Disable csrf for ServerHttpSecurity

Author: mbaluda

java/ql/lib/semmle/code/java/security/SpringCsrfProtection.qll

@@ -5,9 +5,15 @@ import java
 /** Holds if `call` disables CSRF protection in Spring. */
 predicate disablesSpringCsrfProtection(MethodCall call) {
   call.getMethod().hasName("disable") and
-  call.getReceiverType()
-      .hasQualifiedName("org.springframework.security.config.annotation.web.configurers",
-        "CsrfConfigurer<HttpSecurity>")
+  (
+    call.getReceiverType()
+        .hasQualifiedName("org.springframework.security.config.annotation.web.configurers",
+          "CsrfConfigurer<HttpSecurity>")
+    or
+    call.getReceiverType()
+        .hasQualifiedName("org.springframework.security.config.web.server",
+          "ServerHttpSecurity$CsrfSpec")
+  )
   or
   call.getMethod()
       .hasQualifiedName("org.springframework.security.config.annotation.web.builders",

java/ql/test/query-tests/security/CWE-352/SpringCsrfProtectionTest.java

@@ -1,10 +1,15 @@
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
+import org.springframework.security.config.web.server.ServerHttpSecurity;
 
 public class SpringCsrfProtectionTest {
-    protected void test(HttpSecurity http) throws Exception {
+    protected void test(HttpSecurity http, final ServerHttpSecurity httpSecurity) throws Exception {
         http.csrf(csrf -> csrf.disable()); // $ hasSpringCsrfProtectionDisabled
         http.csrf().disable(); // $ hasSpringCsrfProtectionDisabled
         http.csrf(AbstractHttpConfigurer::disable); // $ hasSpringCsrfProtectionDisabled
+
+        httpSecurity.csrf(csrf -> csrf.disable()); // $ hasSpringCsrfProtectionDisabled
+        httpSecurity.csrf().disable(); // $ hasSpringCsrfProtectionDisabled
+        httpSecurity.csrf(ServerHttpSecurity.CsrfSpec::disable); // $ hasSpringCsrfProtectionDisabled
     }
-}
+}