hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-25 16:55:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

Update SpringCsrfProtection.qll

Browse Source
This commit is contained in:
Mauro Baluda
2024-05-30 23:13:08 +02:00
committed by GitHub
parent e2479a7ce2
commit bbe888c2b3
1 changed files with 17 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
java/ql/lib/semmle/code/java/security/SpringCsrfProtection.qll
View File

@@ -5,15 +5,9 @@ import java
/** Holds if `call` disables CSRF protection in Spring. */
predicate disablesSpringCsrfProtection(MethodCall call) {
call.getMethod().hasName("disable") and
(
call.getReceiverType()
.hasQualifiedName("org.springframework.security.config.annotation.web.configurers",
"CsrfConfigurer<HttpSecurity>")
or
call.getReceiverType()
.hasQualifiedName("org.springframework.security.config.web.server",
"ServerHttpSecurity$CsrfSpec")
)
call.getReceiverType()
.hasQualifiedName("org.springframework.security.config.annotation.web.configurers",
"CsrfConfigurer<HttpSecurity>")
or
call.getMethod()
.hasQualifiedName("org.springframework.security.config.annotation.web.builders",
@@ -23,4 +17,18 @@ predicate disablesSpringCsrfProtection(MethodCall call) {
.getReferencedCallable()
.hasQualifiedName("org.springframework.security.config.annotation.web.configurers",
"AbstractHttpConfigurer", "disable")
or
call.getMethod().hasName("disable") and
call.getReceiverType()
.hasQualifiedName("org.springframework.security.config.web.server",
"ServerHttpSecurity$CsrfSpec")
or
call.getMethod()
.hasQualifiedName("org.springframework.security.config.web.server", "ServerHttpSecurity",
"csrf") and
call.getArgument(0)
.(MemberRefExpr)
.getReferencedCallable()
.hasQualifiedName("org.springframework.security.config.web.server",
"ServerHttpSecurity$CsrfSpec", "disable")
}