Add check for disabled CSRF protection in Spring

ggolawski · ggolawski · commit ab49397bb808 · 2020-01-03T21:52:50.000+01:00
diff --git a/java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.java b/java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.java
@@ -0,0 +1,17 @@
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+
+@EnableWebSecurity
+@Configuration
+public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
+  @Override
+  protected void configure(HttpSecurity http) throws Exception {
+    http
+      .csrf(csrf ->
+        // BAD - CSRF protection shouldn't be disabled
+        csrf.disable() 
+      );
+  }
+}
diff --git a/java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.qhelp b/java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.qhelp
@@ -0,0 +1,39 @@
+<!DOCTYPE qhelp SYSTEM "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>When a web server is designed to receive a request from a client without any mechanism 
+for verifying that it was intentionally sent, then it might be possible for an attacker 
+to trick a client into making an unintentional request to the web server which will be treated 
+as an authentic request. This can be done via a URL, image load, XMLHttpRequest, etc. and can 
+result in exposure of data or unintended code execution.</p>
+</overview>
+
+<recommendation>
+<p>Cross-Site Request Forgery (CSRF) protection is enabled by default in Spring with Java 
+configuration. It's recommended to not disable this.</p>
+</recommendation>
+
+<example>
+<p>The following example shows the Spring Java configuration with CSRF protection disabled.</p>
+
+<sample src="SpringCSRFProtection.java" />
+</example>
+
+<references>
+<li>
+CWE:
+<a href="https://cwe.mitre.org/data/definitions/352.html">CWE-352: Cross-Site Request Forgery (CSRF)</a>.
+</li>
+<li>
+OWASP:
+<a href="https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)">Cross-Site Request Forgery (CSRF)</a>.
+</li>
+<li>
+Spring Security Reference:
+<a href="https://docs.spring.io/spring-security/site/docs/current/reference/html5/#servlet-csrf">
+  Cross Site Request Forgery (CSRF) for Servlet Environments
+</a>.
+</li>
+</references>
+</qhelp>
diff --git a/java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.ql b/java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.ql
@@ -0,0 +1,22 @@
+/**
+ * @name Disabled Spring CSRF protection
+ * @description Disabling CSRF protection makes the application vulnerable to
+ *              Cross-Site Request Forgery (CSRF) attack.
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @id java/spring-disabled-csrf-protection
+ * @tags security
+ *       external/cwe/cwe-352
+ */
+
+import java
+
+from MethodAccess call, Method method
+where
+  call.getMethod() = method and
+  method.hasName("disable") and
+  method.getDeclaringType().getQualifiedName().regexpMatch(
+    "org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer<CsrfConfigurer<.*>,.*>"
+  )
+select call, "CSRF vulnerability due to protection being disabled."
