1
1
/** Provides classes and predicates to reason about exposed actuators in Spring Boot. */
2
2
3
3
import java
4
-
5
- /** The class `org.springframework.security.config.annotation.web.builders.HttpSecurity`. */
6
- class TypeHttpSecurity extends Class {
7
- TypeHttpSecurity ( ) {
8
- this .hasQualifiedName ( "org.springframework.security.config.annotation.web.builders" ,
9
- "HttpSecurity" )
10
- }
11
- }
12
-
13
- /**
14
- * The class
15
- * `org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer`.
16
- */
17
- class TypeAuthorizedUrl extends Class {
18
- TypeAuthorizedUrl ( ) {
19
- this .hasQualifiedName ( "org.springframework.security.config.annotation.web.configurers" ,
20
- "ExpressionUrlAuthorizationConfigurer<HttpSecurity>$AuthorizedUrl<>" )
21
- }
22
- }
4
+ private import semmle.code.java.frameworks.spring.SpringSecurity
5
+ private import semmle.code.java.frameworks.spring.SpringBoot
23
6
24
7
/**
25
- * The class `org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry`.
26
- */
27
- class TypeAbstractRequestMatcherRegistry extends Class {
28
- TypeAbstractRequestMatcherRegistry ( ) {
29
- this .hasQualifiedName ( "org.springframework.security.config.annotation.web" ,
30
- "AbstractRequestMatcherRegistry<AuthorizedUrl<>>" )
31
- }
32
- }
33
-
34
- /**
35
- * The class `org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest`.
36
- */
37
- class TypeEndpointRequest extends Class {
38
- TypeEndpointRequest ( ) {
39
- this .hasQualifiedName ( "org.springframework.boot.actuate.autoconfigure.security.servlet" ,
40
- "EndpointRequest" )
41
- }
42
- }
43
-
44
- /** A call to `EndpointRequest.toAnyEndpoint` method. */
45
- class ToAnyEndpointCall extends MethodCall {
46
- ToAnyEndpointCall ( ) {
47
- this .getMethod ( ) .hasName ( "toAnyEndpoint" ) and
48
- this .getMethod ( ) .getDeclaringType ( ) instanceof TypeEndpointRequest
49
- }
50
- }
51
-
52
- /**
53
- * A call to `HttpSecurity.requestMatcher` method with argument `RequestMatcher.toAnyEndpoint()`.
8
+ * A call to `HttpSecurity.requestMatcher` method with argument
9
+ * `RequestMatcher.toAnyEndpoint()`.
54
10
*/
55
- class RequestMatcherCall extends MethodCall {
11
+ private class RequestMatcherCall extends MethodCall {
56
12
RequestMatcherCall ( ) {
57
13
this .getMethod ( ) .hasName ( "requestMatcher" ) and
58
14
this .getMethod ( ) .getDeclaringType ( ) instanceof TypeHttpSecurity and
@@ -64,94 +20,70 @@ class RequestMatcherCall extends MethodCall {
64
20
* A call to `HttpSecurity.requestMatchers` method with lambda argument
65
21
* `RequestMatcher.toAnyEndpoint()`.
66
22
*/
67
- class RequestMatchersCall extends MethodCall {
23
+ private class RequestMatchersCall extends MethodCall {
68
24
RequestMatchersCall ( ) {
69
25
this .getMethod ( ) .hasName ( "requestMatchers" ) and
70
26
this .getMethod ( ) .getDeclaringType ( ) instanceof TypeHttpSecurity and
71
27
this .getArgument ( 0 ) .( LambdaExpr ) .getExprBody ( ) instanceof ToAnyEndpointCall
72
28
}
73
29
}
74
30
75
- /** A call to `HttpSecurity.authorizeRequests` method. */
76
- class AuthorizeRequestsCall extends MethodCall {
77
- AuthorizeRequestsCall ( ) {
78
- this .getMethod ( ) .hasName ( "authorizeRequests" ) and
79
- this .getMethod ( ) .getDeclaringType ( ) instanceof TypeHttpSecurity
80
- }
81
- }
82
-
83
- /** A call to `AuthorizedUrl.permitAll` method. */
84
- class PermitAllCall extends MethodCall {
85
- PermitAllCall ( ) {
86
- this .getMethod ( ) .hasName ( "permitAll" ) and
87
- this .getMethod ( ) .getDeclaringType ( ) instanceof TypeAuthorizedUrl
88
- }
89
-
90
- /** Holds if `permitAll` is called on request(s) mapped to actuator endpoint(s). */
91
- predicate permitsSpringBootActuators ( ) {
92
- exists ( AuthorizeRequestsCall authorizeRequestsCall |
93
- // .requestMatcher(EndpointRequest).authorizeRequests([...]).[...]
94
- authorizeRequestsCall .getQualifier ( ) instanceof RequestMatcherCall
95
- or
96
- // .requestMatchers(matcher -> EndpointRequest).authorizeRequests([...]).[...]
97
- authorizeRequestsCall .getQualifier ( ) instanceof RequestMatchersCall
98
- |
99
- // [...].authorizeRequests(r -> r.anyRequest().permitAll()) or
100
- // [...].authorizeRequests(r -> r.requestMatchers(EndpointRequest).permitAll())
101
- authorizeRequestsCall .getArgument ( 0 ) .( LambdaExpr ) .getExprBody ( ) = this and
102
- (
103
- this .getQualifier ( ) instanceof AnyRequestCall or
104
- this .getQualifier ( ) instanceof RegistryRequestMatchersCall
105
- )
106
- or
107
- // [...].authorizeRequests().requestMatchers(EndpointRequest).permitAll() or
108
- // [...].authorizeRequests().anyRequest().permitAll()
109
- authorizeRequestsCall .getNumArgument ( ) = 0 and
110
- exists ( RegistryRequestMatchersCall registryRequestMatchersCall |
111
- registryRequestMatchersCall .getQualifier ( ) = authorizeRequestsCall and
112
- this .getQualifier ( ) = registryRequestMatchersCall
113
- )
114
- or
115
- exists ( AnyRequestCall anyRequestCall |
116
- anyRequestCall .getQualifier ( ) = authorizeRequestsCall and
117
- this .getQualifier ( ) = anyRequestCall
118
- )
119
- )
120
- or
121
- exists ( AuthorizeRequestsCall authorizeRequestsCall |
122
- // http.authorizeRequests([...]).[...]
123
- authorizeRequestsCall .getQualifier ( ) instanceof VarAccess
124
- |
125
- // [...].authorizeRequests(r -> r.requestMatchers(EndpointRequest).permitAll())
126
- authorizeRequestsCall .getArgument ( 0 ) .( LambdaExpr ) .getExprBody ( ) = this and
127
- this .getQualifier ( ) instanceof RegistryRequestMatchersCall
128
- or
129
- // [...].authorizeRequests().requestMatchers(EndpointRequest).permitAll() or
130
- authorizeRequestsCall .getNumArgument ( ) = 0 and
131
- exists ( RegistryRequestMatchersCall registryRequestMatchersCall |
132
- registryRequestMatchersCall .getQualifier ( ) = authorizeRequestsCall and
133
- this .getQualifier ( ) = registryRequestMatchersCall
134
- )
135
- )
136
- }
137
- }
138
-
139
- /** A call to `AbstractRequestMatcherRegistry.anyRequest` method. */
140
- class AnyRequestCall extends MethodCall {
141
- AnyRequestCall ( ) {
142
- this .getMethod ( ) .hasName ( "anyRequest" ) and
143
- this .getMethod ( ) .getDeclaringType ( ) instanceof TypeAbstractRequestMatcherRegistry
144
- }
145
- }
146
-
147
31
/**
148
32
* A call to `AbstractRequestMatcherRegistry.requestMatchers` method with an argument
149
33
* `RequestMatcher.toAnyEndpoint()`.
150
34
*/
151
- class RegistryRequestMatchersCall extends MethodCall {
35
+ private class RegistryRequestMatchersCall extends MethodCall {
152
36
RegistryRequestMatchersCall ( ) {
153
37
this .getMethod ( ) .hasName ( "requestMatchers" ) and
154
38
this .getMethod ( ) .getDeclaringType ( ) instanceof TypeAbstractRequestMatcherRegistry and
155
39
this .getAnArgument ( ) instanceof ToAnyEndpointCall
156
40
}
157
41
}
42
+
43
+ /** Holds if `permitAllCall` is called on request(s) mapped to actuator endpoint(s). */
44
+ predicate permitsSpringBootActuators ( PermitAllCall permitAllCall ) {
45
+ exists ( AuthorizeRequestsCall authorizeRequestsCall |
46
+ // .requestMatcher(EndpointRequest).authorizeRequests([...]).[...]
47
+ authorizeRequestsCall .getQualifier ( ) instanceof RequestMatcherCall
48
+ or
49
+ // .requestMatchers(matcher -> EndpointRequest).authorizeRequests([...]).[...]
50
+ authorizeRequestsCall .getQualifier ( ) instanceof RequestMatchersCall
51
+ |
52
+ // [...].authorizeRequests(r -> r.anyRequest().permitAll()) or
53
+ // [...].authorizeRequests(r -> r.requestMatchers(EndpointRequest).permitAll())
54
+ authorizeRequestsCall .getArgument ( 0 ) .( LambdaExpr ) .getExprBody ( ) = permitAllCall and
55
+ (
56
+ permitAllCall .getQualifier ( ) instanceof AnyRequestCall or
57
+ permitAllCall .getQualifier ( ) instanceof RegistryRequestMatchersCall
58
+ )
59
+ or
60
+ // [...].authorizeRequests().requestMatchers(EndpointRequest).permitAll() or
61
+ // [...].authorizeRequests().anyRequest().permitAll()
62
+ authorizeRequestsCall .getNumArgument ( ) = 0 and
63
+ exists ( RegistryRequestMatchersCall registryRequestMatchersCall |
64
+ registryRequestMatchersCall .getQualifier ( ) = authorizeRequestsCall and
65
+ permitAllCall .getQualifier ( ) = registryRequestMatchersCall
66
+ )
67
+ or
68
+ exists ( AnyRequestCall anyRequestCall |
69
+ anyRequestCall .getQualifier ( ) = authorizeRequestsCall and
70
+ permitAllCall .getQualifier ( ) = anyRequestCall
71
+ )
72
+ )
73
+ or
74
+ exists ( AuthorizeRequestsCall authorizeRequestsCall |
75
+ // http.authorizeRequests([...]).[...]
76
+ authorizeRequestsCall .getQualifier ( ) instanceof VarAccess
77
+ |
78
+ // [...].authorizeRequests(r -> r.requestMatchers(EndpointRequest).permitAll())
79
+ authorizeRequestsCall .getArgument ( 0 ) .( LambdaExpr ) .getExprBody ( ) = permitAllCall and
80
+ permitAllCall .getQualifier ( ) instanceof RegistryRequestMatchersCall
81
+ or
82
+ // [...].authorizeRequests().requestMatchers(EndpointRequest).permitAll() or
83
+ authorizeRequestsCall .getNumArgument ( ) = 0 and
84
+ exists ( RegistryRequestMatchersCall registryRequestMatchersCall |
85
+ registryRequestMatchersCall .getQualifier ( ) = authorizeRequestsCall and
86
+ permitAllCall .getQualifier ( ) = registryRequestMatchersCall
87
+ )
88
+ )
89
+ }