Java: handle example in Spring docs

Jami Cogswell · Jami Cogswell · commit 9e51b014d24a · 2025-02-24T18:27:43.000-05:00
diff --git a/java/ql/lib/semmle/code/java/security/SpringBootActuatorsQuery.qll b/java/ql/lib/semmle/code/java/security/SpringBootActuatorsQuery.qll
@@ -142,5 +142,14 @@ predicate permitsSpringBootActuators(PermitAllCall permitAllCall) {
       registryRequestMatchersCall.getQualifier() = authorizeCall and
       permitAllCall.getQualifier() = registryRequestMatchersCall
     )
+    or
+    exists(Variable v, MatcherCall matcherCall |
+      // http.securityMatcher(EndpointRequest.toAnyEndpoint());
+      // http.authorizeRequests([...].permitAll())
+      v.getAnAccess() = authorizeCall.getQualifier() and
+      v.getAnAccess() = matcherCall.getQualifier() and
+      authorizeCall.getArgument(0).(LambdaExpr).getExprBody() = permitAllCall and
+      permitAllCall.getQualifier() instanceof AnyRequestCall
+    )
   )
 }
diff --git a/java/ql/test/query-tests/security/CWE-016/SpringBootActuatorsTest.java b/java/ql/test/query-tests/security/CWE-016/SpringBootActuatorsTest.java
@@ -264,4 +264,11 @@ protected void configureOkNoPermitAll4_securityMatchers(HttpSecurity http) throw
   protected void configureOkNoPermitAll7_securityMatchers(HttpSecurity http) throws Exception {
     http.securityMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().anyRequest();
   }
+
+  // Spring doc example
+  // https://docs.spring.io/spring-boot/reference/actuator/endpoints.html#actuator.endpoints.security
+  public void securityFilterChain(HttpSecurity http) throws Exception {
+		http.securityMatcher(EndpointRequest.toAnyEndpoint());
+		http.authorizeHttpRequests((requests) -> requests.anyRequest().permitAll()); // $ hasExposedSpringBootActuator
+	}
 }

Original file line number	Diff line number	Diff line change
`@@ -142,5 +142,14 @@ predicate permitsSpringBootActuators(PermitAllCall permitAllCall) {`
`142`	`142`	`registryRequestMatchersCall.getQualifier() = authorizeCall and`
`143`	`143`	`permitAllCall.getQualifier() = registryRequestMatchersCall`
`144`	`144`	`)`
	`145`	`+ or`
	`146`	`+ exists(Variable v, MatcherCall matcherCall \|`
	`147`	`+ // http.securityMatcher(EndpointRequest.toAnyEndpoint());`
	`148`	`+ // http.authorizeRequests([...].permitAll())`
	`149`	`+ v.getAnAccess() = authorizeCall.getQualifier() and`
	`150`	`+ v.getAnAccess() = matcherCall.getQualifier() and`
	`151`	`+ authorizeCall.getArgument(0).(LambdaExpr).getExprBody() = permitAllCall and`
	`152`	`+ permitAllCall.getQualifier() instanceof AnyRequestCall`
	`153`	`+ )`
`145`	`154`	`)`
`146`	`155`	`}`
Original file line number	Diff line number	Diff line change
`@@ -264,4 +264,11 @@ protected void configureOkNoPermitAll4_securityMatchers(HttpSecurity http) throw`
`264`	`264`	`protected void configureOkNoPermitAll7_securityMatchers(HttpSecurity http) throws Exception {`
`265`	`265`	`http.securityMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().anyRequest();`
`266`	`266`	`}`
	`267`	`+`
	`268`	`+ // Spring doc example`
	`269`	`+ // https://docs.spring.io/spring-boot/reference/actuator/endpoints.html#actuator.endpoints.security`
	`270`	`+ public void securityFilterChain(HttpSecurity http) throws Exception {`
	`271`	`+ http.securityMatcher(EndpointRequest.toAnyEndpoint());`
	`272`	`+ http.authorizeHttpRequests((requests) -> requests.anyRequest().permitAll()); // $ hasExposedSpringBootActuator`
	`273`	`+ }`
`267`	`274`	`}`