Merge pull request #2586 from ggolawski/spring_disable_csrf

aschackmull · web-flow · commit 816a8d1f9ece · 2020-01-27T11:32:39.000+01:00
Add check for disabled CSRF protection in Spring
diff --git a/java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.java b/java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.java
@@ -0,0 +1,17 @@
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+
+@EnableWebSecurity
+@Configuration
+public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
+  @Override
+  protected void configure(HttpSecurity http) throws Exception {
+    http
+      .csrf(csrf ->
+        // BAD - CSRF protection shouldn't be disabled
+        csrf.disable() 
+      );
+  }
+}
diff --git a/java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.qhelp b/java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.qhelp
@@ -0,0 +1,38 @@
+<!DOCTYPE qhelp SYSTEM "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>When you set up a web server to receive a request from a client without any mechanism
+for verifying that it was intentionally sent, then it is vulnerable to attack. An attacker can
+trick a client into making an unintended request to the web server that will be treated as
+an authentic request. This can be done via a URL, image load, XMLHttpRequest, etc. and can 
+result in exposure of data or unintended code execution.</p>
+</overview>
+
+<recommendation>
+<p>When you use Spring, Cross-Site Request Forgery (CSRF) protection is enabled by default. Spring's recommendation
+is to use CSRF protection for any request that could be processed by a browser client by normal
+users.</p>
+</recommendation>
+
+<example>
+<p>The following example shows the Spring Java configuration with CSRF protection disabled.
+This type of configuration should only be used if you are creating a service that is used only
+by non-browser clients.</p>
+
+<sample src="SpringCSRFProtection.java" />
+</example>
+
+<references>
+<li>
+OWASP:
+<a href="https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)">Cross-Site Request Forgery (CSRF)</a>.
+</li>
+<li>
+Spring Security Reference:
+<a href="https://docs.spring.io/spring-security/site/docs/current/reference/html5/#servlet-csrf">
+  Cross Site Request Forgery (CSRF) for Servlet Environments
+</a>.
+</li>
+</references>
+</qhelp>
diff --git a/java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.ql b/java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.ql
@@ -0,0 +1,22 @@
+/**
+ * @name Disabled Spring CSRF protection
+ * @description Disabling CSRF protection makes the application vulnerable to
+ *              a Cross-Site Request Forgery (CSRF) attack.
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @id java/spring-disabled-csrf-protection
+ * @tags security
+ *       external/cwe/cwe-352
+ */
+
+import java
+
+from MethodAccess call
+where
+  call.getMethod().hasName("disable") and
+  call
+      .getReceiverType()
+      .hasQualifiedName("org.springframework.security.config.annotation.web.configurers",
+        "CsrfConfigurer<HttpSecurity>")
+select call, "CSRF vulnerability due to protection being disabled."
