Java: edit qhelp

Jami Cogswell · Jami Cogswell · commit a8bb798a92a0 · 2025-02-24T16:43:19.000-05:00
diff --git a/java/ql/src/Security/CWE/CWE-200/SpringBootActuators.java b/java/ql/src/Security/CWE/CWE-200/SpringBootActuators.java
@@ -1,22 +1,25 @@
 @Configuration(proxyBeanMethods = false)
-public class SpringBootActuators extends WebSecurityConfigurerAdapter {
+public class CustomSecurityConfiguration {
 
-  @Override
-  protected void configure(HttpSecurity http) throws Exception {
+	@Bean
+	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
     // BAD: Unauthenticated access to Spring Boot actuator endpoints is allowed
-    http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests((requests) ->
-        requests.anyRequest().permitAll());
-  }
+		http.securityMatcher(EndpointRequest.toAnyEndpoint());
+		http.authorizeHttpRequests((requests) -> requests.anyRequest().permitAll());
+		return http.build();
+	}
+
 }
 
 @Configuration(proxyBeanMethods = false)
-public class ActuatorSecurity extends WebSecurityConfigurerAdapter {
+public class CustomSecurityConfiguration {
 
-  @Override
-  protected void configure(HttpSecurity http) throws Exception {
+	@Bean
+	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
     // GOOD: only users with ENDPOINT_ADMIN role are allowed to access the actuator endpoints
-    http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests((requests) ->
-        requests.anyRequest().hasRole("ENDPOINT_ADMIN"));
-    http.httpBasic();
-  }
+		http.securityMatcher(EndpointRequest.toAnyEndpoint());
+		http.authorizeHttpRequests((requests) -> requests.anyRequest().hasRole("ENDPOINT_ADMIN"));
+		return http.build();
+	}
+
 }
diff --git a/java/ql/src/Security/CWE/CWE-200/SpringBootActuators.qhelp b/java/ql/src/Security/CWE/CWE-200/SpringBootActuators.qhelp
@@ -3,24 +3,24 @@
   "qhelp.dtd">
 <qhelp>
 <overview>
-<p>Spring Boot includes a number of additional features called actuators that let you monitor
-and interact with your web application. Exposing unprotected actuator endpoints via JXM or HTTP
-can, however, lead to information disclosure or even to remote code execution vulnerability.</p>
+<p>Spring Boot includes features called actuators that let you monitor and interact with your
+web application. Exposing unprotected actuator endpoints can lead to information disclosure or
+even to remote code execution.</p>
 </overview>
 
 <recommendation>
-<p>Since actuator endpoints may contain sensitive information, careful consideration should be
-given about when to expose them. You should take care to secure exposed HTTP endpoints in the same
-way that you would any other sensitive URL. If Spring Security is present, endpoints are secured by
-default using Spring Security’s content-negotiation strategy. If you wish to configure custom
-security for HTTP endpoints, for example, only allow users with a certain role to access them,
-Spring Boot provides some convenient <code>RequestMatcher</code> objects that can be used in
-combination with Spring Security.</p>
+<p>Since actuator endpoints may contain sensitive information, carefully consider when to expose them,
+and secure them as you would any sensitive URL. Actuators are secured by default when using Spring
+Security without a custom configuration. If you wish to define a custom security configuration,
+consider only allowing users with certain roles access to the endpoints.
+</p>
+
 </recommendation>
 
 <example>
 <p>In the first example, the custom security configuration allows unauthenticated access to all
 actuator endpoints. This may lead to sensitive information disclosure and should be avoided.</p>
+
 <p>In the second example, only users with <code>ENDPOINT_ADMIN</code> role are allowed to access
 the actuator endpoints.</p>
 
@@ -29,11 +29,8 @@ the actuator endpoints.</p>
 
 <references>
 <li>
-Spring Boot documentation:
-<a href="https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html">Actuators</a>.
-</li>
-<li>
-<a href="https://www.veracode.com/blog/research/exploiting-spring-boot-actuators">Exploiting Spring Boot Actuators</a>
+Spring Boot Reference Documentation:
+<a href="https://docs.spring.io/spring-boot/reference/actuator/endpoints.html">Endpoints</a>.
 </li>
 </references>
 </qhelp>
diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuators/SpringBootActuatorsTest.java b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuators/SpringBootActuatorsTest.java
@@ -275,7 +275,7 @@ public void securityFilterChain(HttpSecurity http) throws Exception {
   // QHelp Good example
   protected void configureQhelpGood(HttpSecurity http) throws Exception {
     // GOOD: only users with ENDPOINT_ADMIN role are allowed to access the actuator endpoints
-    http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests((requests) ->
-        requests.anyRequest().hasRole("ENDPOINT_ADMIN"));
+    http.securityMatcher(EndpointRequest.toAnyEndpoint());
+    http.authorizeHttpRequests((requests) -> requests.anyRequest().hasRole("ENDPOINT_ADMIN"));
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -275,7 +275,7 @@ public void securityFilterChain(HttpSecurity http) throws Exception {`
`275`	`275`	`// QHelp Good example`
`276`	`276`	`protected void configureQhelpGood(HttpSecurity http) throws Exception {`
`277`	`277`	`// GOOD: only users with ENDPOINT_ADMIN role are allowed to access the actuator endpoints`
`278`		`- http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests((requests) ->`
`279`		`- requests.anyRequest().hasRole("ENDPOINT_ADMIN"));`
	`278`	`+ http.securityMatcher(EndpointRequest.toAnyEndpoint());`
	`279`	`+ http.authorizeHttpRequests((requests) -> requests.anyRequest().hasRole("ENDPOINT_ADMIN"));`
`280`	`280`	`}`
`281`	`281`	`}`