Merge pull request github#16628 from mbaluda/main

atorralba · web-flow · commit 2d3d49f95701 · 2024-05-31T10:31:28.000+02:00
Disable csrf for ServerHttpSecurity
diff --git a/java/ql/lib/semmle/code/java/security/SpringCsrfProtection.qll b/java/ql/lib/semmle/code/java/security/SpringCsrfProtection.qll
@@ -17,4 +17,18 @@ predicate disablesSpringCsrfProtection(MethodCall call) {
       .getReferencedCallable()
       .hasQualifiedName("org.springframework.security.config.annotation.web.configurers",
         "AbstractHttpConfigurer", "disable")
+  or
+  call.getMethod().hasName("disable") and
+  call.getReceiverType()
+      .hasQualifiedName("org.springframework.security.config.web.server",
+        "ServerHttpSecurity$CsrfSpec")
+  or
+  call.getMethod()
+      .hasQualifiedName("org.springframework.security.config.web.server", "ServerHttpSecurity",
+        "csrf") and
+  call.getArgument(0)
+      .(MemberRefExpr)
+      .getReferencedCallable()
+      .hasQualifiedName("org.springframework.security.config.web.server",
+        "ServerHttpSecurity$CsrfSpec", "disable")
 }
diff --git a/java/ql/src/change-notes/2024-05-30-disabled-csrf-query.md b/java/ql/src/change-notes/2024-05-30-disabled-csrf-query.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The query `java/spring-disabled-csrf-protection` detects disabling CSRF via `ServerHttpSecurity$CsrfSpec::disable`.
diff --git a/java/ql/test/query-tests/security/CWE-352/SpringCsrfProtectionTest.java b/java/ql/test/query-tests/security/CWE-352/SpringCsrfProtectionTest.java
@@ -1,10 +1,15 @@
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
+import org.springframework.security.config.web.server.ServerHttpSecurity;
 
 public class SpringCsrfProtectionTest {
-    protected void test(HttpSecurity http) throws Exception {
+    protected void test(HttpSecurity http, final ServerHttpSecurity httpSecurity) throws Exception {
         http.csrf(csrf -> csrf.disable()); // $ hasSpringCsrfProtectionDisabled
         http.csrf().disable(); // $ hasSpringCsrfProtectionDisabled
         http.csrf(AbstractHttpConfigurer::disable); // $ hasSpringCsrfProtectionDisabled
+
+        httpSecurity.csrf(csrf -> csrf.disable()); // $ hasSpringCsrfProtectionDisabled
+        httpSecurity.csrf().disable(); // $ hasSpringCsrfProtectionDisabled
+        httpSecurity.csrf(ServerHttpSecurity.CsrfSpec::disable); // $ hasSpringCsrfProtectionDisabled
     }
-}
+}
diff --git a/java/ql/test/stubs/springframework-5.3.8/org/springframework/security/config/web/server/ServerHttpSecurity.java b/java/ql/test/stubs/springframework-5.3.8/org/springframework/security/config/web/server/ServerHttpSecurity.java

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* The query `java/spring-disabled-csrf-protection` detects disabling CSRF via `ServerHttpSecurity$CsrfSpec::disable`.