Java: add class for Spring request mapping methods that are not default-protected from CSRF

Author: Jami Cogswell

java/ql/lib/semmle/code/java/security/CsrfUnprotectedRequestTypeQuery.qll

@@ -0,0 +1,29 @@
+/** Provides classes and predicates to reason about CSRF vulnerabilities due to use of unprotected HTTP request types. */
+
+import java
+private import semmle.code.java.frameworks.spring.SpringController
+
+/** A method that is not protected from CSRF by default. */
+abstract class CsrfUnprotectedMethod extends Method { }
+
+/**
+ * A Spring request mapping method that is not protected from CSRF by default.
+ *
+ * https://docs.spring.io/spring-security/reference/features/exploits/csrf.html#csrf-protection-read-only
+ */
+private class SpringCsrfUnprotectedMethod extends CsrfUnprotectedMethod instanceof SpringRequestMappingMethod
+{
+  SpringCsrfUnprotectedMethod() {
+    this.hasAnnotation("org.springframework.web.bind.annotation", "GetMapping")
+    or
+    this.hasAnnotation("org.springframework.web.bind.annotation", "RequestMapping") and
+    (
+      this.getAnAnnotation().getAnEnumConstantArrayValue("method").getName() =
+        ["GET", "HEAD", "OPTIONS", "TRACE"]
+      or
+      // If no request type is specified with `@RequestMapping`, then all request types
+      // are possible, so we treat this as unsafe; example: @RequestMapping(value = "test").
+      not exists(this.getAnAnnotation().getAnArrayValue("method"))
+    )
+  }
+}