mirror of
https://github.com/github/codeql.git
synced 2026-04-28 18:25:24 +02:00
Merge pull request #18793 from jcogs33/jcogs33/java/spring-boot-actuators-promo
Java: Promote Spring Boot Actuators query from experimental
This commit is contained in:
Jami
@@ -1,7 +0,0 @@
|
||||
| SpringBootActuators.java:6:88:6:120 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. |
|
||||
| SpringBootActuators.java:10:5:10:137 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. |
|
||||
| SpringBootActuators.java:14:5:14:149 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. |
|
||||
| SpringBootActuators.java:18:5:18:101 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. |
|
||||
| SpringBootActuators.java:22:5:22:89 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. |
|
||||
| SpringBootActuators.java:26:40:26:108 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. |
|
||||
| SpringBootActuators.java:30:5:30:113 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. |
|
||||
@@ -1,104 +0,0 @@
|
||||
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
|
||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||
|
||||
public class SpringBootActuators {
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests(requests -> requests.anyRequest().permitAll());
|
||||
}
|
||||
|
||||
protected void configure2(HttpSecurity http) throws Exception {
|
||||
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll();
|
||||
}
|
||||
|
||||
protected void configure3(HttpSecurity http) throws Exception {
|
||||
http.requestMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll();
|
||||
}
|
||||
|
||||
protected void configure4(HttpSecurity http) throws Exception {
|
||||
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests().anyRequest().permitAll();
|
||||
}
|
||||
|
||||
protected void configure5(HttpSecurity http) throws Exception {
|
||||
http.authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll();
|
||||
}
|
||||
|
||||
protected void configure6(HttpSecurity http) throws Exception {
|
||||
http.authorizeRequests(requests -> requests.requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll());
|
||||
}
|
||||
|
||||
protected void configure7(HttpSecurity http) throws Exception {
|
||||
http.requestMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeRequests().anyRequest().permitAll();
|
||||
}
|
||||
|
||||
protected void configureOk1(HttpSecurity http) throws Exception {
|
||||
http.requestMatcher(EndpointRequest.toAnyEndpoint());
|
||||
}
|
||||
|
||||
protected void configureOk2(HttpSecurity http) throws Exception {
|
||||
http.requestMatchers().requestMatchers(EndpointRequest.toAnyEndpoint());
|
||||
}
|
||||
|
||||
protected void configureOk3(HttpSecurity http) throws Exception {
|
||||
http.authorizeRequests().anyRequest().permitAll();
|
||||
}
|
||||
|
||||
protected void configureOk4(HttpSecurity http) throws Exception {
|
||||
http.authorizeRequests(authz -> authz.anyRequest().permitAll());
|
||||
}
|
||||
|
||||
protected void configureOkSafeEndpoints1(HttpSecurity http) throws Exception {
|
||||
http.requestMatcher(EndpointRequest.to("health", "info")).authorizeRequests(requests -> requests.anyRequest().permitAll());
|
||||
}
|
||||
|
||||
protected void configureOkSafeEndpoints2(HttpSecurity http) throws Exception {
|
||||
http.requestMatcher(EndpointRequest.to("health")).authorizeRequests().requestMatchers(EndpointRequest.to("health")).permitAll();
|
||||
}
|
||||
|
||||
protected void configureOkSafeEndpoints3(HttpSecurity http) throws Exception {
|
||||
http.requestMatchers(matcher -> EndpointRequest.to("health", "info")).authorizeRequests().requestMatchers(EndpointRequest.to("health", "info")).permitAll();
|
||||
}
|
||||
|
||||
protected void configureOkSafeEndpoints4(HttpSecurity http) throws Exception {
|
||||
http.requestMatcher(EndpointRequest.to("health", "info")).authorizeRequests().anyRequest().permitAll();
|
||||
}
|
||||
|
||||
protected void configureOkSafeEndpoints5(HttpSecurity http) throws Exception {
|
||||
http.authorizeRequests().requestMatchers(EndpointRequest.to("health", "info")).permitAll();
|
||||
}
|
||||
|
||||
protected void configureOkSafeEndpoints6(HttpSecurity http) throws Exception {
|
||||
http.authorizeRequests(requests -> requests.requestMatchers(EndpointRequest.to("health", "info")).permitAll());
|
||||
}
|
||||
|
||||
protected void configureOkSafeEndpoints7(HttpSecurity http) throws Exception {
|
||||
http.requestMatchers(matcher -> EndpointRequest.to("health", "info")).authorizeRequests().anyRequest().permitAll();
|
||||
}
|
||||
|
||||
protected void configureOkNoPermitAll1(HttpSecurity http) throws Exception {
|
||||
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests(requests -> requests.anyRequest());
|
||||
}
|
||||
|
||||
protected void configureOkNoPermitAll2(HttpSecurity http) throws Exception {
|
||||
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint());
|
||||
}
|
||||
|
||||
protected void configureOkNoPermitAll3(HttpSecurity http) throws Exception {
|
||||
http.requestMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint());
|
||||
}
|
||||
|
||||
protected void configureOkNoPermitAll4(HttpSecurity http) throws Exception {
|
||||
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests().anyRequest();
|
||||
}
|
||||
|
||||
protected void configureOkNoPermitAll5(HttpSecurity http) throws Exception {
|
||||
http.authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint());
|
||||
}
|
||||
|
||||
protected void configureOkNoPermitAll6(HttpSecurity http) throws Exception {
|
||||
http.authorizeRequests(requests -> requests.requestMatchers(EndpointRequest.toAnyEndpoint()));
|
||||
}
|
||||
|
||||
protected void configureOkNoPermitAll7(HttpSecurity http) throws Exception {
|
||||
http.requestMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeRequests().anyRequest();
|
||||
}
|
||||
}
|
||||
@@ -1 +0,0 @@
|
||||
experimental/Security/CWE/CWE-016/SpringBootActuators.ql
|
||||
@@ -0,0 +1,281 @@
|
||||
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
|
||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||
|
||||
public class SpringBootActuatorsTest {
|
||||
// Spring security version 5.2.3 used `authorizeRequests` and `requestMatcher(s)`
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests(requests -> requests.anyRequest().permitAll()); // $ hasExposedSpringBootActuator
|
||||
}
|
||||
|
||||
protected void configure2(HttpSecurity http) throws Exception {
|
||||
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll(); // $ hasExposedSpringBootActuator
|
||||
}
|
||||
|
||||
protected void configure3(HttpSecurity http) throws Exception {
|
||||
http.requestMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll(); // $ hasExposedSpringBootActuator
|
||||
}
|
||||
|
||||
protected void configure4(HttpSecurity http) throws Exception {
|
||||
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests().anyRequest().permitAll(); // $ hasExposedSpringBootActuator
|
||||
}
|
||||
|
||||
protected void configure5(HttpSecurity http) throws Exception {
|
||||
http.authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll(); // $ hasExposedSpringBootActuator
|
||||
}
|
||||
|
||||
protected void configure6(HttpSecurity http) throws Exception {
|
||||
http.authorizeRequests(requests -> requests.requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll()); // $ hasExposedSpringBootActuator
|
||||
}
|
||||
|
||||
protected void configure7(HttpSecurity http) throws Exception {
|
||||
http.requestMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeRequests().anyRequest().permitAll(); // $ hasExposedSpringBootActuator
|
||||
}
|
||||
|
||||
protected void configureOk1(HttpSecurity http) throws Exception {
|
||||
http.requestMatcher(EndpointRequest.toAnyEndpoint());
|
||||
}
|
||||
|
||||
protected void configureOk2(HttpSecurity http) throws Exception {
|
||||
http.requestMatchers().requestMatchers(EndpointRequest.toAnyEndpoint());
|
||||
}
|
||||
|
||||
protected void configureOk3(HttpSecurity http) throws Exception {
|
||||
http.authorizeRequests().anyRequest().permitAll();
|
||||
}
|
||||
|
||||
protected void configureOk4(HttpSecurity http) throws Exception {
|
||||
http.authorizeRequests(authz -> authz.anyRequest().permitAll());
|
||||
}
|
||||
|
||||
protected void configureOkSafeEndpoints1(HttpSecurity http) throws Exception {
|
||||
http.requestMatcher(EndpointRequest.to("health", "info")).authorizeRequests(requests -> requests.anyRequest().permitAll());
|
||||
}
|
||||
|
||||
protected void configureOkSafeEndpoints2(HttpSecurity http) throws Exception {
|
||||
http.requestMatcher(EndpointRequest.to("health")).authorizeRequests().requestMatchers(EndpointRequest.to("health")).permitAll();
|
||||
}
|
||||
|
||||
protected void configureOkSafeEndpoints3(HttpSecurity http) throws Exception {
|
||||
http.requestMatchers(matcher -> EndpointRequest.to("health", "info")).authorizeRequests().requestMatchers(EndpointRequest.to("health", "info")).permitAll();
|
||||
}
|
||||
|
||||
protected void configureOkSafeEndpoints4(HttpSecurity http) throws Exception {
|
||||
http.requestMatcher(EndpointRequest.to("health", "info")).authorizeRequests().anyRequest().permitAll();
|
||||
}
|
||||
|
||||
protected void configureOkSafeEndpoints5(HttpSecurity http) throws Exception {
|
||||
http.authorizeRequests().requestMatchers(EndpointRequest.to("health", "info")).permitAll();
|
||||
}
|
||||
|
||||
protected void configureOkSafeEndpoints6(HttpSecurity http) throws Exception {
|
||||
http.authorizeRequests(requests -> requests.requestMatchers(EndpointRequest.to("health", "info")).permitAll());
|
||||
}
|
||||
|
||||
protected void configureOkSafeEndpoints7(HttpSecurity http) throws Exception {
|
||||
http.requestMatchers(matcher -> EndpointRequest.to("health", "info")).authorizeRequests().anyRequest().permitAll();
|
||||
}
|
||||
|
||||
protected void configureOkNoPermitAll1(HttpSecurity http) throws Exception {
|
||||
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests(requests -> requests.anyRequest());
|
||||
}
|
||||
|
||||
protected void configureOkNoPermitAll2(HttpSecurity http) throws Exception {
|
||||
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint());
|
||||
}
|
||||
|
||||
protected void configureOkNoPermitAll3(HttpSecurity http) throws Exception {
|
||||
http.requestMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint());
|
||||
}
|
||||
|
||||
protected void configureOkNoPermitAll4(HttpSecurity http) throws Exception {
|
||||
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests().anyRequest();
|
||||
}
|
||||
|
||||
protected void configureOkNoPermitAll5(HttpSecurity http) throws Exception {
|
||||
http.authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint());
|
||||
}
|
||||
|
||||
protected void configureOkNoPermitAll6(HttpSecurity http) throws Exception {
|
||||
http.authorizeRequests(requests -> requests.requestMatchers(EndpointRequest.toAnyEndpoint()));
|
||||
}
|
||||
|
||||
protected void configureOkNoPermitAll7(HttpSecurity http) throws Exception {
|
||||
http.requestMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeRequests().anyRequest();
|
||||
}
|
||||
|
||||
// Spring security version 5.5.0 introduced `authorizeHttpRequests`
|
||||
protected void configure_authorizeHttpRequests(HttpSecurity http) throws Exception {
|
||||
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeHttpRequests(requests -> requests.anyRequest().permitAll()); // $ hasExposedSpringBootActuator
|
||||
}
|
||||
|
||||
protected void configure2_authorizeHttpRequests(HttpSecurity http) throws Exception {
|
||||
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll(); // $ hasExposedSpringBootActuator
|
||||
}
|
||||
|
||||
protected void configure3_authorizeHttpRequests(HttpSecurity http) throws Exception {
|
||||
http.requestMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll(); // $ hasExposedSpringBootActuator
|
||||
}
|
||||
|
||||
protected void configure4_authorizeHttpRequests(HttpSecurity http) throws Exception {
|
||||
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().anyRequest().permitAll(); // $ hasExposedSpringBootActuator
|
||||
}
|
||||
|
||||
protected void configure5_authorizeHttpRequests(HttpSecurity http) throws Exception {
|
||||
http.authorizeHttpRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll(); // $ hasExposedSpringBootActuator
|
||||
}
|
||||
|
||||
protected void configure6_authorizeHttpRequests(HttpSecurity http) throws Exception {
|
||||
http.authorizeHttpRequests(requests -> requests.requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll()); // $ hasExposedSpringBootActuator
|
||||
}
|
||||
|
||||
protected void configure7_authorizeHttpRequests(HttpSecurity http) throws Exception {
|
||||
http.requestMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().anyRequest().permitAll(); // $ hasExposedSpringBootActuator
|
||||
}
|
||||
|
||||
protected void configureOk3_authorizeHttpRequests(HttpSecurity http) throws Exception {
|
||||
http.authorizeHttpRequests().anyRequest().permitAll();
|
||||
}
|
||||
|
||||
protected void configureOk4_authorizeHttpRequests(HttpSecurity http) throws Exception {
|
||||
http.authorizeHttpRequests(authz -> authz.anyRequest().permitAll());
|
||||
}
|
||||
|
||||
protected void configureOkSafeEndpoints1_authorizeHttpRequests(HttpSecurity http) throws Exception {
|
||||
http.requestMatcher(EndpointRequest.to("health", "info")).authorizeHttpRequests(requests -> requests.anyRequest().permitAll());
|
||||
}
|
||||
|
||||
protected void configureOkSafeEndpoints2_authorizeHttpRequests(HttpSecurity http) throws Exception {
|
||||
http.requestMatcher(EndpointRequest.to("health")).authorizeHttpRequests().requestMatchers(EndpointRequest.to("health")).permitAll();
|
||||
}
|
||||
|
||||
protected void configureOkSafeEndpoints3_authorizeHttpRequests(HttpSecurity http) throws Exception {
|
||||
http.requestMatchers(matcher -> EndpointRequest.to("health", "info")).authorizeHttpRequests().requestMatchers(EndpointRequest.to("health", "info")).permitAll();
|
||||
}
|
||||
|
||||
protected void configureOkSafeEndpoints4_authorizeHttpRequests(HttpSecurity http) throws Exception {
|
||||
http.requestMatcher(EndpointRequest.to("health", "info")).authorizeHttpRequests().anyRequest().permitAll();
|
||||
}
|
||||
|
||||
protected void configureOkSafeEndpoints5_authorizeHttpRequests(HttpSecurity http) throws Exception {
|
||||
http.authorizeHttpRequests().requestMatchers(EndpointRequest.to("health", "info")).permitAll();
|
||||
}
|
||||
|
||||
protected void configureOkSafeEndpoints6_authorizeHttpRequests(HttpSecurity http) throws Exception {
|
||||
http.authorizeHttpRequests(requests -> requests.requestMatchers(EndpointRequest.to("health", "info")).permitAll());
|
||||
}
|
||||
|
||||
protected void configureOkSafeEndpoints7_authorizeHttpRequests(HttpSecurity http) throws Exception {
|
||||
http.requestMatchers(matcher -> EndpointRequest.to("health", "info")).authorizeHttpRequests().anyRequest().permitAll();
|
||||
}
|
||||
|
||||
protected void configureOkNoPermitAll1_authorizeHttpRequests(HttpSecurity http) throws Exception {
|
||||
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeHttpRequests(requests -> requests.anyRequest());
|
||||
}
|
||||
|
||||
protected void configureOkNoPermitAll2_authorizeHttpRequests(HttpSecurity http) throws Exception {
|
||||
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().requestMatchers(EndpointRequest.toAnyEndpoint());
|
||||
}
|
||||
|
||||
protected void configureOkNoPermitAll3_authorizeHttpRequests(HttpSecurity http) throws Exception {
|
||||
http.requestMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().requestMatchers(EndpointRequest.toAnyEndpoint());
|
||||
}
|
||||
|
||||
protected void configureOkNoPermitAll4_authorizeHttpRequests(HttpSecurity http) throws Exception {
|
||||
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().anyRequest();
|
||||
}
|
||||
|
||||
protected void configureOkNoPermitAll5_authorizeHttpRequests(HttpSecurity http) throws Exception {
|
||||
http.authorizeHttpRequests().requestMatchers(EndpointRequest.toAnyEndpoint());
|
||||
}
|
||||
|
||||
protected void configureOkNoPermitAll6_authorizeHttpRequests(HttpSecurity http) throws Exception {
|
||||
http.authorizeHttpRequests(requests -> requests.requestMatchers(EndpointRequest.toAnyEndpoint()));
|
||||
}
|
||||
|
||||
protected void configureOkNoPermitAll7_authorizeHttpRequests(HttpSecurity http) throws Exception {
|
||||
http.requestMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().anyRequest();
|
||||
}
|
||||
|
||||
// Spring security version 5.8.0 introduced `securityMatcher(s)`
|
||||
protected void configure_securityMatchers(HttpSecurity http) throws Exception {
|
||||
http.securityMatcher(EndpointRequest.toAnyEndpoint()).authorizeHttpRequests(requests -> requests.anyRequest().permitAll()); // $ hasExposedSpringBootActuator
|
||||
}
|
||||
|
||||
protected void configure2_securityMatchers(HttpSecurity http) throws Exception {
|
||||
http.securityMatcher(EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll(); // $ hasExposedSpringBootActuator
|
||||
}
|
||||
|
||||
protected void configure3_securityMatchers(HttpSecurity http) throws Exception {
|
||||
http.securityMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll(); // $ hasExposedSpringBootActuator
|
||||
}
|
||||
|
||||
protected void configure4_securityMatchers(HttpSecurity http) throws Exception {
|
||||
http.securityMatcher(EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().anyRequest().permitAll(); // $ hasExposedSpringBootActuator
|
||||
}
|
||||
|
||||
protected void configure7_securityMatchers(HttpSecurity http) throws Exception {
|
||||
http.securityMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().anyRequest().permitAll(); // $ hasExposedSpringBootActuator
|
||||
}
|
||||
|
||||
protected void configureOk1_securityMatchers(HttpSecurity http) throws Exception {
|
||||
http.securityMatcher(EndpointRequest.toAnyEndpoint());
|
||||
}
|
||||
|
||||
protected void configureOk2_securityMatchers(HttpSecurity http) throws Exception {
|
||||
http.securityMatchers().requestMatchers(EndpointRequest.toAnyEndpoint());
|
||||
}
|
||||
|
||||
protected void configureOkSafeEndpoints1_securityMatchers(HttpSecurity http) throws Exception {
|
||||
http.securityMatcher(EndpointRequest.to("health", "info")).authorizeHttpRequests(requests -> requests.anyRequest().permitAll());
|
||||
}
|
||||
|
||||
protected void configureOkSafeEndpoints2_securityMatchers(HttpSecurity http) throws Exception {
|
||||
http.securityMatcher(EndpointRequest.to("health")).authorizeHttpRequests().requestMatchers(EndpointRequest.to("health")).permitAll();
|
||||
}
|
||||
|
||||
protected void configureOkSafeEndpoints3_securityMatchers(HttpSecurity http) throws Exception {
|
||||
http.securityMatchers(matcher -> EndpointRequest.to("health", "info")).authorizeHttpRequests().requestMatchers(EndpointRequest.to("health", "info")).permitAll();
|
||||
}
|
||||
|
||||
protected void configureOkSafeEndpoints4_securityMatchers(HttpSecurity http) throws Exception {
|
||||
http.securityMatcher(EndpointRequest.to("health", "info")).authorizeHttpRequests().anyRequest().permitAll();
|
||||
}
|
||||
|
||||
protected void configureOkSafeEndpoints7_securityMatchers(HttpSecurity http) throws Exception {
|
||||
http.securityMatchers(matcher -> EndpointRequest.to("health", "info")).authorizeHttpRequests().anyRequest().permitAll();
|
||||
}
|
||||
|
||||
protected void configureOkNoPermitAll1_securityMatchers(HttpSecurity http) throws Exception {
|
||||
http.securityMatcher(EndpointRequest.toAnyEndpoint()).authorizeHttpRequests(requests -> requests.anyRequest());
|
||||
}
|
||||
|
||||
protected void configureOkNoPermitAll2_securityMatchers(HttpSecurity http) throws Exception {
|
||||
http.securityMatcher(EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().requestMatchers(EndpointRequest.toAnyEndpoint());
|
||||
}
|
||||
|
||||
protected void configureOkNoPermitAll3_securityMatchers(HttpSecurity http) throws Exception {
|
||||
http.securityMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().requestMatchers(EndpointRequest.toAnyEndpoint());
|
||||
}
|
||||
|
||||
protected void configureOkNoPermitAll4_securityMatchers(HttpSecurity http) throws Exception {
|
||||
http.securityMatcher(EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().anyRequest();
|
||||
}
|
||||
|
||||
protected void configureOkNoPermitAll7_securityMatchers(HttpSecurity http) throws Exception {
|
||||
http.securityMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().anyRequest();
|
||||
}
|
||||
|
||||
// QHelp Bad example
|
||||
public void securityFilterChain1(HttpSecurity http) throws Exception {
|
||||
// BAD: Unauthenticated access to Spring Boot actuator endpoints is allowed
|
||||
http.securityMatcher(EndpointRequest.toAnyEndpoint());
|
||||
http.authorizeHttpRequests((requests) -> requests.anyRequest().permitAll()); // $ hasExposedSpringBootActuator
|
||||
}
|
||||
|
||||
// QHelp Good example
|
||||
public void securityFilterChain2(HttpSecurity http) throws Exception {
|
||||
// GOOD: only users with ENDPOINT_ADMIN role are allowed to access the actuator endpoints
|
||||
http.securityMatcher(EndpointRequest.toAnyEndpoint());
|
||||
http.authorizeHttpRequests((requests) -> requests.anyRequest().hasRole("ENDPOINT_ADMIN"));
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,19 @@
|
||||
import java
|
||||
import semmle.code.java.frameworks.spring.SpringSecurity
|
||||
import semmle.code.java.security.SpringBootActuatorsQuery
|
||||
import utils.test.InlineExpectationsTest
|
||||
|
||||
module SpringBootActuatorsTest implements TestSig {
|
||||
string getARelevantTag() { result = "hasExposedSpringBootActuator" }
|
||||
|
||||
predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
tag = "hasExposedSpringBootActuator" and
|
||||
exists(SpringPermitAllCall permitAllCall | permitsSpringBootActuators(permitAllCall) |
|
||||
permitAllCall.getLocation() = location and
|
||||
element = permitAllCall.toString() and
|
||||
value = ""
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
import MakeTest<SpringBootActuatorsTest>
|
||||
@@ -0,0 +1 @@
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../../stubs/springframework-5.3.8
|
||||
@@ -9,6 +9,7 @@ import org.springframework.security.web.util.matcher.RequestMatcher;
|
||||
import org.springframework.security.config.Customizer;
|
||||
import org.springframework.security.config.annotation.web.configurers.CsrfConfigurer;
|
||||
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
|
||||
import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer;
|
||||
import org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry;
|
||||
|
||||
public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<DefaultSecurityFilterChain, HttpSecurity>
|
||||
@@ -18,6 +19,14 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
|
||||
return this;
|
||||
}
|
||||
|
||||
public HttpSecurity securityMatcher(RequestMatcher requestMatcher) {
|
||||
return this;
|
||||
}
|
||||
|
||||
public HttpSecurity securityMatcher(String... patterns) {
|
||||
return this;
|
||||
}
|
||||
|
||||
public HttpSecurity authorizeRequests(
|
||||
Customizer<ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry> authorizeRequestsCustomizer)
|
||||
throws Exception {
|
||||
@@ -29,6 +38,17 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
|
||||
return null;
|
||||
}
|
||||
|
||||
public HttpSecurity authorizeHttpRequests(
|
||||
Customizer<AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry> authorizeHttpRequestsCustomizer)
|
||||
throws Exception {
|
||||
return this;
|
||||
}
|
||||
|
||||
public AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry authorizeHttpRequests()
|
||||
throws Exception {
|
||||
return null;
|
||||
}
|
||||
|
||||
public HttpSecurity requestMatchers(Customizer<RequestMatcherConfigurer> requestMatcherCustomizer) {
|
||||
return this;
|
||||
}
|
||||
@@ -37,6 +57,14 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
|
||||
return null;
|
||||
}
|
||||
|
||||
public HttpSecurity securityMatchers(Customizer<RequestMatcherConfigurer> requestMatcherCustomizer) {
|
||||
return this;
|
||||
}
|
||||
|
||||
public RequestMatcherConfigurer securityMatchers() {
|
||||
return null;
|
||||
}
|
||||
|
||||
public CsrfConfigurer<HttpSecurity> csrf() {
|
||||
return null;
|
||||
}
|
||||
|
||||
@@ -0,0 +1,22 @@
|
||||
package org.springframework.security.config.annotation.web.configurers;
|
||||
|
||||
import org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry;
|
||||
import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
|
||||
|
||||
public final class AuthorizeHttpRequestsConfigurer<H extends HttpSecurityBuilder<H>>
|
||||
extends AbstractHttpConfigurer<AuthorizeHttpRequestsConfigurer<H>, H> {
|
||||
|
||||
public final class AuthorizationManagerRequestMatcherRegistry extends
|
||||
AbstractRequestMatcherRegistry<AuthorizedUrl> {
|
||||
}
|
||||
|
||||
public class AuthorizedUrl {
|
||||
public AuthorizationManagerRequestMatcherRegistry permitAll() {
|
||||
return null;
|
||||
}
|
||||
|
||||
public AuthorizationManagerRequestMatcherRegistry hasRole(String role) {
|
||||
return null;
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -12,5 +12,9 @@ public final class ExpressionUrlAuthorizationConfigurer<H extends HttpSecurityBu
|
||||
public ExpressionInterceptUrlRegistry permitAll() {
|
||||
return null;
|
||||
}
|
||||
|
||||
public ExpressionInterceptUrlRegistry hasRole(String role) {
|
||||
return null;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user