Add check for disabled CSRF protection in Spring

ggolawski · ggolawski · commit c5a974788b68 · 2020-01-21T21:54:36.000+01:00
Fix the help according to review comments.
diff --git a/java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.qhelp b/java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.qhelp
@@ -2,30 +2,29 @@
 <qhelp>
 
 <overview>
-<p>When a web server is designed to receive a request from a client without any mechanism 
-for verifying that it was intentionally sent, then it might be possible for an attacker 
-to trick a client into making an unintentional request to the web server which will be treated 
-as an authentic request. This can be done via a URL, image load, XMLHttpRequest, etc. and can 
+<p>When you set up a web server to receive a request from a client without any mechanism
+for verifying that it was intentionally sent, then it is vulnerable to attack. An attacker can
+trick a client into making an unintended request to the web server that will be treated as
+an authentic request. This can be done via a URL, image load, XMLHttpRequest, etc. and can 
 result in exposure of data or unintended code execution.</p>
 </overview>
 
 <recommendation>
-<p>Cross-Site Request Forgery (CSRF) protection is enabled by default in Spring with Java 
-configuration. It's recommended to not disable this.</p>
+<p>Cross-Site Request Forgery (CSRF) protection is enabled by default. Spring's recommendation
+is to use CSRF protection for any request that could be processed by a browser client by normal
+users.</p>
 </recommendation>
 
 <example>
-<p>The following example shows the Spring Java configuration with CSRF protection disabled.</p>
+<p>The following example shows the Spring Java configuration with CSRF protection disabled.
+This type of configuration should only be used if you are creating a service that is used only
+by non-browser clients.</p>
 
 <sample src="SpringCSRFProtection.java" />
 </example>
 
 <references>
 <li>
-CWE:
-<a href="https://cwe.mitre.org/data/definitions/352.html">CWE-352: Cross-Site Request Forgery (CSRF)</a>.
-</li>
-<li>
 OWASP:
 <a href="https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)">Cross-Site Request Forgery (CSRF)</a>.
 </li>
diff --git a/java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.ql b/java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.ql
@@ -1,7 +1,7 @@
 /**
  * @name Disabled Spring CSRF protection
  * @description Disabling CSRF protection makes the application vulnerable to
- *              Cross-Site Request Forgery (CSRF) attack.
+ *              a Cross-Site Request Forgery (CSRF) attack.
  * @kind problem
  * @problem.severity error
  * @precision high
