Add check for disabled CSRF protection in Spring

ggolawski · ggolawski · commit 5596944926d0 · 2020-01-22T21:27:34.000+01:00
Fix help and correct formatting.
diff --git a/java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.qhelp b/java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.qhelp
@@ -10,7 +10,7 @@ result in exposure of data or unintended code execution.</p>
 </overview>
 
 <recommendation>
-<p>Cross-Site Request Forgery (CSRF) protection is enabled by default. Spring's recommendation
+<p>When you use Spring, Cross-Site Request Forgery (CSRF) protection is enabled by default. Spring's recommendation
 is to use CSRF protection for any request that could be processed by a browser client by normal
 users.</p>
 </recommendation>
diff --git a/java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.ql b/java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.ql
@@ -15,8 +15,8 @@ import java
 from MethodAccess call
 where
   call.getMethod().hasName("disable") and
-  call.getReceiverType().hasQualifiedName(
-    "org.springframework.security.config.annotation.web.configurers",
-    "CsrfConfigurer<HttpSecurity>"
-  )
+  call
+      .getReceiverType()
+      .hasQualifiedName("org.springframework.security.config.annotation.web.configurers",
+        "CsrfConfigurer<HttpSecurity>")
 select call, "CSRF vulnerability due to protection being disabled."
