Java: edit qhelp

Author: Jami Cogswell

java/ql/src/Security/CWE/CWE-200/SpringBootActuators.java

@@ -1,22 +1,25 @@
 @Configuration(proxyBeanMethods = false)
-public class SpringBootActuators extends WebSecurityConfigurerAdapter {
+public class CustomSecurityConfiguration {
+
+    @Bean
+    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+        // BAD: Unauthenticated access to Spring Boot actuator endpoints is allowed
+        http.securityMatcher(EndpointRequest.toAnyEndpoint());
+        http.authorizeHttpRequests((requests) -> requests.anyRequest().permitAll());
+        return http.build();
+    }
 
-  @Override
-  protected void configure(HttpSecurity http) throws Exception {
-    // BAD: Unauthenticated access to Spring Boot actuator endpoints is allowed
-    http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests((requests) ->
-        requests.anyRequest().permitAll());
-  }
 }
 
 @Configuration(proxyBeanMethods = false)
-public class ActuatorSecurity extends WebSecurityConfigurerAdapter {
+public class CustomSecurityConfiguration {
+
+    @Bean
+    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+        // GOOD: only users with ENDPOINT_ADMIN role are allowed to access the actuator endpoints
+        http.securityMatcher(EndpointRequest.toAnyEndpoint());
+        http.authorizeHttpRequests((requests) -> requests.anyRequest().hasRole("ENDPOINT_ADMIN"));
+        return http.build();
+    }
 
-  @Override
-  protected void configure(HttpSecurity http) throws Exception {
-    // GOOD: only users with ENDPOINT_ADMIN role are allowed to access the actuator endpoints
-    http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests((requests) ->
-        requests.anyRequest().hasRole("ENDPOINT_ADMIN"));
-    http.httpBasic();
-  }
 }

java/ql/src/Security/CWE/CWE-200/SpringBootActuators.qhelp

@@ -3,24 +3,24 @@
   "qhelp.dtd">
 <qhelp>
 <overview>
-<p>Spring Boot includes a number of additional features called actuators that let you monitor
-and interact with your web application. Exposing unprotected actuator endpoints via JXM or HTTP
-can, however, lead to information disclosure or even to remote code execution vulnerability.</p>
+<p>Spring Boot includes features called actuators that let you monitor and interact with your
+web application. Exposing unprotected actuator endpoints can lead to information disclosure or
+even to remote code execution.</p>
 </overview>
 
 <recommendation>
-<p>Since actuator endpoints may contain sensitive information, careful consideration should be
-given about when to expose them. You should take care to secure exposed HTTP endpoints in the same
-way that you would any other sensitive URL. If Spring Security is present, endpoints are secured by
-default using Spring Security’s content-negotiation strategy. If you wish to configure custom
-security for HTTP endpoints, for example, only allow users with a certain role to access them,
-Spring Boot provides some convenient <code>RequestMatcher</code> objects that can be used in
-combination with Spring Security.</p>
+<p>Since actuator endpoints may contain sensitive information, carefully consider when to expose them,
+and secure them as you would any sensitive URL. Actuators are secured by default when using Spring
+Security without a custom configuration. If you wish to define a custom security configuration,
+consider only allowing users with certain roles access to the endpoints.
+</p>
+
 </recommendation>
 
 <example>
 <p>In the first example, the custom security configuration allows unauthenticated access to all
 actuator endpoints. This may lead to sensitive information disclosure and should be avoided.</p>
+
 <p>In the second example, only users with <code>ENDPOINT_ADMIN</code> role are allowed to access
 the actuator endpoints.</p>
 
@@ -29,11 +29,8 @@ the actuator endpoints.</p>
 
 <references>
 <li>
-Spring Boot documentation:
-<a href="https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html">Actuators</a>.
-</li>
-<li>
-<a href="https://www.veracode.com/blog/research/exploiting-spring-boot-actuators">Exploiting Spring Boot Actuators</a>
+Spring Boot Reference Documentation:
+<a href="https://docs.spring.io/spring-boot/reference/actuator/endpoints.html">Endpoints</a>.
 </li>
 </references>
 </qhelp>

java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuators/SpringBootActuatorsTest.java

@@ -265,17 +265,17 @@ protected void configureOkNoPermitAll7_securityMatchers(HttpSecurity http) throw
     http.securityMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().anyRequest();
   }
 
-  // Spring doc example
-  // https://docs.spring.io/spring-boot/reference/actuator/endpoints.html#actuator.endpoints.security
-  public void securityFilterChain(HttpSecurity http) throws Exception {
-		http.securityMatcher(EndpointRequest.toAnyEndpoint());
-		http.authorizeHttpRequests((requests) -> requests.anyRequest().permitAll()); // $ hasExposedSpringBootActuator
-	}
+  // QHelp Bad example
+  public void securityFilterChain1(HttpSecurity http) throws Exception {
+    // BAD: Unauthenticated access to Spring Boot actuator endpoints is allowed
+    http.securityMatcher(EndpointRequest.toAnyEndpoint());
+    http.authorizeHttpRequests((requests) -> requests.anyRequest().permitAll()); // $ hasExposedSpringBootActuator
+  }
 
   // QHelp Good example
-  protected void configureQhelpGood(HttpSecurity http) throws Exception {
+  public void securityFilterChain2(HttpSecurity http) throws Exception {
     // GOOD: only users with ENDPOINT_ADMIN role are allowed to access the actuator endpoints
-    http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests((requests) ->
-        requests.anyRequest().hasRole("ENDPOINT_ADMIN"));
+    http.securityMatcher(EndpointRequest.toAnyEndpoint());
+    http.authorizeHttpRequests((requests) -> requests.anyRequest().hasRole("ENDPOINT_ADMIN"));
   }
 }