hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-25 00:35:20 +02:00
Code Issues Packages Projects Releases Wiki Activity

Java: support version 3.x

Browse Source
This commit is contained in:
Jami Cogswell
2025-07-17 11:21:17 -04:00
parent afa6610cb9
commit ea35fbbe3b
23 changed files with 109 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll
View File

@@ -110,7 +110,7 @@ predicate hasConfidentialEndPointExposed(SpringBootPom pom, ApplicationPropertie
me.hasSecurityDisabled() and me.getFile() = apFile and me = apOption.asSome()
)
or
springBootVersion.matches("2.%") and //version 2.x
springBootVersion.matches(["2.%", "3.%"]) and //version 2.x and 3.x
exists(ManagementEndPointInclude mi |
mi.getFile() = apFile and
mi = apOption.asSome() and
@@ -121,7 +121,7 @@ predicate hasConfidentialEndPointExposed(SpringBootPom pom, ApplicationPropertie
.matches([
"%dump%", "%trace%", "%logfile%", "%shutdown%", "%startup%", "%mappings%",
"%env%", "%beans%", "%sessions%"
]) // confidential endpoints to check although all endpoints apart from '/health' and '/info' are considered sensitive by Spring
]) // confidential endpoints to check although all endpoints apart from '/health' are considered sensitive by Spring
)
)
)

9
java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.expected
View File

@@ -1,4 +1,5 @@
| Version1.4-/bad/default/pom.xml:29:9:32:22 | dependency | Insecure $@ of Spring Boot Actuator exposes sensitive endpoints (1.2.6.RELEASE). | file://:0:0:0:0 | (none) | configuration |
| Version1.4-/bad/false/pom.xml:29:9:32:22 | dependency | Insecure $@ of Spring Boot Actuator exposes sensitive endpoints (1.2.6.RELEASE). | Version1.4-/bad/false/application.properties:2:1:2:33 | management.security.enabled=false | configuration |
| Version1.5/bad/pom.xml:29:9:32:22 | dependency | Insecure $@ of Spring Boot Actuator exposes sensitive endpoints (1.5.6.RELEASE). | Version1.5/bad/application.properties:2:1:2:33 | management.security.enabled=false | configuration |
| Version2+/bad/pom.xml:29:9:32:22 | dependency | Insecure $@ of Spring Boot Actuator exposes sensitive endpoints (2.2.6.RELEASE). | Version2+/bad/application.properties:2:1:2:43 | management.endpoints.web.exposure.include=* | configuration |
| Version1.0.x-1.4.x/bad/default/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints (1.2.6.RELEASE). | file://:0:0:0:0 | (none) | configuration |
| Version1.0.x-1.4.x/bad/false/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints (1.2.6.RELEASE). | Version1.0.x-1.4.x/bad/false/application.properties:2:1:2:33 | management.security.enabled=false | configuration |
| Version1.5.x/bad/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints (1.5.6.RELEASE). | Version1.5.x/bad/application.properties:2:1:2:33 | management.security.enabled=false | configuration |
| Version2.x/bad/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints (2.2.6.RELEASE). | Version2.x/bad/application.properties:2:1:2:43 | management.endpoints.web.exposure.include=* | configuration |
| Version3.x/bad/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints (3.3.5). | Version3.x/bad/application.properties:2:1:2:43 | management.endpoints.web.exposure.include=* | configuration |

0
java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/default/application.properties → java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/bad/default/application.properties
View File

0
java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/default/pom.xml → java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/bad/default/pom.xml
View File

0
java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/false/application.properties → java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/bad/false/application.properties
View File

0
java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/false/pom.xml → java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/bad/false/pom.xml
View File

0
java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/good/application.properties → java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/good/application.properties
View File

0
java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/good/pom.xml → java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/good/pom.xml
View File

0
java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/bad/application.properties → java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5.x/bad/application.properties
View File

0
java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/bad/pom.xml → java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5.x/bad/pom.xml
View File

0
java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/good/application.properties → java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5.x/good/application.properties
View File

0
java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/good/pom.xml → java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5.x/good/pom.xml
View File

14
java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/application.properties
View File

@@ -1,14 +0,0 @@
#management.endpoints.web.base-path=/admin
# vulnerable configuration (spring boot 1.0 - 1.4): exposes actuators by default
# vulnerable configuration (spring boot 1.5+): requires value false to expose sensitive actuators
management.security.enabled=false
# vulnerable configuration (spring boot 2+): exposes health and info only by default, here overridden to expose everything
management.endpoints.web.exposure.include=*
management.endpoints.web.exposure.exclude=beans
management.endpoint.shutdown.enabled=true
management.endpoint.health.show-details=when_authorized

7
java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/bad/application.properties
View File

@@ -1,7 +0,0 @@
# vulnerable configuration (spring boot 2+): exposes health and info only by default, here overridden to expose everything
management.endpoints.web.exposure.include=*
management.endpoints.web.exposure.exclude=beans
management.endpoint.shutdown.enabled=true
management.endpoint.health.show-details=when_authorized

2
java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/good/application.properties
View File

@@ -1,2 +0,0 @@
# safe configuration (spring boot 2+): exposes health and info only by default, here overridden to expose one additional endpoint which we assume is intentional and safe.
management.endpoints.web.exposure.include=beans,info,health

2
java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2.x/bad/application.properties Normal file
View File

@@ -0,0 +1,2 @@
# vulnerable configuration (spring boot 2+): exposes health and info only by default, here overridden to expose everything
management.endpoints.web.exposure.include=*

0
java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/bad/pom.xml → java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2.x/bad/pom.xml
View File

2
java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2.x/good/application.properties Normal file
View File

@@ -0,0 +1,2 @@
# safe configuration (spring boot 2+): exposes health and info only by default
management.endpoints.web.exposure.include=info,health

0
java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/good/pom.xml → java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2.x/good/pom.xml
View File

2
java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version3.x/bad/application.properties Normal file
View File

@@ -0,0 +1,2 @@
# vulnerable configuration (spring boot 3+): exposes health only by default, here overridden to expose everything
management.endpoints.web.exposure.include=*

47
java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version3.x/bad/pom.xml Normal file
View File

@@ -0,0 +1,47 @@
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>spring-boot-actuator-app</groupId>
<artifactId>spring-boot-actuator-app</artifactId>
<version>1.0-SNAPSHOT</version>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<maven.compiler.source>1.8</maven.compiler.source>
<maven.compiler.target>1.8</maven.compiler.target>
</properties>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>3.3.5</version>
<relativePath/>
</parent>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-actuator</artifactId>
</dependency> <!-- $ Alert -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-devtools</artifactId>
</dependency>
<!-- dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-test</artifactId>
</dependency>
</dependencies>
</project>

2
java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version3.x/good/application.properties Normal file
View File

@@ -0,0 +1,2 @@
# safe configuration (spring boot 3+): exposes health only by default.
management.endpoints.web.exposure.include=health

47
java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version3.x/good/pom.xml Normal file
View File

@@ -0,0 +1,47 @@
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>spring-boot-actuator-app</groupId>
<artifactId>spring-boot-actuator-app</artifactId>
<version>1.0-SNAPSHOT</version>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<maven.compiler.source>1.8</maven.compiler.source>
<maven.compiler.target>1.8</maven.compiler.target>
</properties>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>3.3.5</version>
<relativePath/>
</parent>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-actuator</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-devtools</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-test</artifactId>
</dependency>
</dependencies>
</project>