From eeac7e322ad0d450f8dac1f0dad9195e4d3b8c33 Mon Sep 17 00:00:00 2001 From: luchua-bc Date: Thu, 11 Mar 2021 13:46:32 +0000 Subject: [PATCH 1/5] Query to detect insecure configuration of Spring Boot Actuator --- .../InsecureSpringActuatorConfig.qhelp | 47 ++++++++ .../CWE-016/InsecureSpringActuatorConfig.ql | 112 ++++++++++++++++++ .../CWE/CWE-016/application.properties | 22 ++++ .../Security/CWE/CWE-016/pom_bad.xml | 50 ++++++++ .../Security/CWE/CWE-016/pom_good.xml | 50 ++++++++ .../InsecureSpringActuatorConfig.expected | 1 + .../InsecureSpringActuatorConfig.qlref | 1 + .../security/CWE-016/SensitiveInfo.java | 13 ++ .../security/CWE-016/application.properties | 14 +++ .../query-tests/security/CWE-016/pom.xml | 47 ++++++++ 10 files changed, 357 insertions(+) create mode 100644 java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.qhelp create mode 100644 java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql create mode 100644 java/ql/src/experimental/Security/CWE/CWE-016/application.properties create mode 100644 java/ql/src/experimental/Security/CWE/CWE-016/pom_bad.xml create mode 100644 java/ql/src/experimental/Security/CWE/CWE-016/pom_good.xml create mode 100644 java/ql/test/experimental/query-tests/security/CWE-016/InsecureSpringActuatorConfig.expected create mode 100644 java/ql/test/experimental/query-tests/security/CWE-016/InsecureSpringActuatorConfig.qlref create mode 100644 java/ql/test/experimental/query-tests/security/CWE-016/SensitiveInfo.java create mode 100644 java/ql/test/experimental/query-tests/security/CWE-016/application.properties create mode 100644 java/ql/test/experimental/query-tests/security/CWE-016/pom.xml diff --git a/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.qhelp b/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.qhelp new file mode 100644 index 000000000000..e201156728a4 --- /dev/null 
+++ b/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.qhelp @@ -0,0 +1,47 @@ + + + +

Spring Boot is a popular framework that facilitates the development of stand-alone applications +and micro services. Spring Boot Actuator helps to expose production-ready support features against +Spring Boot applications.

+ +

Endpoints of Spring Boot Actuator allow to monitor and interact with a Spring Boot application. +Exposing unprotected actuator endpoints through configuration files can lead to information disclosure +or even remote code execution vulnerability.

+ +

Rather than programmatically permitting endpoint requests or enforcing access control, frequently +developers simply leave management endpoints publicly accessible in the application configuration file +application.properties without enforcing access control through Spring Security.

+
+ + +

Declare the Spring Boot Starter Security module in XML configuration or programmatically enforce +security checks on management endpoints using Spring Security. Otherwise accessing management endpoints +on a different HTTP port other than the port that the web application is listening on also helps to +improve the security.

+
+ + +

The following examples show both 'BAD' and 'GOOD' configurations. In the 'BAD' configuration, +no security module is declared and sensitive management endpoints are exposed. In the 'GOOD' configuration, +security is enforced and only endpoints requiring exposure are exposed.

+ + + +
+ + +
  • + Spring Boot documentation: + Spring Boot Actuator: Production-ready Features +
  • +
  • + VERACODE Blog: + Exploiting Spring Boot Actuators +
  • +
  • + HackerOne Report: + Spring Actuator endpoints publicly available, leading to account takeover +
  • +
    +
    diff --git a/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql b/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql new file mode 100644 index 000000000000..2dc11e8e38ef --- /dev/null +++ b/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql 
@@ -0,0 +1,112 @@ +/** + * @name Insecure Spring Boot Actuator Configuration + * @description Exposed Spring Boot Actuator through configuration files without declarative or procedural security enforcement leads to information leak or even remote code execution. + * @kind problem + * @id java/insecure-spring-actuator-config + * @tags security + * external/cwe-016 + */ + +import java +import semmle.code.configfiles.ConfigFiles +import semmle.code.java.security.SensitiveActions +import semmle.code.xml.MavenPom + +/** The parent node of the `org.springframework.boot` group. */ +class SpringBootParent extends Parent { + SpringBootParent() { this.getGroup().getValue() = "org.springframework.boot" } +} + +/** Class of Spring Boot dependencies. */ +class SpringBootPom extends Pom { + SpringBootPom() { this.getParentElement() instanceof SpringBootParent } + + /** Holds if the Spring Boot Actuator module `spring-boot-starter-actuator` is used in the project. */ + predicate isSpringBootActuatorUsed() { + this.getADependency().getArtifact().getValue() = "spring-boot-starter-actuator" + } + + /** Holds if the Spring Boot Security module is used in the project, which brings in other security related libraries. */ + predicate isSpringBootSecurityUsed() { + this.getADependency().getArtifact().getValue() = "spring-boot-starter-security" + } +} + +/** The properties file `application.properties`. */ +class ApplicationProperties extends ConfigPair { + ApplicationProperties() { this.getFile().getBaseName() = "application.properties" } +} + +/** The configuration property `management.security.enabled`. 
*/ +class ManagementSecurityEnabled extends ApplicationProperties { + ManagementSecurityEnabled() { this.getNameElement().getName() = "management.security.enabled" } + + string getManagementSecurityEnabled() { result = this.getValueElement().getValue() } + + predicate hasSecurityDisabled() { getManagementSecurityEnabled() = "false" } + + predicate hasSecurityEnabled() { getManagementSecurityEnabled() = "true" } +} + +/** The configuration property `management.endpoints.web.exposure.include`. */ +class ManagementEndPointInclude extends ApplicationProperties { + ManagementEndPointInclude() { + this.getNameElement().getName() = "management.endpoints.web.exposure.include" + } + + string getManagementEndPointInclude() { result = this.getValueElement().getValue().trim() } +} + +/** The configuration property `management.endpoints.web.exposure.exclude`. */ +class ManagementEndPointExclude extends ApplicationProperties { + ManagementEndPointExclude() { + this.getNameElement().getName() = "management.endpoints.web.exposure.exclude" + } + + string getManagementEndPointExclude() { result = this.getValueElement().getValue().trim() } +} + +/** Holds if an application handles sensitive information judging by its variable names. 
*/ +predicate isProtectedApp() { + exists(VarAccess va | va.getVariable().getName().regexpMatch(getCommonSensitiveInfoRegex())) +} + +from SpringBootPom pom, ApplicationProperties ap, Dependency d +where + isProtectedApp() and + pom.isSpringBootActuatorUsed() and + not pom.isSpringBootSecurityUsed() and + ap.getFile() + .getParentContainer() + .getAbsolutePath() + .matches(pom.getFile().getParentContainer().getAbsolutePath() + "%") and // in the same sub-directory + exists(string s | s = pom.getParentElement().getVersionString() | + s.regexpMatch("1\\.[0|1|2|3|4].*") and + not exists(ManagementSecurityEnabled me | + me.hasSecurityEnabled() and me.getFile() = ap.getFile() + ) + or + s.regexpMatch("1\\.5.*") and + exists(ManagementSecurityEnabled me | me.hasSecurityDisabled() and me.getFile() = ap.getFile()) + or + s.regexpMatch("2.*") and + exists(ManagementEndPointInclude mi | + mi.getFile() = ap.getFile() and + ( + mi.getManagementEndPointInclude() = "*" // all endpoints are enabled + or + mi.getManagementEndPointInclude() + .matches([ + "%dump%", "%trace%", "%logfile%", "%shutdown%", "%startup%", "%mappings%", "%env%", + "%beans%", "%sessions%" + ]) // all endpoints apart from '/health' and '/info' are considered sensitive + ) and + not exists(ManagementEndPointExclude mx | + mx.getFile() = ap.getFile() and + mx.getManagementEndPointExclude() = mi.getManagementEndPointInclude() + ) + ) + ) and + d = pom.getADependency() and + d.getArtifact().getValue() = "spring-boot-starter-actuator" +select d, "Insecure configuration of Spring Boot Actuator exposes sensitive endpoints." diff --git a/java/ql/src/experimental/Security/CWE/CWE-016/application.properties b/java/ql/src/experimental/Security/CWE/CWE-016/application.properties new file mode 100644 index 000000000000..aa489435a12b --- /dev/null +++ b/java/ql/src/experimental/Security/CWE/CWE-016/application.properties 
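Review bot: The "same sub-directory" test in the `where` clause is a bare prefix match, `.matches(pom.getFile().getParentContainer().getAbsolutePath() + "%")`, so an `application.properties` living under a sibling directory whose name merely extends the pom's directory name (`app` next to `app2`) is attributed to the wrong pom and can produce a spurious result. Anchor the prefix on a path separator while keeping the equal-directory case that the test layout relies on: `exists(string pomDir | pomDir = pom.getFile().getParentContainer().getAbsolutePath() | ap.getFile().getParentContainer().getAbsolutePath() = pomDir or ap.getFile().getParentContainer().getAbsolutePath().matches(pomDir + "/%"))`. Separately, `ApplicationProperties` only matches files whose base name is exactly `application.properties`, so profile-specific `application-<profile>.properties` files and YAML configuration are not examined; the class QLDoc should state that limitation so users do not read a clean run as proof the actuator is locked down.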
@@ -0,0 +1,22 @@ +#management.endpoints.web.base-path=/admin + + +#### BAD: All management endpoints are accessible #### +# vulnerable configuration (spring boot 1.0 - 1.4): exposes actuators by default + +# vulnerable configuration (spring boot 1.5+): requires value false to expose sensitive actuators +management.security.enabled=false + +# vulnerable configuration (spring boot 2+): exposes health and info only by default +management.endpoints.web.exposure.include=* + + +#### GOOD: All management endpoints have access control #### +# safe configuration (spring boot 1.0 - 1.4): exposes actuators by default +management.security.enabled=true + +# safe configuration (spring boot 1.5+): requires value false to expose sensitive actuators +management.security.enabled=true + +# safe configuration (spring boot 2+): exposes health and info only by default +management.endpoints.web.exposure.include=beans,info,health diff --git a/java/ql/src/experimental/Security/CWE/CWE-016/pom_bad.xml b/java/ql/src/experimental/Security/CWE/CWE-016/pom_bad.xml new file mode 100644 index 000000000000..9dd5c9c188b4 --- /dev/null +++ b/java/ql/src/experimental/Security/CWE/CWE-016/pom_bad.xml @@ -0,0 +1,50 @@ + + + 4.0.0 + + spring-boot-actuator-app + spring-boot-actuator-app + 1.0-SNAPSHOT + + + UTF-8 + 1.8 + 1.8 + + + + org.springframework.boot + spring-boot-starter-parent + 2.3.8.RELEASE + + + + + + org.springframework.boot + spring-boot-starter-web + + + org.springframework.boot + spring-boot-starter-actuator + + + org.springframework.boot + spring-boot-devtools + + + + + + + org.springframework.boot + spring-boot-test + + + + \ No newline at end of file diff --git a/java/ql/src/experimental/Security/CWE/CWE-016/pom_good.xml b/java/ql/src/experimental/Security/CWE/CWE-016/pom_good.xml new file mode 100644 index 000000000000..89f577f21e59 --- /dev/null +++ b/java/ql/src/experimental/Security/CWE/CWE-016/pom_good.xml 
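Review bot: The example file assigns `management.security.enabled` three times and `management.endpoints.web.exposure.include` twice across the BAD and GOOD sections; in a Java properties file the last occurrence of a key wins, so as written the file as a whole is the GOOD configuration and a reader cannot see the vulnerable form in isolation. Mirror the `pom_bad.xml` / `pom_good.xml` split with two properties files (names are a suggestion, e.g. `application_bad.properties` and `application_good.properties`), or comment out the BAD entries so the file loads to the safe values only. The 1.0–1.4 BAD case is correctly shown as "no entry at all", but that is easy to miss; a one-line comment such as `# (no management.security.enabled entry: actuators are exposed)` under that heading would make the absence explicit.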
@@ -0,0 +1,50 @@ + + + 4.0.0 + + spring-boot-actuator-app + spring-boot-actuator-app + 1.0-SNAPSHOT + + + UTF-8 + 1.8 + 1.8 + + + + org.springframework.boot + spring-boot-starter-parent + 2.3.8.RELEASE + + + + + + org.springframework.boot + spring-boot-starter-web + + + org.springframework.boot + spring-boot-starter-actuator + + + org.springframework.boot + spring-boot-devtools + + + + + org.springframework.boot + spring-boot-starter-security + + + + org.springframework.boot + spring-boot-test + + + + \ No newline at end of file diff --git a/java/ql/test/experimental/query-tests/security/CWE-016/InsecureSpringActuatorConfig.expected b/java/ql/test/experimental/query-tests/security/CWE-016/InsecureSpringActuatorConfig.expected new file mode 100644 index 000000000000..486302939857 --- /dev/null +++ b/java/ql/test/experimental/query-tests/security/CWE-016/InsecureSpringActuatorConfig.expected @@ -0,0 +1 @@ +| pom.xml:29:9:32:22 | dependency | Insecure configuration of Spring Boot Actuator exposes sensitive endpoints. | diff --git a/java/ql/test/experimental/query-tests/security/CWE-016/InsecureSpringActuatorConfig.qlref b/java/ql/test/experimental/query-tests/security/CWE-016/InsecureSpringActuatorConfig.qlref new file mode 100644 index 000000000000..9cd12d5e4fb1 --- /dev/null +++ b/java/ql/test/experimental/query-tests/security/CWE-016/InsecureSpringActuatorConfig.qlref @@ -0,0 +1 @@ +experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql \ No newline at end of file diff --git a/java/ql/test/experimental/query-tests/security/CWE-016/SensitiveInfo.java b/java/ql/test/experimental/query-tests/security/CWE-016/SensitiveInfo.java new file mode 100644 index 000000000000..a3ff69c1b817 --- /dev/null +++ b/java/ql/test/experimental/query-tests/security/CWE-016/SensitiveInfo.java 
@@ -0,0 +1,13 @@ +import org.springframework.stereotype.Controller; +import org.springframework.web.bind.annotation.RequestParam; +import org.springframework.web.bind.annotation.RequestMapping; + +@Controller +public class SensitiveInfo { + @RequestMapping + public void handleLogin(@RequestParam String username, @RequestParam String password) throws Exception { + if (!username.equals("") && password.equals("")) { + //Blank processing + } + } +} \ No newline at end of file diff --git a/java/ql/test/experimental/query-tests/security/CWE-016/application.properties b/java/ql/test/experimental/query-tests/security/CWE-016/application.properties new file mode 100644 index 000000000000..95e704f3a1a5 --- /dev/null +++ b/java/ql/test/experimental/query-tests/security/CWE-016/application.properties @@ -0,0 +1,14 @@ +#management.endpoints.web.base-path=/admin + +# vulnerable configuration (spring boot 1.0 - 1.4): exposes actuators by default + +# vulnerable configuration (spring boot 1.5+): requires value false to expose sensitive actuators +management.security.enabled=false + +# vulnerable configuration (spring boot 2+): exposes health and info only by default +management.endpoints.web.exposure.include=* +management.endpoints.web.exposure.exclude=beans + +management.endpoint.shutdown.enabled=true + +management.endpoint.health.show-details=when_authorized \ No newline at end of file diff --git a/java/ql/test/experimental/query-tests/security/CWE-016/pom.xml b/java/ql/test/experimental/query-tests/security/CWE-016/pom.xml new file mode 100644 index 000000000000..a9d5fa920c84 --- /dev/null +++ b/java/ql/test/experimental/query-tests/security/CWE-016/pom.xml 
@@ -0,0 +1,47 @@ + + + 4.0.0 + + spring-boot-actuator-app + spring-boot-actuator-app + 1.0-SNAPSHOT + + + UTF-8 + 1.8 + 1.8 + + + + org.springframework.boot + spring-boot-starter-parent + 2.3.8.RELEASE + + + + + + org.springframework.boot + spring-boot-starter-web + + + org.springframework.boot + spring-boot-starter-actuator + + + org.springframework.boot + spring-boot-devtools + + + + org.springframework.boot + spring-boot-test + + + + \ No newline at end of file From c8b1bc3a89b6f0c6b006449f38f4966899f0bc3d Mon Sep 17 00:00:00 2001 From: luchua-bc Date: Thu, 11 Mar 2021 21:41:34 +0000 Subject: [PATCH 2/5] Enhance the query --- .../CWE-016/InsecureSpringActuatorConfig.ql | 58 +++++++------------ .../CWE/CWE-016/application.properties | 4 +- .../security/CWE-016/application.properties | 2 +- 3 files changed, 24 insertions(+), 40 deletions(-) diff --git a/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql b/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql index 2dc11e8e38ef..06ba0d8a288e 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql @@ -1,6 +1,7 @@ /** * @name Insecure Spring Boot Actuator Configuration - * @description Exposed Spring Boot Actuator through configuration files without declarative or procedural security enforcement leads to information leak or even remote code execution. + * @description Exposed Spring Boot Actuator through configuration files without declarative or procedural + * security enforcement leads to information leak or even remote code execution. * @kind problem * @id java/insecure-spring-actuator-config * @tags security @@ -9,7 +10,6 @@ import java import semmle.code.configfiles.ConfigFiles -import semmle.code.java.security.SensitiveActions import semmle.code.xml.MavenPom /** The parent node of the `org.springframework.boot` group. */ 
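Review bot: The test project only contains a configuration that should be flagged (`include=*`, `management.security.enabled=false`, no `spring-boot-starter-security`), so none of the query's suppression paths are exercised: the `spring-boot-starter-security` dependency check, `management.security.enabled=true` for 1.x, and an include list limited to `health,info`. Add at least one companion project in its own sub-directory (the query pairs `application.properties` with a pom by directory prefix) that is expected to produce no result, so a regression that turns the query into "flag every actuator dependency" is caught by the `.expected` file. The `SensitiveInfo.java` controller in this section exists only to satisfy `isProtectedApp()`; if that gate is ever removed the file becomes dead test input and should go with it.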
@@ -26,7 +26,10 @@ class SpringBootPom extends Pom { this.getADependency().getArtifact().getValue() = "spring-boot-starter-actuator" } - /** Holds if the Spring Boot Security module is used in the project, which brings in other security related libraries. */ + /** + * Holds if the Spring Boot Security module is used in the project, which brings in other security + * related libraries. + */ predicate isSpringBootSecurityUsed() { this.getADependency().getArtifact().getValue() = "spring-boot-starter-security" } @@ -38,14 +41,14 @@ class ApplicationProperties extends ConfigPair { } /** The configuration property `management.security.enabled`. */ -class ManagementSecurityEnabled extends ApplicationProperties { - ManagementSecurityEnabled() { this.getNameElement().getName() = "management.security.enabled" } +class ManagementSecurityConfig extends ApplicationProperties { + ManagementSecurityConfig() { this.getNameElement().getName() = "management.security.enabled" } - string getManagementSecurityEnabled() { result = this.getValueElement().getValue() } + string getValue() { result = this.getValueElement().getValue().trim() } - predicate hasSecurityDisabled() { getManagementSecurityEnabled() = "false" } + predicate hasSecurityDisabled() { getValue() = "false" } - predicate hasSecurityEnabled() { getManagementSecurityEnabled() = "true" } + predicate hasSecurityEnabled() { getValue() = "true" } } /** The configuration property `management.endpoints.web.exposure.include`. */ 
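Review bot: `hasSecurityDisabled()` and `hasSecurityEnabled()` in the renamed `ManagementSecurityConfig` compare the trimmed value only against the literals `"false"` and `"true"`, so `management.security.enabled=FALSE` or `=TRUE` is treated as neither; in the 1.0–1.4 branch an upper-case `TRUE` is then reported as insecure, and in the 1.5 branch an upper-case `FALSE` is missed. If I recall Spring's boolean conversion correctly it is case-insensitive and also accepts `on`/`off`, `yes`/`no` and `1`/`0`, which widens both gaps. Suggest `predicate hasSecurityDisabled() { getValue().toLowerCase() = ["false", "off", "no", "0"] }` and `predicate hasSecurityEnabled() { getValue().toLowerCase() = ["true", "on", "yes", "1"] }`, with the accepted spellings noted in the QLDoc.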
@@ -54,56 +57,37 @@ class ManagementEndPointInclude extends ApplicationProperties { this.getNameElement().getName() = "management.endpoints.web.exposure.include" } - string getManagementEndPointInclude() { result = this.getValueElement().getValue().trim() } -} - -/** The configuration property `management.endpoints.web.exposure.exclude`. */ -class ManagementEndPointExclude extends ApplicationProperties { - ManagementEndPointExclude() { - this.getNameElement().getName() = "management.endpoints.web.exposure.exclude" - } - - string getManagementEndPointExclude() { result = this.getValueElement().getValue().trim() } -} - -/** Holds if an application handles sensitive information judging by its variable names. */ -predicate isProtectedApp() { - exists(VarAccess va | va.getVariable().getName().regexpMatch(getCommonSensitiveInfoRegex())) + string getValue() { result = this.getValueElement().getValue().trim() } } from SpringBootPom pom, ApplicationProperties ap, Dependency d where - isProtectedApp() and pom.isSpringBootActuatorUsed() and not pom.isSpringBootSecurityUsed() and ap.getFile() .getParentContainer() .getAbsolutePath() .matches(pom.getFile().getParentContainer().getAbsolutePath() + "%") and // in the same sub-directory - exists(string s | s = pom.getParentElement().getVersionString() | - s.regexpMatch("1\\.[0|1|2|3|4].*") and - not exists(ManagementSecurityEnabled me | + exists(string springBootVersion | springBootVersion = pom.getParentElement().getVersionString() | + springBootVersion.regexpMatch("1\\.[0-4].*") and // version 1.0, 1.1, ..., 1.4 + not exists(ManagementSecurityConfig me | me.hasSecurityEnabled() and me.getFile() = ap.getFile() ) or - s.regexpMatch("1\\.5.*") and - exists(ManagementSecurityEnabled me | me.hasSecurityDisabled() and me.getFile() = ap.getFile()) + springBootVersion.matches("1.5%") and // version 1.5 + exists(ManagementSecurityConfig me | me.hasSecurityDisabled() and me.getFile() = ap.getFile()) or - s.regexpMatch("2.*") and + 
springBootVersion.matches("2.%") and //version 2.x exists(ManagementEndPointInclude mi | mi.getFile() = ap.getFile() and ( - mi.getManagementEndPointInclude() = "*" // all endpoints are enabled + mi.getValue() = "*" // all endpoints are enabled or - mi.getManagementEndPointInclude() + mi.getValue() .matches([ "%dump%", "%trace%", "%logfile%", "%shutdown%", "%startup%", "%mappings%", "%env%", "%beans%", "%sessions%" - ]) // all endpoints apart from '/health' and '/info' are considered sensitive - ) and - not exists(ManagementEndPointExclude mx | - mx.getFile() = ap.getFile() and - mx.getManagementEndPointExclude() = mi.getManagementEndPointInclude() + ]) // confidential endpoints to check although all endpoints apart from '/health' and '/info' are considered sensitive by Spring ) ) ) and diff --git a/java/ql/src/experimental/Security/CWE/CWE-016/application.properties b/java/ql/src/experimental/Security/CWE/CWE-016/application.properties index aa489435a12b..4f5defdd948e 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-016/application.properties +++ b/java/ql/src/experimental/Security/CWE/CWE-016/application.properties @@ -7,7 +7,7 @@ # vulnerable configuration (spring boot 1.5+): requires value false to expose sensitive actuators management.security.enabled=false -# vulnerable configuration (spring boot 2+): exposes health and info only by default +# vulnerable configuration (spring boot 2+): exposes health and info only by default, here overridden to expose everything management.endpoints.web.exposure.include=* 
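Review bot: Removing `ManagementEndPointExclude` and its `not exists(...)` guard means the 2.x branch no longer looks at `management.endpoints.web.exposure.exclude` at all; with `include=*` and `exclude=*`, or an exclude list naming the same sensitive endpoints, the query now reports a configuration that, under Spring Boot's documented precedence (exclude wins over include), exposes nothing the query considers sensitive. The deleted check was admittedly too narrow, since it only fired when the exclude value was string-equal to the include value, but dropping it trades one false negative for a family of false positives. A per-endpoint comparison is more accurate: split both values on `,`, trim each entry, and require at least one sensitive include entry that is neither listed in exclude nor covered by an `exclude=*`; that rewrite is sketched below and should be accompanied by a test with `include=*` plus `exclude=*` expecting no result. The `where` clause this sits in starts outside the hunk.
```ql
/** The configuration property `management.endpoints.web.exposure.exclude`. */
class ManagementEndPointExclude extends ApplicationProperties {
  ManagementEndPointExclude() {
    this.getNameElement().getName() = "management.endpoints.web.exposure.exclude"
  }

  /** Gets one comma-separated, whitespace-trimmed entry of this property. */
  string getAnEndpoint() { result = this.getValueElement().getValue().splitAt(",").trim() }
}

// … unchanged: SpringBootPom, ApplicationProperties, ManagementSecurityConfig, ManagementEndPointInclude …
// … unchanged: 1.0-1.4 and 1.5 branches of the where clause …
    springBootVersion.matches("2.%") and // version 2.x
    exists(ManagementEndPointInclude mi, string endpoint |
      mi.getFile() = ap.getFile() and
      endpoint = mi.getValue().splitAt(",").trim() and
      (
        endpoint = "*" // all endpoints are enabled
        or
        endpoint.matches([
            "%dump%", "%trace%", "%logfile%", "%shutdown%", "%startup%", "%mappings%", "%env%",
            "%beans%", "%sessions%"
          ]) // confidential endpoints to check
      ) and
      // exclude takes precedence over include, so an excluded entry (or exclude=*) is not exposed
      not exists(ManagementEndPointExclude mx |
        mx.getFile() = ap.getFile() and
        mx.getAnEndpoint() = [endpoint, "*"]
      )
    )
```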
@@ -18,5 +18,5 @@ management.security.enabled=true # safe configuration (spring boot 1.5+): requires value false to expose sensitive actuators management.security.enabled=true -# safe configuration (spring boot 2+): exposes health and info only by default +# safe configuration (spring boot 2+): exposes health and info only by default, here overridden to expose one additional endpoint which we assume is intentional and safe. management.endpoints.web.exposure.include=beans,info,health diff --git a/java/ql/test/experimental/query-tests/security/CWE-016/application.properties b/java/ql/test/experimental/query-tests/security/CWE-016/application.properties index 95e704f3a1a5..797906a3ca3b 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-016/application.properties +++ b/java/ql/test/experimental/query-tests/security/CWE-016/application.properties @@ -5,7 +5,7 @@ # vulnerable configuration (spring boot 1.5+): requires value false to expose sensitive actuators management.security.enabled=false -# vulnerable configuration (spring boot 2+): exposes health and info only by default +# vulnerable configuration (spring boot 2+): exposes health and info only by default, here overridden to expose everything management.endpoints.web.exposure.include=* management.endpoints.web.exposure.exclude=beans From 1a2e341b7c767fc4b6e21e9dc38d25110aa8b50e Mon Sep 17 00:00:00 2001 From: luchua-bc Date: Fri, 12 Mar 2021 12:19:37 +0000 Subject: [PATCH 3/5] Refactor the business logic of the query into a separate predicate --- .../CWE/CWE-016/InsecureSpringActuatorConfig.ql | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql b/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql index 06ba0d8a288e..3acd22e767a3 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql 
+++ b/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql @@ -60,8 +60,11 @@ class ManagementEndPointInclude extends ApplicationProperties { string getValue() { result = this.getValueElement().getValue().trim() } } -from SpringBootPom pom, ApplicationProperties ap, Dependency d -where +/** + * Holds if `ApplicationProperties` ap of a repository managed by `SpringBootPom` pom + * has a vulnerable configuration of Spring Boot Actuator management endpoints. + */ +predicate hasConfidentialEndPointExposed(SpringBootPom pom, ApplicationProperties ap) { pom.isSpringBootActuatorUsed() and not pom.isSpringBootSecurityUsed() and ap.getFile() @@ -90,7 +93,12 @@ where ]) // confidential endpoints to check although all endpoints apart from '/health' and '/info' are considered sensitive by Spring ) ) - ) and + ) +} + +from SpringBootPom pom, ApplicationProperties ap, Dependency d +where + hasConfidentialEndPointExposed(pom, ap) and d = pom.getADependency() and d.getArtifact().getValue() = "spring-boot-starter-actuator" select d, "Insecure configuration of Spring Boot Actuator exposes sensitive endpoints." From a72b1340eb6bb3bdbea9cabd6bdd942a9365b848 Mon Sep 17 00:00:00 2001 From: luchua-bc Date: Fri, 26 Mar 2021 16:51:43 +0000 Subject: [PATCH 4/5] Add a comment on how to run the query --- .../Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql b/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql index 3acd22e767a3..772ac6cd2091 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql 
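Review bot: After the refactor the `select` still reports only the `spring-boot-starter-actuator` dependency, and the `ap` that `hasConfidentialEndPointExposed(pom, ap)` binds is discarded, so the alert points at the pom without saying which property entry made the actuator insecure. Since the predicate already pins `ap`, link it through the message: `select d, "Insecure configuration of Spring Boot Actuator exposes sensitive endpoints via $@.", ap, ap.getNameElement().getName()`, updating the `.expected` file for the extra columns. This also gives one alert per offending property rather than collapsing several into a single dependency row, which is the more useful shape for triage. The body of `hasConfidentialEndPointExposed` spans this hunk and the previous one.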
@@ -8,6 +8,14 @@
  * external/cwe-016
  */
+/*
+ * Note this query requires properties files to be indexed before it can produce results.
+ * If creating your own database with the CodeQL CLI, you should run
+ * `codeql database index-files --language=properties ...`
+ * If using lgtm.com, you should add `properties_files: true` to the index block of your
+ * lgtm.yml file (see https://lgtm.com/help/lgtm/java-extraction)
+ */
+
 import java
 import semmle.code.configfiles.ConfigFiles
 import semmle.code.xml.MavenPom
From bb23866cec93bda0bf1e132facd78344fb7a7fe4 Mon Sep 17 00:00:00 2001
From: Chris Smowton
Date: Mon, 12 Apr 2021 16:33:01 +0100
Subject: [PATCH 5/5] Add missing doc comments
---
 .../Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql b/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql
index 772ac6cd2091..e6965959d13f 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql
@@ -52,10 +52,13 @@ class ApplicationProperties extends ConfigPair {
 class ManagementSecurityConfig extends ApplicationProperties {
   ManagementSecurityConfig() { this.getNameElement().getName() = "management.security.enabled" }
+  /** Gets the whitespace-trimmed value of this property. */
   string getValue() { result = this.getValueElement().getValue().trim() }
+  /** Holds if `management.security.enabled` is set to `false`. */
   predicate hasSecurityDisabled() { getValue() = "false" }
+  /** Holds if `management.security.enabled` is set to `true`. */
   predicate hasSecurityEnabled() { getValue() = "true" }
 }
@@ -65,6 +68,7 @@ class ManagementEndPointInclude extends ApplicationProperties {
     this.getNameElement().getName() = "management.endpoints.web.exposure.include"
   }
+  /** Gets the whitespace-trimmed value of this property. */
   string getValue() { result = this.getValueElement().getValue().trim() }
 }