hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-23 15:55:18 +02:00
Code Issues Packages Projects Releases Wiki Activity

Java: Improve java/spring-disabled-csrf-protection

Browse Source
This commit is contained in:
Tony Torralba
2023-10-16 15:49:25 +02:00
parent 1297acf5b1
commit d08ee76b16
10 changed files with 78 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.ql
View File

@@ -12,11 +12,8 @@
*/
import java
import semmle.code.java.security.SpringCsrfProtection
from MethodAccess call
where
call.getMethod().hasName("disable") and
call.getReceiverType()
.hasQualifiedName("org.springframework.security.config.annotation.web.configurers",
"CsrfConfigurer<HttpSecurity>")
where disablesSpringCsrfProtection(call)
select call, "CSRF vulnerability due to protection being disabled."

4
java/ql/src/change-notes/2023-10-16-spring-disabled-csrf-protection-improved.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* The query `java/spring-disabled-csrf-protection` has been improved to detect more ways of disabling CSRF in Spring.