Merge pull request #18793 from jcogs33/jcogs33/java/spring-boot-actuators-promo

Java: Promote Spring Boot Actuators query from experimental

java/ql/lib/semmle/code/java/frameworks/spring/SpringBoot.qll

@@ -0,0 +1,24 @@
+/**
+ * Provides classes for working with Spring classes and interfaces from
+ * `org.springframework.boot.*`.
+ */
+
+import java
+
+/**
+ * The class `org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest`.
+ */
+class SpringEndpointRequest extends Class {
+  SpringEndpointRequest() {
+    this.hasQualifiedName("org.springframework.boot.actuate.autoconfigure.security.servlet",
+      "EndpointRequest")
+  }
+}
+
+/** A call to `EndpointRequest.toAnyEndpoint` method. */
+class SpringToAnyEndpointCall extends MethodCall {
+  SpringToAnyEndpointCall() {
+    this.getMethod().hasName("toAnyEndpoint") and
+    this.getMethod().getDeclaringType() instanceof SpringEndpointRequest
+  }
+}

java/ql/lib/semmle/code/java/frameworks/spring/SpringSecurity.qll

@@ -0,0 +1,124 @@
+/**
+ * Provides classes for working with Spring classes and interfaces from
+ * `org.springframework.security.*`.
+ */
+
+import java
+
+/** The class `org.springframework.security.config.annotation.web.builders.HttpSecurity`. */
+class SpringHttpSecurity extends Class {
+  SpringHttpSecurity() {
+    this.hasQualifiedName("org.springframework.security.config.annotation.web.builders",
+      "HttpSecurity")
+  }
+}
+
+/**
+ * The class
+ * `org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer$AuthorizedUrl`
+ * or the class
+ * `org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer$AuthorizedUrl`.
+ */
+class SpringAuthorizedUrl extends Class {
+  SpringAuthorizedUrl() {
+    this.hasQualifiedName("org.springframework.security.config.annotation.web.configurers",
+      [
+        "ExpressionUrlAuthorizationConfigurer<HttpSecurity>$AuthorizedUrl<>",
+        "AuthorizeHttpRequestsConfigurer<HttpSecurity>$AuthorizedUrl<>"
+      ])
+  }
+}
+
+/**
+ * The class `org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry`.
+ */
+class SpringAbstractRequestMatcherRegistry extends Class {
+  SpringAbstractRequestMatcherRegistry() {
+    this.hasQualifiedName("org.springframework.security.config.annotation.web",
+      "AbstractRequestMatcherRegistry<AuthorizedUrl<>>")
+  }
+}
+
+/**
+ * A call to the `HttpSecurity.authorizeRequests` method.
+ *
+ * Note: this method is deprecated and scheduled for removal
+ * in Spring Security 7.0.
+ */
+class SpringAuthorizeRequestsCall extends MethodCall {
+  SpringAuthorizeRequestsCall() {
+    this.getMethod().hasName("authorizeRequests") and
+    this.getMethod().getDeclaringType() instanceof SpringHttpSecurity
+  }
+}
+
+/**
+ * A call to the `HttpSecurity.authorizeHttpRequests` method.
+ *
+ * Note: the no-argument version of this method is deprecated
+ * and scheduled for removal in Spring Security 7.0.
+ */
+class SpringAuthorizeHttpRequestsCall extends MethodCall {
+  SpringAuthorizeHttpRequestsCall() {
+    this.getMethod().hasName("authorizeHttpRequests") and
+    this.getMethod().getDeclaringType() instanceof SpringHttpSecurity
+  }
+}
+
+/**
+ * A call to the `HttpSecurity.requestMatcher` method.
+ *
+ * Note: this method was removed in Spring Security 6.0.
+ * It was replaced by `securityMatcher`.
+ */
+class SpringRequestMatcherCall extends MethodCall {
+  SpringRequestMatcherCall() {
+    this.getMethod().hasName("requestMatcher") and
+    this.getMethod().getDeclaringType() instanceof SpringHttpSecurity
+  }
+}
+
+/**
+ * A call to the `HttpSecurity.requestMatchers` method.
+ *
+ * Note: this method was removed in Spring Security 6.0.
+ * It was replaced by `securityMatchers`.
+ */
+class SpringRequestMatchersCall extends MethodCall {
+  SpringRequestMatchersCall() {
+    this.getMethod().hasName("requestMatchers") and
+    this.getMethod().getDeclaringType() instanceof SpringHttpSecurity
+  }
+}
+
+/** A call to the `HttpSecurity.securityMatcher` method. */
+class SpringSecurityMatcherCall extends MethodCall {
+  SpringSecurityMatcherCall() {
+    this.getMethod().hasName("securityMatcher") and
+    this.getMethod().getDeclaringType() instanceof SpringHttpSecurity
+  }
+}
+
+/** A call to the `HttpSecurity.securityMatchers` method. */
+class SpringSecurityMatchersCall extends MethodCall {
+  SpringSecurityMatchersCall() {
+    this.getMethod().hasName("securityMatchers") and
+    this.getMethod().getDeclaringType() instanceof SpringHttpSecurity
+  }
+}
+
+/** A call to the `AuthorizedUrl.permitAll` method. */
+class SpringPermitAllCall extends MethodCall {
+  SpringPermitAllCall() {
+    this.getMethod().hasName("permitAll") and
+    this.getMethod().getDeclaringType() instanceof SpringAuthorizedUrl
+  }
+}
+
+/** A call to the `AbstractRequestMatcherRegistry.anyRequest` method. */
+class SpringAnyRequestCall extends MethodCall {
+  SpringAnyRequestCall() {
+    this.getMethod().hasName("anyRequest") and
+    this.getMethod().getDeclaringType() instanceof SpringAbstractRequestMatcherRegistry
+  }
+}

java/ql/lib/semmle/code/java/security/SpringBootActuatorsQuery.qll

@@ -0,0 +1,110 @@
+/** Provides classes and predicates to reason about exposed actuators in Spring Boot. */
+
+import java
+private import semmle.code.java.frameworks.spring.SpringSecurity
+private import semmle.code.java.frameworks.spring.SpringBoot
+
+/**
+ * A call to an `HttpSecurity` matcher method with argument
+ * `EndpointRequest.toAnyEndpoint()`.
+ */
+private class HttpSecurityMatcherCall extends MethodCall {
+  HttpSecurityMatcherCall() {
+    (
+      this instanceof SpringRequestMatcherCall or
+      this instanceof SpringSecurityMatcherCall
+    ) and
+    this.getArgument(0) instanceof SpringToAnyEndpointCall
+  }
+}
+
+/**
+ * A call to an `HttpSecurity` matchers method with lambda
+ * argument `EndpointRequest.toAnyEndpoint()`.
+ */
+private class HttpSecurityMatchersCall extends MethodCall {
+  HttpSecurityMatchersCall() {
+    (
+      this instanceof SpringRequestMatchersCall or
+      this instanceof SpringSecurityMatchersCall
+    ) and
+    this.getArgument(0).(LambdaExpr).getExprBody() instanceof SpringToAnyEndpointCall
+  }
+}
+
+/**
+ * A call to an `AbstractRequestMatcherRegistry.requestMatchers` method with
+ * argument `EndpointRequest.toAnyEndpoint()`.
+ */
+private class RegistryRequestMatchersCall extends MethodCall {
+  RegistryRequestMatchersCall() {
+    this.getMethod().hasName("requestMatchers") and
+    this.getMethod().getDeclaringType() instanceof SpringAbstractRequestMatcherRegistry and
+    this.getAnArgument() instanceof SpringToAnyEndpointCall
+  }
+}
+
+/** A call to an `HttpSecurity` method that authorizes requests. */
+private class AuthorizeCall extends MethodCall {
+  AuthorizeCall() {
+    this instanceof SpringAuthorizeRequestsCall or
+    this instanceof SpringAuthorizeHttpRequestsCall
+  }
+}
+
+/** Holds if `permitAllCall` is called on request(s) mapped to actuator endpoint(s). */
+predicate permitsSpringBootActuators(SpringPermitAllCall permitAllCall) {
+  exists(AuthorizeCall authorizeCall |
+    // .requestMatcher(EndpointRequest).authorizeRequests([...]).[...]
+    authorizeCall.getQualifier() instanceof HttpSecurityMatcherCall
+    or
+    // .requestMatchers(matcher -> EndpointRequest).authorizeRequests([...]).[...]
+    authorizeCall.getQualifier() instanceof HttpSecurityMatchersCall
+  |
+    // [...].authorizeRequests(r -> r.anyRequest().permitAll()) or
+    // [...].authorizeRequests(r -> r.requestMatchers(EndpointRequest).permitAll())
+    authorizeCall.getArgument(0).(LambdaExpr).getExprBody() = permitAllCall and
+    (
+      permitAllCall.getQualifier() instanceof SpringAnyRequestCall or
+      permitAllCall.getQualifier() instanceof RegistryRequestMatchersCall
+    )
+    or
+    // [...].authorizeRequests().requestMatchers(EndpointRequest).permitAll() or
+    // [...].authorizeRequests().anyRequest().permitAll()
+    authorizeCall.getNumArgument() = 0 and
+    exists(RegistryRequestMatchersCall registryRequestMatchersCall |
+      registryRequestMatchersCall.getQualifier() = authorizeCall and
+      permitAllCall.getQualifier() = registryRequestMatchersCall
+    )
+    or
+    exists(SpringAnyRequestCall anyRequestCall |
+      anyRequestCall.getQualifier() = authorizeCall and
+      permitAllCall.getQualifier() = anyRequestCall
+    )
+  )
+  or
+  exists(AuthorizeCall authorizeCall |
+    // http.authorizeRequests([...]).[...]
+    authorizeCall.getQualifier() instanceof VarAccess
+  |
+    // [...].authorizeRequests(r -> r.requestMatchers(EndpointRequest).permitAll())
+    authorizeCall.getArgument(0).(LambdaExpr).getExprBody() = permitAllCall and
+    permitAllCall.getQualifier() instanceof RegistryRequestMatchersCall
+    or
+    // [...].authorizeRequests().requestMatchers(EndpointRequest).permitAll() or
+    authorizeCall.getNumArgument() = 0 and
+    exists(RegistryRequestMatchersCall registryRequestMatchersCall |
+      registryRequestMatchersCall.getQualifier() = authorizeCall and
+      permitAllCall.getQualifier() = registryRequestMatchersCall
+    )
+    or
+    exists(Variable v, HttpSecurityMatcherCall matcherCall |
+      // http.securityMatcher(EndpointRequest.toAnyEndpoint());
+      // http.authorizeRequests([...].permitAll())
+      v.getAnAccess() = authorizeCall.getQualifier() and
+      v.getAnAccess() = matcherCall.getQualifier() and
+      authorizeCall.getArgument(0).(LambdaExpr).getExprBody() = permitAllCall and
+      permitAllCall.getQualifier() instanceof SpringAnyRequestCall
+    )
+  )
+}