Java: Add source code for experimental queries as is.

Author: michaelnebel

java/src/CWE-016/InsecureSpringActuatorConfig.qhelp

@@ -0,0 +1,47 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+  <overview>
+    <p>Spring Boot is a popular framework that facilitates the development of stand-alone applications
+and micro services. Spring Boot Actuator helps to expose production-ready support features against 
+Spring Boot applications.</p>
+
+    <p>Endpoints of Spring Boot Actuator allow to monitor and interact with a Spring Boot application. 
+Exposing unprotected actuator endpoints through configuration files can lead to information disclosure 
+or even remote code execution vulnerability.</p>
+
+    <p>Rather than programmatically permitting endpoint requests or enforcing access control, frequently
+developers simply leave management endpoints publicly accessible in the application configuration file 
+<code>application.properties</code> without enforcing access control through Spring Security.</p>
+  </overview>
+
+  <recommendation>
+    <p>Declare the Spring Boot Starter Security module in XML configuration or programmatically enforce 
+security checks on management endpoints using Spring Security. Otherwise accessing management endpoints 
+on a different HTTP port other than the port that the web application is listening on also helps to 
+improve the security.</p>
+  </recommendation>
+
+  <example>
+    <p>The following examples show both 'BAD' and 'GOOD' configurations. In the 'BAD' configuration, 
+no security module is declared and sensitive management endpoints are exposed. In the 'GOOD' configuration, 
+security is enforced and only endpoints requiring exposure are exposed.</p>
+    <sample src="pom_good.xml" />
+    <sample src="pom_bad.xml" />
+    <sample src="application.properties" />
+  </example>
+
+  <references>
+    <li>
+      Spring Boot documentation:
+      <a href="https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html">Spring Boot Actuator: Production-ready Features</a>
+    </li>
+    <li>
+      VERACODE Blog:
+      <a href="https://www.veracode.com/blog/research/exploiting-spring-boot-actuators">Exploiting Spring Boot Actuators</a>
+    </li>
+    <li>
+      HackerOne Report:
+      <a href="https://hackerone.com/reports/862589">Spring Actuator endpoints publicly available, leading to account takeover</a>
+    </li>
+  </references>
+</qhelp>

java/src/CWE-016/InsecureSpringActuatorConfig.ql

@@ -0,0 +1,119 @@
+/**
+ * @name Insecure Spring Boot Actuator Configuration
+ * @description Exposed Spring Boot Actuator through configuration files without declarative or procedural
+ *              security enforcement leads to information leak or even remote code execution.
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @id java/insecure-spring-actuator-config
+ * @tags security
+ *       experimental
+ *       external/cwe/cwe-016
+ */
+
+/*
+ * Note this query requires properties files to be indexed before it can produce results.
+ * If creating your own database with the CodeQL CLI, you should run
+ * `codeql database index-files --language=properties ...`
+ * If using lgtm.com, you should add `properties_files: true` to the index block of your
+ * lgtm.yml file (see https://lgtm.com/help/lgtm/java-extraction)
+ */
+
+import java
+import semmle.code.configfiles.ConfigFiles
+import semmle.code.xml.MavenPom
+
+/** The parent node of the `org.springframework.boot` group. */
+class SpringBootParent extends Parent {
+  SpringBootParent() { this.getGroup().getValue() = "org.springframework.boot" }
+}
+
+/** Class of Spring Boot dependencies. */
+class SpringBootPom extends Pom {
+  SpringBootPom() { this.getParentElement() instanceof SpringBootParent }
+
+  /** Holds if the Spring Boot Actuator module `spring-boot-starter-actuator` is used in the project. */
+  predicate isSpringBootActuatorUsed() {
+    this.getADependency().getArtifact().getValue() = "spring-boot-starter-actuator"
+  }
+
+  /**
+   * Holds if the Spring Boot Security module is used in the project, which brings in other security
+   * related libraries.
+   */
+  predicate isSpringBootSecurityUsed() {
+    this.getADependency().getArtifact().getValue() = "spring-boot-starter-security"
+  }
+}
+
+/** The properties file `application.properties`. */
+class ApplicationProperties extends ConfigPair {
+  ApplicationProperties() { this.getFile().getBaseName() = "application.properties" }
+}
+
+/** The configuration property `management.security.enabled`. */
+class ManagementSecurityConfig extends ApplicationProperties {
+  ManagementSecurityConfig() { this.getNameElement().getName() = "management.security.enabled" }
+
+  /** Gets the whitespace-trimmed value of this property. */
+  string getValue() { result = this.getValueElement().getValue().trim() }
+
+  /** Holds if `management.security.enabled` is set to `false`. */
+  predicate hasSecurityDisabled() { this.getValue() = "false" }
+
+  /** Holds if `management.security.enabled` is set to `true`. */
+  predicate hasSecurityEnabled() { this.getValue() = "true" }
+}
+
+/** The configuration property `management.endpoints.web.exposure.include`. */
+class ManagementEndPointInclude extends ApplicationProperties {
+  ManagementEndPointInclude() {
+    this.getNameElement().getName() = "management.endpoints.web.exposure.include"
+  }
+
+  /** Gets the whitespace-trimmed value of this property. */
+  string getValue() { result = this.getValueElement().getValue().trim() }
+}
+
+/**
+ * Holds if `ApplicationProperties` ap of a repository managed by `SpringBootPom` pom
+ * has a vulnerable configuration of Spring Boot Actuator management endpoints.
+ */
+predicate hasConfidentialEndPointExposed(SpringBootPom pom, ApplicationProperties ap) {
+  pom.isSpringBootActuatorUsed() and
+  not pom.isSpringBootSecurityUsed() and
+  ap.getFile()
+      .getParentContainer()
+      .getAbsolutePath()
+      .matches(pom.getFile().getParentContainer().getAbsolutePath() + "%") and // in the same sub-directory
+  exists(string springBootVersion | springBootVersion = pom.getParentElement().getVersionString() |
+    springBootVersion.regexpMatch("1\\.[0-4].*") and // version 1.0, 1.1, ..., 1.4
+    not exists(ManagementSecurityConfig me |
+      me.hasSecurityEnabled() and me.getFile() = ap.getFile()
+    )
+    or
+    springBootVersion.matches("1.5%") and // version 1.5
+    exists(ManagementSecurityConfig me | me.hasSecurityDisabled() and me.getFile() = ap.getFile())
+    or
+    springBootVersion.matches("2.%") and //version 2.x
+    exists(ManagementEndPointInclude mi |
+      mi.getFile() = ap.getFile() and
+      (
+        mi.getValue() = "*" // all endpoints are enabled
+        or
+        mi.getValue()
+            .matches([
+                "%dump%", "%trace%", "%logfile%", "%shutdown%", "%startup%", "%mappings%", "%env%",
+                "%beans%", "%sessions%"
+              ]) // confidential endpoints to check although all endpoints apart from '/health' and '/info' are considered sensitive by Spring
+      )
+    )
+  )
+}
+
+from SpringBootPom pom, ApplicationProperties ap, Dependency d
+where
+  hasConfidentialEndPointExposed(pom, ap) and
+  d = pom.getADependency() and
+  d.getArtifact().getValue() = "spring-boot-starter-actuator"
+select d, "Insecure configuration of Spring Boot Actuator exposes sensitive endpoints."

java/src/CWE-016/SpringBootActuators.java

@@ -0,0 +1,22 @@
+@Configuration(proxyBeanMethods = false)
+public class SpringBootActuators extends WebSecurityConfigurerAdapter {
+
+  @Override
+  protected void configure(HttpSecurity http) throws Exception {
+    // BAD: Unauthenticated access to Spring Boot actuator endpoints is allowed
+    http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests((requests) ->
+        requests.anyRequest().permitAll());
+  }
+}
+
+@Configuration(proxyBeanMethods = false)
+public class ActuatorSecurity extends WebSecurityConfigurerAdapter {
+
+  @Override
+  protected void configure(HttpSecurity http) throws Exception {
+    // GOOD: only users with ENDPOINT_ADMIN role are allowed to access the actuator endpoints
+    http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests((requests) ->
+        requests.anyRequest().hasRole("ENDPOINT_ADMIN"));
+    http.httpBasic();
+  }
+}

java/src/CWE-016/SpringBootActuators.qhelp

@@ -0,0 +1,39 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>Spring Boot includes a number of additional features called actuators that let you monitor
+and interact with your web application. Exposing unprotected actuator endpoints via JXM or HTTP
+can, however, lead to information disclosure or even to remote code execution vulnerability.</p>
+</overview>
+
+<recommendation>
+<p>Since actuator endpoints may contain sensitive information, careful consideration should be
+given about when to expose them. You should take care to secure exposed HTTP endpoints in the same
+way that you would any other sensitive URL. If Spring Security is present, endpoints are secured by
+default using Spring Security’s content-negotiation strategy. If you wish to configure custom
+security for HTTP endpoints, for example, only allow users with a certain role to access them,
+Spring Boot provides some convenient <code>RequestMatcher</code> objects that can be used in
+combination with Spring Security.</p>
+</recommendation>
+
+<example>
+<p>In the first example, the custom security configuration allows unauthenticated access to all
+actuator endpoints. This may lead to sensitive information disclosure and should be avoided.</p>
+<p>In the second example, only users with <code>ENDPOINT_ADMIN</code> role are allowed to access
+the actuator endpoints.</p>
+
+<sample src="SpringBootActuators.java" />
+</example>
+
+<references>
+<li>
+Spring Boot documentation:
+<a href="https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html">Actuators</a>.
+</li>
+<li>
+<a href="https://www.veracode.com/blog/research/exploiting-spring-boot-actuators">Exploiting Spring Boot Actuators</a>
+</li>
+</references>
+</qhelp>

java/src/CWE-016/SpringBootActuators.ql

@@ -0,0 +1,19 @@
+/**
+ * @name Exposed Spring Boot actuators
+ * @description Exposing Spring Boot actuators may lead to internal application's information leak
+ *              or even to remote code execution.
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @id java/spring-boot-exposed-actuators
+ * @tags security
+ *       experimental
+ *       external/cwe/cwe-16
+ */
+
+import java
+import SpringBootActuators
+
+from PermitAllCall permitAllCall
+where permitAllCall.permitsSpringBootActuators()
+select permitAllCall, "Unauthenticated access to Spring Boot actuator is allowed."