hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-22 03:36:30 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add check for disabled CSRF protection in Spring

Browse Source 
Fix the help according to review comments.
This commit is contained in:
Grzegorz Golawski
2020-01-21 21:54:36 +01:00
parent 4ce25c045d
commit c5a974788b
2 changed files with 11 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.qhelp
View File

@@ -2,30 +2,29 @@
<qhelp>
<overview>
<p>When a web server is designed to receive a request from a client without any mechanism
for verifying that it was intentionally sent, then it might be possible for an attacker
to trick a client into making an unintentional request to the web server which will be treated
as an authentic request. This can be done via a URL, image load, XMLHttpRequest, etc. and can
<p>When you set up a web server to receive a request from a client without any mechanism
for verifying that it was intentionally sent, then it is vulnerable to attack. An attacker can
trick a client into making an unintended request to the web server that will be treated as
an authentic request. This can be done via a URL, image load, XMLHttpRequest, etc. and can
result in exposure of data or unintended code execution.</p>
</overview>
<recommendation>
<p>Cross-Site Request Forgery (CSRF) protection is enabled by default in Spring with Java
configuration. It's recommended to not disable this.</p>
<p>Cross-Site Request Forgery (CSRF) protection is enabled by default. Spring's recommendation
is to use CSRF protection for any request that could be processed by a browser client by normal
users.</p>
</recommendation>
<example>
<p>The following example shows the Spring Java configuration with CSRF protection disabled.</p>
<p>The following example shows the Spring Java configuration with CSRF protection disabled.
This type of configuration should only be used if you are creating a service that is used only
by non-browser clients.</p>
<sample src="SpringCSRFProtection.java" />
</example>
<references>
<li>
CWE:
<a href="https://cwe.mitre.org/data/definitions/352.html">CWE-352: Cross-Site Request Forgery (CSRF)</a>.
</li>
<li>
OWASP:
<a href="https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)">Cross-Site Request Forgery (CSRF)</a>.
</li>

2
java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.ql
View File

@@ -1,7 +1,7 @@
/**
* @name Disabled Spring CSRF protection
* @description Disabling CSRF protection makes the application vulnerable to
* Cross-Site Request Forgery (CSRF) attack.
* a Cross-Site Request Forgery (CSRF) attack.
* @kind problem
* @problem.severity error
* @precision high