Merge pull request #18793 from jcogs33/jcogs33/java/spring-boot-actuators-promo

Java: Promote Spring Boot Actuators query from experimental
2026-04-24 00:05:14 +02:00 · 2025-03-11 14:42:14 -04:00
parent da720b8b6e ad63dd946c
commit ea9b0462bf
21 changed files with 698 additions and 350 deletions
--- a/java/ql/src/Security/CWE/CWE-200/SpringBootActuators.java
+++ b/java/ql/src/Security/CWE/CWE-200/SpringBootActuators.java
@@ -0,0 +1,25 @@
+@Configuration(proxyBeanMethods = false)
+public class CustomSecurityConfiguration {
+
+    @Bean
+    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+        // BAD: Unauthenticated access to Spring Boot actuator endpoints is allowed
+        http.securityMatcher(EndpointRequest.toAnyEndpoint());
+        http.authorizeHttpRequests((requests) -> requests.anyRequest().permitAll());
+        return http.build();
+    }
+
+}
+
+@Configuration(proxyBeanMethods = false)
+public class CustomSecurityConfiguration {
+
+    @Bean
+    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+        // GOOD: only users with ENDPOINT_ADMIN role are allowed to access the actuator endpoints
+        http.securityMatcher(EndpointRequest.toAnyEndpoint());
+        http.authorizeHttpRequests((requests) -> requests.anyRequest().hasRole("ENDPOINT_ADMIN"));
+        return http.build();
+    }
+
+}
--- a/java/ql/src/Security/CWE/CWE-200/SpringBootActuators.qhelp
+++ b/java/ql/src/Security/CWE/CWE-200/SpringBootActuators.qhelp
@@ -0,0 +1,36 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>Spring Boot includes features called actuators that let you monitor and interact with your
+web application. Exposing unprotected actuator endpoints can lead to information disclosure or
+even to remote code execution.</p>
+</overview>
+
+<recommendation>
+<p>Since actuator endpoints may contain sensitive information, carefully consider when to expose them,
+and secure them as you would any sensitive URL. Actuators are secured by default when using Spring
+Security without a custom configuration. If you wish to define a custom security configuration,
+consider only allowing users with certain roles to access these endpoints.
+</p>
+
+</recommendation>
+
+<example>
+<p>In the first example, the custom security configuration allows unauthenticated access to all
+actuator endpoints. This may lead to sensitive information disclosure and should be avoided.</p>
+
+<p>In the second example, only users with <code>ENDPOINT_ADMIN</code> role are allowed to access
+the actuator endpoints.</p>
+
+<sample src="SpringBootActuators.java" />
+</example>
+
+<references>
+<li>
+Spring Boot Reference Documentation:
+<a href="https://docs.spring.io/spring-boot/reference/actuator/endpoints.html">Endpoints</a>.
+</li>
+</references>
+</qhelp>
--- a/java/ql/src/Security/CWE/CWE-200/SpringBootActuators.ql
+++ b/java/ql/src/Security/CWE/CWE-200/SpringBootActuators.ql
@@ -0,0 +1,20 @@
+/**
+ * @name Exposed Spring Boot actuators
+ * @description Exposing Spring Boot actuators may lead to information leak from the internal application,
+ *              or even to remote code execution.
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 6.5
+ * @precision high
+ * @id java/spring-boot-exposed-actuators
+ * @tags security
+ *       external/cwe/cwe-200
+ */
+
+import java
+import semmle.code.java.frameworks.spring.SpringSecurity
+import semmle.code.java.security.SpringBootActuatorsQuery
+
+from SpringPermitAllCall permitAllCall
+where permitsSpringBootActuators(permitAllCall)
+select permitAllCall, "Unauthenticated access to Spring Boot actuator is allowed."
--- a/java/ql/src/change-notes/2025-02-24-spring-boot-actuators-promo.md
+++ b/java/ql/src/change-notes/2025-02-24-spring-boot-actuators-promo.md
@@ -0,0 +1,4 @@
+---
+category: newQuery
+---
+* The query `java/spring-boot-exposed-actuators` has been promoted from experimental to the main query pack. Its results will now appear by default, and the query itself will be removed from the [CodeQL Community Packs](https://github.com/GitHubSecurityLab/CodeQL-Community-Packs). This query was originally submitted as an experimental query [by @ggolawski](https://github.com/github/codeql/pull/2901).
--- a/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.java
+++ b/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.java
@@ -1,22 +0,0 @@
-@Configuration(proxyBeanMethods = false)
-public class SpringBootActuators extends WebSecurityConfigurerAdapter {
-
-  @Override
-  protected void configure(HttpSecurity http) throws Exception {
-    // BAD: Unauthenticated access to Spring Boot actuator endpoints is allowed
-    http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests((requests) ->
-        requests.anyRequest().permitAll());
-  }
-}
-
-@Configuration(proxyBeanMethods = false)
-public class ActuatorSecurity extends WebSecurityConfigurerAdapter {
-
-  @Override
-  protected void configure(HttpSecurity http) throws Exception {
-    // GOOD: only users with ENDPOINT_ADMIN role are allowed to access the actuator endpoints
-    http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests((requests) ->
-        requests.anyRequest().hasRole("ENDPOINT_ADMIN"));
-    http.httpBasic();
-  }
-}
--- a/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.qhelp
@@ -1,39 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-<overview>
-<p>Spring Boot includes a number of additional features called actuators that let you monitor
-and interact with your web application. Exposing unprotected actuator endpoints via JXM or HTTP
-can, however, lead to information disclosure or even to remote code execution vulnerability.</p>
-</overview>
-
-<recommendation>
-<p>Since actuator endpoints may contain sensitive information, careful consideration should be
-given about when to expose them. You should take care to secure exposed HTTP endpoints in the same
-way that you would any other sensitive URL. If Spring Security is present, endpoints are secured by
-default using Spring Security’s content-negotiation strategy. If you wish to configure custom
-security for HTTP endpoints, for example, only allow users with a certain role to access them,
-Spring Boot provides some convenient <code>RequestMatcher</code> objects that can be used in
-combination with Spring Security.</p>
-</recommendation>
-
-<example>
-<p>In the first example, the custom security configuration allows unauthenticated access to all
-actuator endpoints. This may lead to sensitive information disclosure and should be avoided.</p>
-<p>In the second example, only users with <code>ENDPOINT_ADMIN</code> role are allowed to access
-the actuator endpoints.</p>
-
-<sample src="SpringBootActuators.java" />
-</example>
-
-<references>
-<li>
-Spring Boot documentation:
-<a href="https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html">Actuators</a>.
-</li>
-<li>
-<a href="https://www.veracode.com/blog/research/exploiting-spring-boot-actuators">Exploiting Spring Boot Actuators</a>
-</li>
-</references>
-</qhelp>
--- a/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.ql
@@ -1,20 +0,0 @@
-/**
- * @name Exposed Spring Boot actuators
- * @description Exposing Spring Boot actuators may lead to internal application's information leak
- *              or even to remote code execution.
- * @kind problem
- * @problem.severity error
- * @precision high
- * @id java/spring-boot-exposed-actuators
- * @tags security
- *       experimental
- *       external/cwe/cwe-16
- */
-
-import java
-deprecated import SpringBootActuators
-
-deprecated query predicate problems(PermitAllCall permitAllCall, string message) {
-  permitAllCall.permitsSpringBootActuators() and
-  message = "Unauthenticated access to Spring Boot actuator is allowed."
-}
--- a/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.qll
@@ -1,157 +0,0 @@
-deprecated module;
-
-import java
-
-/** The class `org.springframework.security.config.annotation.web.builders.HttpSecurity`. */
-class TypeHttpSecurity extends Class {
-  TypeHttpSecurity() {
-    this.hasQualifiedName("org.springframework.security.config.annotation.web.builders",
-      "HttpSecurity")
-  }
-}
-
-/**
- * The class
- * `org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer`.
- */
-class TypeAuthorizedUrl extends Class {
-  TypeAuthorizedUrl() {
-    this.hasQualifiedName("org.springframework.security.config.annotation.web.configurers",
-      "ExpressionUrlAuthorizationConfigurer<HttpSecurity>$AuthorizedUrl<>")
-  }
-}
-
-/**
- * The class `org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry`.
- */
-class TypeAbstractRequestMatcherRegistry extends Class {
-  TypeAbstractRequestMatcherRegistry() {
-    this.hasQualifiedName("org.springframework.security.config.annotation.web",
-      "AbstractRequestMatcherRegistry<AuthorizedUrl<>>")
-  }
-}
-
-/**
- * The class `org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest`.
- */
-class TypeEndpointRequest extends Class {
-  TypeEndpointRequest() {
-    this.hasQualifiedName("org.springframework.boot.actuate.autoconfigure.security.servlet",
-      "EndpointRequest")
-  }
-}
-
-/** A call to `EndpointRequest.toAnyEndpoint` method. */
-class ToAnyEndpointCall extends MethodCall {
-  ToAnyEndpointCall() {
-    this.getMethod().hasName("toAnyEndpoint") and
-    this.getMethod().getDeclaringType() instanceof TypeEndpointRequest
-  }
-}
-
-/**
- * A call to `HttpSecurity.requestMatcher` method with argument `RequestMatcher.toAnyEndpoint()`.
- */
-class RequestMatcherCall extends MethodCall {
-  RequestMatcherCall() {
-    this.getMethod().hasName("requestMatcher") and
-    this.getMethod().getDeclaringType() instanceof TypeHttpSecurity and
-    this.getArgument(0) instanceof ToAnyEndpointCall
-  }
-}
-
-/**
- * A call to `HttpSecurity.requestMatchers` method with lambda argument
- * `RequestMatcher.toAnyEndpoint()`.
- */
-class RequestMatchersCall extends MethodCall {
-  RequestMatchersCall() {
-    this.getMethod().hasName("requestMatchers") and
-    this.getMethod().getDeclaringType() instanceof TypeHttpSecurity and
-    this.getArgument(0).(LambdaExpr).getExprBody() instanceof ToAnyEndpointCall
-  }
-}
-
-/** A call to `HttpSecurity.authorizeRequests` method. */
-class AuthorizeRequestsCall extends MethodCall {
-  AuthorizeRequestsCall() {
-    this.getMethod().hasName("authorizeRequests") and
-    this.getMethod().getDeclaringType() instanceof TypeHttpSecurity
-  }
-}
-
-/** A call to `AuthorizedUrl.permitAll` method. */
-class PermitAllCall extends MethodCall {
-  PermitAllCall() {
-    this.getMethod().hasName("permitAll") and
-    this.getMethod().getDeclaringType() instanceof TypeAuthorizedUrl
-  }
-
-  /** Holds if `permitAll` is called on request(s) mapped to actuator endpoint(s). */
-  predicate permitsSpringBootActuators() {
-    exists(AuthorizeRequestsCall authorizeRequestsCall |
-      // .requestMatcher(EndpointRequest).authorizeRequests([...]).[...]
-      authorizeRequestsCall.getQualifier() instanceof RequestMatcherCall
-      or
-      // .requestMatchers(matcher -> EndpointRequest).authorizeRequests([...]).[...]
-      authorizeRequestsCall.getQualifier() instanceof RequestMatchersCall
-    |
-      // [...].authorizeRequests(r -> r.anyRequest().permitAll()) or
-      // [...].authorizeRequests(r -> r.requestMatchers(EndpointRequest).permitAll())
-      authorizeRequestsCall.getArgument(0).(LambdaExpr).getExprBody() = this and
-      (
-        this.getQualifier() instanceof AnyRequestCall or
-        this.getQualifier() instanceof RegistryRequestMatchersCall
-      )
-      or
-      // [...].authorizeRequests().requestMatchers(EndpointRequest).permitAll() or
-      // [...].authorizeRequests().anyRequest().permitAll()
-      authorizeRequestsCall.getNumArgument() = 0 and
-      exists(RegistryRequestMatchersCall registryRequestMatchersCall |
-        registryRequestMatchersCall.getQualifier() = authorizeRequestsCall and
-        this.getQualifier() = registryRequestMatchersCall
-      )
-      or
-      exists(AnyRequestCall anyRequestCall |
-        anyRequestCall.getQualifier() = authorizeRequestsCall and
-        this.getQualifier() = anyRequestCall
-      )
-    )
-    or
-    exists(AuthorizeRequestsCall authorizeRequestsCall |
-      // http.authorizeRequests([...]).[...]
-      authorizeRequestsCall.getQualifier() instanceof VarAccess
-    |
-      // [...].authorizeRequests(r -> r.requestMatchers(EndpointRequest).permitAll())
-      authorizeRequestsCall.getArgument(0).(LambdaExpr).getExprBody() = this and
-      this.getQualifier() instanceof RegistryRequestMatchersCall
-      or
-      // [...].authorizeRequests().requestMatchers(EndpointRequest).permitAll() or
-      authorizeRequestsCall.getNumArgument() = 0 and
-      exists(RegistryRequestMatchersCall registryRequestMatchersCall |
-        registryRequestMatchersCall.getQualifier() = authorizeRequestsCall and
-        this.getQualifier() = registryRequestMatchersCall
-      )
-    )
-  }
-}
-
-/** A call to `AbstractRequestMatcherRegistry.anyRequest` method. */
-class AnyRequestCall extends MethodCall {
-  AnyRequestCall() {
-    this.getMethod().hasName("anyRequest") and
-    this.getMethod().getDeclaringType() instanceof TypeAbstractRequestMatcherRegistry
-  }
-}
-
-/**
- * A call to `AbstractRequestMatcherRegistry.requestMatchers` method with an argument
- * `RequestMatcher.toAnyEndpoint()`.
- */
-class RegistryRequestMatchersCall extends MethodCall {
-  RegistryRequestMatchersCall() {
-    this.getMethod().hasName("requestMatchers") and
-    this.getMethod().getDeclaringType() instanceof TypeAbstractRequestMatcherRegistry and
-    this.getAnArgument() instanceof ToAnyEndpointCall
-  }
-}