Add check for disabled CSRF protection in Spring

Fix the help according to review comments.
Grzegorz Golawski
2020-01-21 21:54:36 +01:00
parent 4ce25c045d
commit c5a974788b
2 changed files with 11 additions and 12 deletions


@@ -2,30 +2,29 @@
<qhelp> <qhelp>
<overview> <overview>
<p>When a web server is designed to receive a request from a client without any mechanism <p>When you set up a web server to receive a request from a client without any mechanism
for verifying that it was intentionally sent, then it might be possible for an attacker for verifying that it was intentionally sent, then it is vulnerable to attack. An attacker can
to trick a client into making an unintentional request to the web server which will be treated trick a client into making an unintended request to the web server that will be treated as
as an authentic request. This can be done via a URL, image load, XMLHttpRequest, etc. and can an authentic request. This can be done via a URL, image load, XMLHttpRequest, etc. and can
result in exposure of data or unintended code execution.</p> result in exposure of data or unintended code execution.</p>
</overview> </overview>
<recommendation> <recommendation>
<p>Cross-Site Request Forgery (CSRF) protection is enabled by default in Spring with Java <p>Cross-Site Request Forgery (CSRF) protection is enabled by default. Spring's recommendation
configuration. It's recommended to not disable this.</p> is to use CSRF protection for any request that could be processed by a browser client by normal
users.</p>
</recommendation> </recommendation>
<example> <example>
<p>The following example shows the Spring Java configuration with CSRF protection disabled.</p> <p>The following example shows the Spring Java configuration with CSRF protection disabled.
This type of configuration should only be used if you are creating a service that is used only
by non-browser clients.</p>
<sample src="SpringCSRFProtection.java" /> <sample src="SpringCSRFProtection.java" />
</example> </example>
<references> <references>
<li> <li>
CWE:
<a href="https://cwe.mitre.org/data/definitions/352.html">CWE-352: Cross-Site Request Forgery (CSRF)</a>.
</li>
<li>
OWASP: OWASP:
<a href="https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)">Cross-Site Request Forgery (CSRF)</a>. <a href="https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)">Cross-Site Request Forgery (CSRF)</a>.
</li> </li>
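Review bot: the rewritten recommendation sentence on the right side of this hunk, "Cross-Site Request Forgery (CSRF) protection is enabled by default.", has dropped the subject the old text carried ("in Spring with Java configuration"), so on the rendered help page it no longer says what is enabled by default or where; suggest "CSRF protection is enabled by default in Spring Security's Java configuration." before the sentence about Spring's recommendation. The CWE-352 `<li>` (the cwe.mitre.org link) is also removed on the right side, leaving OWASP as the only reference; unless the CWE is recorded in the query's `@tags`, keep that entry, since CWE-352 is the identifier users and downstream tooling search by. Minor wording in the overview: "This can be done via a URL, image load, XMLHttpRequest, etc. and can result in" reads better as "This can be done via a URL, an image load or an XMLHttpRequest, and can result in", and "set up a web server" should be "set up a web application", since it is the application's request handling, not the server, that is being configured.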


@@ -1,7 +1,7 @@
/** /**
* @name Disabled Spring CSRF protection * @name Disabled Spring CSRF protection
* @description Disabling CSRF protection makes the application vulnerable to * @description Disabling CSRF protection makes the application vulnerable to
* Cross-Site Request Forgery (CSRF) attack. * a Cross-Site Request Forgery (CSRF) attack.
* @kind problem * @kind problem
* @problem.severity error * @problem.severity error
* @precision high * @precision high
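Review bot: `@problem.severity error` together with `@precision high` is hard to square with the help text this same commit adds, which states that disabling CSRF protection is acceptable for a service used only by non-browser clients; the query cannot tell which clients a service has, so every such legitimate `disable` will be reported as an error. Either qualify the description ("Disabling CSRF protection makes the application vulnerable to a Cross-Site Request Forgery (CSRF) attack unless the service is only used by non-browser clients.") or lower the severity to `warning`, so the query metadata and the help's caveat tell the same story. The article fix in the description ("a Cross-Site Request Forgery (CSRF) attack") is fine.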