Update SpringCsrfProtection.qll

Author: mbaluda

java/ql/lib/semmle/code/java/security/SpringCsrfProtection.qll

@@ -5,15 +5,9 @@ import java
 /** Holds if `call` disables CSRF protection in Spring. */
 predicate disablesSpringCsrfProtection(MethodCall call) {
   call.getMethod().hasName("disable") and
-  (
-    call.getReceiverType()
-        .hasQualifiedName("org.springframework.security.config.annotation.web.configurers",
-          "CsrfConfigurer<HttpSecurity>")
-    or
-    call.getReceiverType()
-        .hasQualifiedName("org.springframework.security.config.web.server",
-          "ServerHttpSecurity$CsrfSpec")
-  )
+  call.getReceiverType()
+      .hasQualifiedName("org.springframework.security.config.annotation.web.configurers",
+        "CsrfConfigurer<HttpSecurity>")
   or
   call.getMethod()
       .hasQualifiedName("org.springframework.security.config.annotation.web.builders",
@@ -23,4 +17,18 @@ predicate disablesSpringCsrfProtection(MethodCall call) {
       .getReferencedCallable()
       .hasQualifiedName("org.springframework.security.config.annotation.web.configurers",
         "AbstractHttpConfigurer", "disable")
+  or
+  call.getMethod().hasName("disable") and
+  call.getReceiverType()
+      .hasQualifiedName("org.springframework.security.config.web.server",
+        "ServerHttpSecurity$CsrfSpec")
+  or
+  call.getMethod()
+      .hasQualifiedName("org.springframework.security.config.web.server", "ServerHttpSecurity",
+        "csrf") and
+  call.getArgument(0)
+      .(MemberRefExpr)
+      .getReferencedCallable()
+      .hasQualifiedName("org.springframework.security.config.web.server",
+        "ServerHttpSecurity$CsrfSpec", "disable")
 }