|
11 | 11 | * external/cwe/cwe-016 |
12 | 12 | */ |
13 | 13 |
|
14 | | -/* |
15 | | - * Note this query requires properties files to be indexed before it can produce results. |
16 | | - * If creating your own database with the CodeQL CLI, you should run |
17 | | - * `codeql database index-files --language=properties ...` |
18 | | - * If using lgtm.com, you should add `properties_files: true` to the index block of your |
19 | | - * lgtm.yml file (see https://lgtm.com/help/lgtm/java-extraction) |
20 | | - */ |
21 | | - |
22 | 14 | import java |
23 | | -import semmle.code.configfiles.ConfigFiles |
24 | 15 | import semmle.code.xml.MavenPom |
25 | | - |
26 | | -/** The parent node of the `org.springframework.boot` group. */ |
27 | | -class SpringBootParent extends Parent { |
28 | | - SpringBootParent() { this.getGroup().getValue() = "org.springframework.boot" } |
29 | | -} |
30 | | - |
31 | | -/** Class of Spring Boot dependencies. */ |
32 | | -class SpringBootPom extends Pom { |
33 | | - SpringBootPom() { this.getParentElement() instanceof SpringBootParent } |
34 | | - |
35 | | - /** Holds if the Spring Boot Actuator module `spring-boot-starter-actuator` is used in the project. */ |
36 | | - predicate isSpringBootActuatorUsed() { |
37 | | - this.getADependency().getArtifact().getValue() = "spring-boot-starter-actuator" |
38 | | - } |
39 | | - |
40 | | - /** |
41 | | - * Holds if the Spring Boot Security module is used in the project, which brings in other security |
42 | | - * related libraries. |
43 | | - */ |
44 | | - predicate isSpringBootSecurityUsed() { |
45 | | - this.getADependency().getArtifact().getValue() = "spring-boot-starter-security" |
46 | | - } |
47 | | -} |
48 | | - |
49 | | -/** The properties file `application.properties`. */ |
50 | | -class ApplicationProperties extends ConfigPair { |
51 | | - ApplicationProperties() { this.getFile().getBaseName() = "application.properties" } |
52 | | -} |
53 | | - |
54 | | -/** The configuration property `management.security.enabled`. */ |
55 | | -class ManagementSecurityConfig extends ApplicationProperties { |
56 | | - ManagementSecurityConfig() { this.getNameElement().getName() = "management.security.enabled" } |
57 | | - |
58 | | - /** Gets the whitespace-trimmed value of this property. */ |
59 | | - string getValue() { result = this.getValueElement().getValue().trim() } |
60 | | - |
61 | | - /** Holds if `management.security.enabled` is set to `false`. */ |
62 | | - predicate hasSecurityDisabled() { this.getValue() = "false" } |
63 | | - |
64 | | - /** Holds if `management.security.enabled` is set to `true`. */ |
65 | | - predicate hasSecurityEnabled() { this.getValue() = "true" } |
66 | | -} |
67 | | - |
68 | | -/** The configuration property `management.endpoints.web.exposure.include`. */ |
69 | | -class ManagementEndPointInclude extends ApplicationProperties { |
70 | | - ManagementEndPointInclude() { |
71 | | - this.getNameElement().getName() = "management.endpoints.web.exposure.include" |
72 | | - } |
73 | | - |
74 | | - /** Gets the whitespace-trimmed value of this property. */ |
75 | | - string getValue() { result = this.getValueElement().getValue().trim() } |
76 | | -} |
77 | | - |
78 | | -/** |
79 | | - * Holds if `ApplicationProperties` ap of a repository managed by `SpringBootPom` pom |
80 | | - * has a vulnerable configuration of Spring Boot Actuator management endpoints. |
81 | | - */ |
82 | | -predicate hasConfidentialEndPointExposed(SpringBootPom pom, ApplicationProperties ap) { |
83 | | - pom.isSpringBootActuatorUsed() and |
84 | | - not pom.isSpringBootSecurityUsed() and |
85 | | - ap.getFile() |
86 | | - .getParentContainer() |
87 | | - .getAbsolutePath() |
88 | | - .matches(pom.getFile().getParentContainer().getAbsolutePath() + "%") and // in the same sub-directory |
89 | | - exists(string springBootVersion | springBootVersion = pom.getParentElement().getVersionString() | |
90 | | - springBootVersion.regexpMatch("1\\.[0-4].*") and // version 1.0, 1.1, ..., 1.4 |
91 | | - not exists(ManagementSecurityConfig me | |
92 | | - me.hasSecurityEnabled() and me.getFile() = ap.getFile() |
93 | | - ) |
94 | | - or |
95 | | - springBootVersion.matches("1.5%") and // version 1.5 |
96 | | - exists(ManagementSecurityConfig me | me.hasSecurityDisabled() and me.getFile() = ap.getFile()) |
97 | | - or |
98 | | - springBootVersion.matches("2.%") and //version 2.x |
99 | | - exists(ManagementEndPointInclude mi | |
100 | | - mi.getFile() = ap.getFile() and |
101 | | - ( |
102 | | - mi.getValue() = "*" // all endpoints are enabled |
103 | | - or |
104 | | - mi.getValue() |
105 | | - .matches([ |
106 | | - "%dump%", "%trace%", "%logfile%", "%shutdown%", "%startup%", "%mappings%", "%env%", |
107 | | - "%beans%", "%sessions%" |
108 | | - ]) // confidential endpoints to check although all endpoints apart from '/health' and '/info' are considered sensitive by Spring |
109 | | - ) |
110 | | - ) |
111 | | - ) |
112 | | -} |
| 16 | +import semmle.code.java.security.SpringBootActuatorsConfigQuery |
113 | 17 |
|
114 | 18 | from SpringBootPom pom, ApplicationProperties ap, Dependency d |
115 | 19 | where |
|