Java: Promote Spring Boot Actuators query from experimental#18793
Java: Promote Spring Boot Actuators query from experimental#18793jcogs33 merged 17 commits intogithub:mainfrom
Conversation
|
QHelp previews: java/ql/src/Security/CWE/CWE-200/SpringBootActuators.qhelpExposed Spring Boot actuatorsSpring Boot includes features called actuators that let you monitor and interact with your web application. Exposing unprotected actuator endpoints can lead to information disclosure or even to remote code execution. RecommendationSince actuator endpoints may contain sensitive information, carefully consider when to expose them, and secure them as you would any sensitive URL. Actuators are secured by default when using Spring Security without a custom configuration. If you wish to define a custom security configuration, consider only allowing users with certain roles to access these endpoints. ExampleIn the first example, the custom security configuration allows unauthenticated access to all actuator endpoints. This may lead to sensitive information disclosure and should be avoided. In the second example, only users with @Configuration(proxyBeanMethods = false)
public class CustomSecurityConfiguration {
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
// BAD: Unauthenticated access to Spring Boot actuator endpoints is allowed
http.securityMatcher(EndpointRequest.toAnyEndpoint());
http.authorizeHttpRequests((requests) -> requests.anyRequest().permitAll());
return http.build();
}
}
@Configuration(proxyBeanMethods = false)
public class CustomSecurityConfiguration {
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
// GOOD: only users with ENDPOINT_ADMIN role are allowed to access the actuator endpoints
http.securityMatcher(EndpointRequest.toAnyEndpoint());
http.authorizeHttpRequests((requests) -> requests.anyRequest().hasRole("ENDPOINT_ADMIN"));
return http.build();
}
}References |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
…tpRequests, AuthorizeHttpRequestsConfigurer, securityMatcher(s)
jcogs33
force-pushed
the
jcogs33/java/spring-boot-actuators-promo
branch
from
9f3980e to
c2e859c
Compare
jcogs33
changed the title
java/ql/lib/semmle/code/java/frameworks/spring/SpringSecurity.qll
Outdated
Show resolved
Hide resolved
egregius313
left a comment
egregius313
left a comment
There was a problem hiding this comment.
Overall LGTM. But if we are adding public classes to semmle.code.java.frameworks.spring it might make sense to prefix the names with Spring.
|
Thanks for the review @egregius313! I've updated the class names in 746f022 (and 82062e2). |
jcogs33
added
the
ready-for-doc-review
egregius313
left a comment
egregius313
left a comment
There was a problem hiding this comment.
Everything LGTM now.
|
I'll review this on behalf of Docs, probably Monday now. |
mchammer01
left a comment
mchammer01
left a comment
There was a problem hiding this comment.
LGTM from a Docs perspective ✨
Added a couple of suggestions to improve readability.
java/ql/src/change-notes/2025-02-24-spring-boot-actuators-promo.md
Outdated
Show resolved
Hide resolved
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
|
Thanks for the review @mchammer01! I've applied your suggestions. |
4 participants
This PR promotes
java/spring-boot-exposed-actuatorsfrom experimental (original PRs: #2901 and #3506).Changes from the experimental query:
HttpSecurity.securityMatcher(s),HttpSecurity.authorizeHttpRequests, andAuthorizeHttpRequestsConfigurer, which were added in more recent Spring versions.springframework-5.3.8stubs directory should technically be renamed tospringframework-5.8.x. I'll do that in follow-up PR to avoid a large number of renamed stub files and updatedoptionsfiles on this PR.