure.include=*
|
||||
@@ -0,0 +1,47 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<project xmlns="http://maven.apache.org/POM/4.0.0"
|
||||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
|
||||
<modelVersion>4.0.0</modelVersion>
|
||||
|
||||
<groupId>spring-boot-actuator-app</groupId>
|
||||
<artifactId>spring-boot-actuator-app</artifactId>
|
||||
<version>1.0-SNAPSHOT</version>
|
||||
|
||||
<properties>
|
||||
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
|
||||
<maven.compiler.source>1.8</maven.compiler.source>
|
||||
<maven.compiler.target>1.8</maven.compiler.target>
|
||||
</properties>
|
||||
|
||||
<parent>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-starter-parent</artifactId>
|
||||
<version>2.2.6.RELEASE</version>
|
||||
<relativePath/>
|
||||
</parent>
|
||||
|
||||
<dependencies>
|
||||
<dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-starter-web</artifactId>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-starter-actuator</artifactId>
|
||||
</dependency> <!-- $ Alert -->
|
||||
<dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-devtools</artifactId>
|
||||
</dependency>
|
||||
<!-- dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-starter-security</artifactId>
|
||||
</dependency -->
|
||||
<dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-test</artifactId>
|
||||
</dependency>
|
||||
</dependencies>
|
||||
|
||||
</project>
|
||||
@@ -0,0 +1,2 @@
|
||||
# vulnerable configuration (spring boot 2+): exposes health and info only by default, here overridden to also expose beans
|
||||
management.endpoints.web.exposure.include=health,info,beans
|
||||
@@ -0,0 +1,47 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<project xmlns="http://maven.apache.org/POM/4.0.0"
|
||||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
|
||||
<modelVersion>4.0.0</modelVersion>
|
||||
|
||||
<groupId>spring-boot-actuator-app</groupId>
|
||||
<artifactId>spring-boot-actuator-app</artifactId>
|
||||
<version>1.0-SNAPSHOT</version>
|
||||
|
||||
<properties>
|
||||
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
|
||||
<maven.compiler.source>1.8</maven.compiler.source>
|
||||
<maven.compiler.target>1.8</maven.compiler.target>
|
||||
</properties>
|
||||
|
||||
<parent>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-starter-parent</artifactId>
|
||||
<version>2.2.6.RELEASE</version>
|
||||
<relativePath/>
|
||||
</parent>
|
||||
|
||||
<dependencies>
|
||||
<dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-starter-web</artifactId>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-starter-actuator</artifactId>
|
||||
</dependency> <!-- $ Alert -->
|
||||
<dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-devtools</artifactId>
|
||||
</dependency>
|
||||
<!-- dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-starter-security</artifactId>
|
||||
</dependency -->
|
||||
<dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-test</artifactId>
|
||||
</dependency>
|
||||
</dependencies>
|
||||
|
||||
</project>
|
||||
@@ -0,0 +1,2 @@
|
||||
# safe configuration (spring boot 2+): exposes health and info only by default
|
||||
management.endpoints.web.exposure.include=info,health
|
||||
@@ -0,0 +1,47 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<project xmlns="http://maven.apache.org/POM/4.0.0"
|
||||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
|
||||
<modelVersion>4.0.0</modelVersion>
|
||||
|
||||
<groupId>spring-boot-actuator-app</groupId>
|
||||
<artifactId>spring-boot-actuator-app</artifactId>
|
||||
<version>1.0-SNAPSHOT</version>
|
||||
|
||||
<properties>
|
||||
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
|
||||
<maven.compiler.source>1.8</maven.compiler.source>
|
||||
<maven.compiler.target>1.8</maven.compiler.target>
|
||||
</properties>
|
||||
|
||||
<parent>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-starter-parent</artifactId>
|
||||
<version>2.2.6.RELEASE</version>
|
||||
<relativePath/>
|
||||
</parent>
|
||||
|
||||
<dependencies>
|
||||
<dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-starter-web</artifactId>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-starter-actuator</artifactId>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-devtools</artifactId>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-starter-security</artifactId>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-test</artifactId>
|
||||
</dependency>
|
||||
</dependencies>
|
||||
|
||||
</project>
|
||||
@@ -0,0 +1,2 @@
|
||||
# vulnerable configuration (spring boot 3+): exposes health only by default, here overridden to expose everything
|
||||
management.endpoints.web.exposure.include=*
|
||||
@@ -17,7 +17,7 @@
|
||||
<parent>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-starter-parent</artifactId>
|
||||
<version>2.3.8.RELEASE</version>
|
||||
<version>3.3.5</version>
|
||||
<relativePath/>
|
||||
</parent>
|
||||
|
||||
@@ -29,7 +29,7 @@
|
||||
<dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-starter-actuator</artifactId>
|
||||
</dependency>
|
||||
</dependency> <!-- $ Alert -->
|
||||
<dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-devtools</artifactId>
|
||||
@@ -0,0 +1,2 @@
|
||||
# vulnerable configuration (spring boot 3+): exposes health only by default, here overridden to also expose info and beans
|
||||
management.endpoints.web.exposure.include=health,info,beans
|
||||
@@ -0,0 +1,47 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<project xmlns="http://maven.apache.org/POM/4.0.0"
|
||||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
|
||||
<modelVersion>4.0.0</modelVersion>
|
||||
|
||||
<groupId>spring-boot-actuator-app</groupId>
|
||||
<artifactId>spring-boot-actuator-app</artifactId>
|
||||
<version>1.0-SNAPSHOT</version>
|
||||
|
||||
<properties>
|
||||
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
|
||||
<maven.compiler.source>1.8</maven.compiler.source>
|
||||
<maven.compiler.target>1.8</maven.compiler.target>
|
||||
</properties>
|
||||
|
||||
<parent>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-starter-parent</artifactId>
|
||||
<version>3.3.5</version>
|
||||
<relativePath/>
|
||||
</parent>
|
||||
|
||||
<dependencies>
|
||||
<dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-starter-web</artifactId>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-starter-actuator</artifactId>
|
||||
</dependency> <!-- $ Alert -->
|
||||
<dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-devtools</artifactId>
|
||||
</dependency>
|
||||
<!-- dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-starter-security</artifactId>
|
||||
</dependency -->
|
||||
<dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-test</artifactId>
|
||||
</dependency>
|
||||
</dependencies>
|
||||
|
||||
</project>
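Review bot: This pom pairs a `spring-boot-starter-parent` `<version>3.3.5</version>` with `<maven.compiler.source>1.8</maven.compiler.source>` and `<maven.compiler.target>1.8</maven.compiler.target>`; Spring Boot 3.x requires Java 17 as its baseline, so the fixture would not build as a real project. That is harmless if these files are only extracted against the stub classpath, which the extractor-options change at the end of this commit suggests, but it makes the fixture a misleading template for a 3.x setup. Suggest `<maven.compiler.source>17</maven.compiler.source>` and `<maven.compiler.target>17</maven.compiler.target>` here, in the safe 3+ pom that follows the `management.endpoints.web.exposure.include=health` fixture, and presumably in the pom whose parent the earlier hunk bumps from 2.3.8.RELEASE to 3.3.5 (its properties block is outside that hunk).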
|
||||
@@ -0,0 +1,2 @@
|
||||
# safe configuration (spring boot 3+): exposes health only by default.
|
||||
management.endpoints.web.exposure.include=health
|
||||
@@ -0,0 +1,47 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<project xmlns="http://maven.apache.org/POM/4.0.0"
|
||||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
|
||||
<modelVersion>4.0.0</modelVersion>
|
||||
|
||||
<groupId>spring-boot-actuator-app</groupId>
|
||||
<artifactId>spring-boot-actuator-app</artifactId>
|
||||
<version>1.0-SNAPSHOT</version>
|
||||
|
||||
<properties>
|
||||
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
|
||||
<maven.compiler.source>1.8</maven.compiler.source>
|
||||
<maven.compiler.target>1.8</maven.compiler.target>
|
||||
</properties>
|
||||
|
||||
<parent>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-starter-parent</artifactId>
|
||||
<version>3.3.5</version>
|
||||
<relativePath/>
|
||||
</parent>
|
||||
|
||||
<dependencies>
|
||||
<dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-starter-web</artifactId>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-starter-actuator</artifactId>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-devtools</artifactId>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-starter-security</artifactId>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.springframework.boot</groupId>
|
||||
<artifactId>spring-boot-test</artifactId>
|
||||
</dependency>
|
||||
</dependencies>
|
||||
|
||||
</project>
|
||||
@@ -1 +1 @@
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.8.x
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../../stubs/springframework-5.8.x
|
||||