Update SpringCsrfProtection.qll

Mauro Baluda
2024-05-30 23:13:08 +02:00
committed by GitHub
parent e2479a7ce2
commit bbe888c2b3


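--- a/SpringCsrfProtection.qll
+++ b/SpringCsrfProtection.qll
@@ -5,15 +5,9 @@ import java
 /** Holds if `call` disables CSRF protection in Spring. */
 predicate disablesSpringCsrfProtection(MethodCall call) {
 call.getMethod().hasName("disable") and
-(
-call.getReceiverType()
-.hasQualifiedName("org.springframework.security.config.annotation.web.configurers",
-"CsrfConfigurer<HttpSecurity>")
-or
-call.getReceiverType()
-.hasQualifiedName("org.springframework.security.config.web.server",
-"ServerHttpSecurity$CsrfSpec")
-)
+call.getReceiverType()
+.hasQualifiedName("org.springframework.security.config.annotation.web.configurers",
+"CsrfConfigurer<HttpSecurity>")
 or
 call.getMethod()
 .hasQualifiedName("org.springframework.security.config.annotation.web.builders",
@@ -23,4 +17,18 @@ predicate disablesSpringCsrfProtection(MethodCall call) {
 .getReferencedCallable()
 .hasQualifiedName("org.springframework.security.config.annotation.web.configurers",
 "AbstractHttpConfigurer", "disable")
+or
+call.getMethod().hasName("disable") and
+call.getReceiverType()
+.hasQualifiedName("org.springframework.security.config.web.server",
+"ServerHttpSecurity$CsrfSpec")
+or
+call.getMethod()
+.hasQualifiedName("org.springframework.security.config.web.server", "ServerHttpSecurity",
+"csrf") and
+call.getArgument(0)
+.(MemberRefExpr)
+.getReferencedCallable()
+.hasQualifiedName("org.springframework.security.config.web.server",
+"ServerHttpSecurity$CsrfSpec", "disable")
 }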
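Review bot: The servlet receiver check that the first hunk rewrites, `hasQualifiedName("org.springframework.security.config.annotation.web.configurers", "CsrfConfigurer<HttpSecurity>")`, only matches a receiver typed with that exact type argument, while the reactive branch added in the second hunk matches the nested type `ServerHttpSecurity$CsrfSpec` with no parameterization at all; a `disable()` call on a receiver typed as raw `CsrfConfigurer` or as `CsrfConfigurer<H>` inside a generic configuration helper would therefore go unflagged on the servlet side, which is a silent false negative for a CSRF-disabling sink. Matching on the erased declaration, e.g. `call.getReceiverType().getSourceDeclaration().hasQualifiedName("org.springframework.security.config.annotation.web.configurers", "CsrfConfigurer")`, should cover both forms, assuming `RefType.getSourceDeclaration()` strips type arguments as I recall — worth confirming against the library. The doc comment could also state what is now covered, e.g. `/** Holds if call disables CSRF protection in Spring Security, for both the servlet (HttpSecurity) and reactive (ServerHttpSecurity) configuration APIs. */`. The predicate spans both hunks: its header is in the first and its closing brace in the second, with three unchanged lines between them not shown.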