Commit 0c69253

Jami Cogswell authored and committed
Java: add qhelp
1 parent b3b7817 commit 0c69253

3 files changed: +53 −0 lines changed

Lines changed: 43 additions & 0 deletions
@@ -0,0 +1,43 @@
1+
<!DOCTYPE qhelp SYSTEM "qhelp.dtd">
2+
<qhelp>
3+
4+
<overview>
5+
<p>When you set up a web server to receive a request from a client without any mechanism
6+
for verifying that it was intentionally sent, then it is vulnerable to attack. An attacker can
7+
trick a client into making an unintended request to the web server that will be treated as
8+
an authentic request. This can be done via a URL, image load, XMLHttpRequest, etc. and can
9+
result in exposure of data or unintended code execution.</p>
10+
</overview>
11+
12+
<recommendation>
13+
<p>When handling requests, make sure any requests that change application state are protected from
14+
Cross Site Request Forgery (CSRF). Some application frameworks, such as Spring, provide default CSRF
15+
protection for HTTP request types that may change application state, such as POST. Other HTTP request
16+
types, such as GET, should not be used for actions that change the state of the application, since these
17+
request types are not default-protected from CSRF by the framework.</p>
18+
</recommendation>
19+
20+
<example>
21+
<p>The following example shows a Spring request handler using a GET request for a state-changing action.
22+
Since a GET request does not have default CSRF protection in Spring, this type of request should
23+
not be used when modifying application state. Instead use one of Spring's default-protected request
24+
types, such as POST.</p>
25+
26+
<sample src="CsrfUnprotectedRequestTypeBad.java" />
27+
28+
<sample src="CsrfUnprotectedRequestTypeGood.java" />
29+
</example>
30+
31+
<references>
32+
<li>
33+
OWASP:
34+
<a href="https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)">Cross-Site Request Forgery (CSRF)</a>.
35+
</li>
36+
<li>
37+
Spring Security Reference:
38+
<a href="https://docs.spring.io/spring-security/reference/servlet/exploits/csrf.html">
39+
Cross Site Request Forgery (CSRF)
40+
</a>.
41+
</li>
42+
</references>
43+
</qhelp>
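Review bot: the recommendation paragraph (lines 13-17 of the hunk) attributes the default CSRF protection to "Some application frameworks, such as Spring", but that protection comes from Spring Security's CsrfFilter, not from Spring MVC itself; a handler mapped with @RequestMapping in an application without Spring Security on the classpath, or with csrf().disable() in its configuration, is unprotected regardless of HTTP method. Suggest wording it as "Spring Security, when enabled, protects non-safe request methods such as POST by default" so readers do not conclude that moving to POST is sufficient on its own. In the same paragraph, the default CsrfFilter matcher skips GET, HEAD, TRACE and OPTIONS, so "Other HTTP request types, such as GET" undersells the scope; listing all four makes the query's intent clear. Two smaller points: the overview's "unintended code execution" is not what CSRF yields, "state changes made with the victim's credentials" is the accurate consequence; and the OWASP link uses the retired wiki URL (www.owasp.org/index.php/...), which now redirects, so the current page https://owasp.org/www-community/attacks/csrf would be the better reference.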
Lines changed: 5 additions & 0 deletions
@@ -0,0 +1,5 @@
1+
// BAD - a GET request should not be used for a state-changing action like transfer
2+
@RequestMapping(value="transfer", method=RequestMethod.GET)
3+
public boolean transfer(HttpServletRequest request, HttpServletResponse response){
4+
return doTransfer(request, response);
5+
}
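Review bot: the comment in this hunk frames the bad pattern as "a GET request", but the same weakness applies to HEAD, TRACE and OPTIONS, which Spring Security's default CSRF matcher also ignores, and most code bases write the shorthand @GetMapping("transfer") rather than method=RequestMethod.GET; the sample (and the query it illustrates) should say it covers those forms too. A one-line comment stating that doTransfer is assumed to perform the state change would also make the fragment self-explanatory, since the method returns boolean and nothing in the snippet shows a side effect.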
Lines changed: 5 additions & 0 deletions
@@ -0,0 +1,5 @@
1+
// GOOD - use a POST request for a state-changing action
2+
@RequestMapping(value="transfer", method=RequestMethod.POST)
3+
public boolean transfer(HttpServletRequest request, HttpServletResponse response){
4+
return doTransfer(request, response);
5+
}
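Review bot: the "GOOD" comment presents switching the verb to POST as the fix, but POST is only protected when Spring Security's CSRF filter is active for this endpoint; with csrf().disable(), or without Spring Security at all, this handler is exactly as forgeable as the GET version in the other sample. Suggest the comment state the precondition, e.g. "// GOOD - POST is covered by Spring Security's default CSRF protection (requires Spring Security with CSRF enabled)", so the qhelp does not imply the method alone carries the guarantee.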
