Java: add APIs and tests for more recent Spring versions: authorizeHttpRequests, AuthorizeHttpRequestsConfigurer, securityMatcher(s)

Author: Jami Cogswell

java/ql/lib/semmle/code/java/frameworks/spring/SpringSecurity.qll

@@ -15,12 +15,17 @@ class TypeHttpSecurity extends Class {
 
 /**
  * The class
- * `org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer`.
+ * `org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer$AuthorizedUrl`
+ * or the class
+ * `org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer$AuthorizedUrl`.
  */
 class TypeAuthorizedUrl extends Class {
   TypeAuthorizedUrl() {
     this.hasQualifiedName("org.springframework.security.config.annotation.web.configurers",
-      "ExpressionUrlAuthorizationConfigurer<HttpSecurity>$AuthorizedUrl<>")
+      [
+        "ExpressionUrlAuthorizationConfigurer<HttpSecurity>$AuthorizedUrl<>",
+        "AuthorizeHttpRequestsConfigurer<HttpSecurity>$AuthorizedUrl<>"
+      ])
   }
 }
 
@@ -34,14 +39,32 @@ class TypeAbstractRequestMatcherRegistry extends Class {
   }
 }
 
-/** A call to `HttpSecurity.authorizeRequests` method. */
+/**
+ * A call to `HttpSecurity.authorizeRequests` method.
+ *
+ * Note: this API is deprecated and scheduled for removal
+ * in Spring Security 7.0.
+ */
 class AuthorizeRequestsCall extends MethodCall {
   AuthorizeRequestsCall() {
     this.getMethod().hasName("authorizeRequests") and
     this.getMethod().getDeclaringType() instanceof TypeHttpSecurity
   }
 }
 
+/**
+ * A call to `HttpSecurity.authorizeHttpRequests` method.
+ *
+ * Note: the no-argument version of this API is deprecated
+ * and scheduled for removal in Spring Security 7.0.
+ */
+class AuthorizeHttpRequestsCall extends MethodCall {
+  AuthorizeHttpRequestsCall() {
+    this.getMethod().hasName("authorizeHttpRequests") and
+    this.getMethod().getDeclaringType() instanceof TypeHttpSecurity
+  }
+}
+
 /** A call to `AuthorizedUrl.permitAll` method. */
 class PermitAllCall extends MethodCall {
   PermitAllCall() {

java/ql/lib/semmle/code/java/security/SpringBootActuatorsQuery.qll

@@ -6,7 +6,7 @@ private import semmle.code.java.frameworks.spring.SpringBoot
 
 /**
  * A call to `HttpSecurity.requestMatcher` method with argument
- * `RequestMatcher.toAnyEndpoint()`.
+ * `EndpointRequest.toAnyEndpoint()`.
  */
 private class RequestMatcherCall extends MethodCall {
   RequestMatcherCall() {
@@ -18,7 +18,7 @@ private class RequestMatcherCall extends MethodCall {
 
 /**
  * A call to `HttpSecurity.requestMatchers` method with lambda argument
- * `RequestMatcher.toAnyEndpoint()`.
+ * `EndpointRequest.toAnyEndpoint()`.
  */
 private class RequestMatchersCall extends MethodCall {
   RequestMatchersCall() {
@@ -40,49 +40,106 @@ private class RegistryRequestMatchersCall extends MethodCall {
   }
 }
 
+/**
+ * A call to `HttpSecurity.securityMatcher` method with argument
+ * `EndpointRequest.toAnyEndpoint()`.
+ */
+private class SecurityMatcherCall extends MethodCall {
+  SecurityMatcherCall() {
+    this.getMethod().hasName("securityMatcher") and
+    this.getMethod().getDeclaringType() instanceof TypeHttpSecurity and
+    this.getArgument(0) instanceof ToAnyEndpointCall
+  }
+}
+
+/**
+ * A call to `HttpSecurity.securityMatchers` method with lambda argument
+ * `EndpointRequest.toAnyEndpoint()`.
+ */
+private class SecurityMatchersCall extends MethodCall {
+  SecurityMatchersCall() {
+    this.getMethod().hasName("securityMatchers") and
+    this.getMethod().getDeclaringType() instanceof TypeHttpSecurity and
+    this.getArgument(0).(LambdaExpr).getExprBody() instanceof ToAnyEndpointCall
+  }
+}
+
+/**
+ * A call to a method that authorizes requests, e.g. `authorizeRequests` or
+ * `authorizeHttpRequests`.
+ */
+private class AuthorizeCall extends MethodCall {
+  AuthorizeCall() {
+    this instanceof AuthorizeRequestsCall or
+    this instanceof AuthorizeHttpRequestsCall
+  }
+}
+
+/**
+ * A call to a matcher method with argument
+ * `EndpointRequest.toAnyEndpoint()`.
+ */
+private class MatcherCall extends MethodCall {
+  MatcherCall() {
+    this instanceof RequestMatcherCall or
+    this instanceof SecurityMatcherCall
+  }
+}
+
+/**
+ * A call to a matchers method with argument
+ * `EndpointRequest.toAnyEndpoint()`.
+ */
+private class MatchersCall extends MethodCall {
+  MatchersCall() {
+    this instanceof RequestMatchersCall or
+    this instanceof SecurityMatchersCall
+  }
+}
+
 /** Holds if `permitAllCall` is called on request(s) mapped to actuator endpoint(s). */
 predicate permitsSpringBootActuators(PermitAllCall permitAllCall) {
-  exists(AuthorizeRequestsCall authorizeRequestsCall |
+  exists(AuthorizeCall authorizeCall |
     // .requestMatcher(EndpointRequest).authorizeRequests([...]).[...]
-    authorizeRequestsCall.getQualifier() instanceof RequestMatcherCall
+    authorizeCall.getQualifier() instanceof MatcherCall
     or
     // .requestMatchers(matcher -> EndpointRequest).authorizeRequests([...]).[...]
-    authorizeRequestsCall.getQualifier() instanceof RequestMatchersCall
+    authorizeCall.getQualifier() instanceof MatchersCall
   |
     // [...].authorizeRequests(r -> r.anyRequest().permitAll()) or
     // [...].authorizeRequests(r -> r.requestMatchers(EndpointRequest).permitAll())
-    authorizeRequestsCall.getArgument(0).(LambdaExpr).getExprBody() = permitAllCall and
+    authorizeCall.getArgument(0).(LambdaExpr).getExprBody() = permitAllCall and
     (
       permitAllCall.getQualifier() instanceof AnyRequestCall or
       permitAllCall.getQualifier() instanceof RegistryRequestMatchersCall
     )
     or
     // [...].authorizeRequests().requestMatchers(EndpointRequest).permitAll() or
     // [...].authorizeRequests().anyRequest().permitAll()
-    authorizeRequestsCall.getNumArgument() = 0 and
+    authorizeCall.getNumArgument() = 0 and
     exists(RegistryRequestMatchersCall registryRequestMatchersCall |
-      registryRequestMatchersCall.getQualifier() = authorizeRequestsCall and
+      registryRequestMatchersCall.getQualifier() = authorizeCall and
       permitAllCall.getQualifier() = registryRequestMatchersCall
     )
     or
     exists(AnyRequestCall anyRequestCall |
-      anyRequestCall.getQualifier() = authorizeRequestsCall and
+      anyRequestCall.getQualifier() = authorizeCall and
       permitAllCall.getQualifier() = anyRequestCall
     )
   )
   or
-  exists(AuthorizeRequestsCall authorizeRequestsCall |
+  exists(AuthorizeCall authorizeCall |
     // http.authorizeRequests([...]).[...]
-    authorizeRequestsCall.getQualifier() instanceof VarAccess
+    authorizeCall.getQualifier() instanceof VarAccess
   |
     // [...].authorizeRequests(r -> r.requestMatchers(EndpointRequest).permitAll())
-    authorizeRequestsCall.getArgument(0).(LambdaExpr).getExprBody() = permitAllCall and
+    authorizeCall.getArgument(0).(LambdaExpr).getExprBody() = permitAllCall and
     permitAllCall.getQualifier() instanceof RegistryRequestMatchersCall
     or
     // [...].authorizeRequests().requestMatchers(EndpointRequest).permitAll() or
-    authorizeRequestsCall.getNumArgument() = 0 and
+    authorizeCall.getNumArgument() = 0 and
     exists(RegistryRequestMatchersCall registryRequestMatchersCall |
-      registryRequestMatchersCall.getQualifier() = authorizeRequestsCall and
+      registryRequestMatchersCall.getQualifier() = authorizeCall and
       permitAllCall.getQualifier() = registryRequestMatchersCall
     )
   )

java/ql/test/query-tests/security/CWE-016/SpringBootActuatorsTest.java

@@ -2,6 +2,7 @@
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 
 public class SpringBootActuatorsTest {
+  // Spring security version 5.2.3 used `authorizeRequests` and `requestMatcher(s)`
   protected void configure(HttpSecurity http) throws Exception {
     http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests(requests -> requests.anyRequest().permitAll()); // $ hasExposedSpringBootActuator
   }
@@ -101,4 +102,166 @@ protected void configureOkNoPermitAll6(HttpSecurity http) throws Exception {
   protected void configureOkNoPermitAll7(HttpSecurity http) throws Exception {
     http.requestMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeRequests().anyRequest();
   }
+
+  // Spring security version 5.5.0 introduced `authorizeHttpRequests`
+  protected void configure_authorizeHttpRequests(HttpSecurity http) throws Exception {
+    http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeHttpRequests(requests -> requests.anyRequest().permitAll()); // $ hasExposedSpringBootActuator
+  }
+
+  protected void configure2_authorizeHttpRequests(HttpSecurity http) throws Exception {
+    http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll(); // $ hasExposedSpringBootActuator
+  }
+
+  protected void configure3_authorizeHttpRequests(HttpSecurity http) throws Exception {
+    http.requestMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll(); // $ hasExposedSpringBootActuator
+  }
+
+  protected void configure4_authorizeHttpRequests(HttpSecurity http) throws Exception {
+    http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().anyRequest().permitAll(); // $ hasExposedSpringBootActuator
+  }
+
+  protected void configure5_authorizeHttpRequests(HttpSecurity http) throws Exception {
+    http.authorizeHttpRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll(); // $ hasExposedSpringBootActuator
+  }
+
+  protected void configure6_authorizeHttpRequests(HttpSecurity http) throws Exception {
+    http.authorizeHttpRequests(requests -> requests.requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll()); // $ hasExposedSpringBootActuator
+  }
+
+  protected void configure7_authorizeHttpRequests(HttpSecurity http) throws Exception {
+    http.requestMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().anyRequest().permitAll(); // $ hasExposedSpringBootActuator
+  }
+
+  protected void configureOk3_authorizeHttpRequests(HttpSecurity http) throws Exception {
+    http.authorizeHttpRequests().anyRequest().permitAll();
+  }
+
+  protected void configureOk4_authorizeHttpRequests(HttpSecurity http) throws Exception {
+    http.authorizeHttpRequests(authz -> authz.anyRequest().permitAll());
+  }
+
+  protected void configureOkSafeEndpoints1_authorizeHttpRequests(HttpSecurity http) throws Exception {
+    http.requestMatcher(EndpointRequest.to("health", "info")).authorizeHttpRequests(requests -> requests.anyRequest().permitAll());
+  }
+
+  protected void configureOkSafeEndpoints2_authorizeHttpRequests(HttpSecurity http) throws Exception {
+    http.requestMatcher(EndpointRequest.to("health")).authorizeHttpRequests().requestMatchers(EndpointRequest.to("health")).permitAll();
+  }
+
+  protected void configureOkSafeEndpoints3_authorizeHttpRequests(HttpSecurity http) throws Exception {
+    http.requestMatchers(matcher -> EndpointRequest.to("health", "info")).authorizeHttpRequests().requestMatchers(EndpointRequest.to("health", "info")).permitAll();
+  }
+
+  protected void configureOkSafeEndpoints4_authorizeHttpRequests(HttpSecurity http) throws Exception {
+    http.requestMatcher(EndpointRequest.to("health", "info")).authorizeHttpRequests().anyRequest().permitAll();
+  }
+
+  protected void configureOkSafeEndpoints5_authorizeHttpRequests(HttpSecurity http) throws Exception {
+    http.authorizeHttpRequests().requestMatchers(EndpointRequest.to("health", "info")).permitAll();
+  }
+
+  protected void configureOkSafeEndpoints6_authorizeHttpRequests(HttpSecurity http) throws Exception {
+    http.authorizeHttpRequests(requests -> requests.requestMatchers(EndpointRequest.to("health", "info")).permitAll());
+  }
+
+  protected void configureOkSafeEndpoints7_authorizeHttpRequests(HttpSecurity http) throws Exception {
+    http.requestMatchers(matcher -> EndpointRequest.to("health", "info")).authorizeHttpRequests().anyRequest().permitAll();
+  }
+
+  protected void configureOkNoPermitAll1_authorizeHttpRequests(HttpSecurity http) throws Exception {
+    http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeHttpRequests(requests -> requests.anyRequest());
+  }
+
+  protected void configureOkNoPermitAll2_authorizeHttpRequests(HttpSecurity http) throws Exception {
+    http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().requestMatchers(EndpointRequest.toAnyEndpoint());
+  }
+
+  protected void configureOkNoPermitAll3_authorizeHttpRequests(HttpSecurity http) throws Exception {
+    http.requestMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().requestMatchers(EndpointRequest.toAnyEndpoint());
+  }
+
+  protected void configureOkNoPermitAll4_authorizeHttpRequests(HttpSecurity http) throws Exception {
+    http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().anyRequest();
+  }
+
+  protected void configureOkNoPermitAll5_authorizeHttpRequests(HttpSecurity http) throws Exception {
+    http.authorizeHttpRequests().requestMatchers(EndpointRequest.toAnyEndpoint());
+  }
+
+  protected void configureOkNoPermitAll6_authorizeHttpRequests(HttpSecurity http) throws Exception {
+    http.authorizeHttpRequests(requests -> requests.requestMatchers(EndpointRequest.toAnyEndpoint()));
+  }
+
+  protected void configureOkNoPermitAll7_authorizeHttpRequests(HttpSecurity http) throws Exception {
+    http.requestMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().anyRequest();
+  }
+
+  // Spring security version 5.8.0 introduced `securityMatcher(s)`
+  protected void configure_securityMatchers(HttpSecurity http) throws Exception {
+    http.securityMatcher(EndpointRequest.toAnyEndpoint()).authorizeHttpRequests(requests -> requests.anyRequest().permitAll()); // $ hasExposedSpringBootActuator
+  }
+
+  protected void configure2_securityMatchers(HttpSecurity http) throws Exception {
+    http.securityMatcher(EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll(); // $ hasExposedSpringBootActuator
+  }
+
+  protected void configure3_securityMatchers(HttpSecurity http) throws Exception {
+    http.securityMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll(); // $ hasExposedSpringBootActuator
+  }
+
+  protected void configure4_securityMatchers(HttpSecurity http) throws Exception {
+    http.securityMatcher(EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().anyRequest().permitAll(); // $ hasExposedSpringBootActuator
+  }
+
+  protected void configure7_securityMatchers(HttpSecurity http) throws Exception {
+    http.securityMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().anyRequest().permitAll(); // $ hasExposedSpringBootActuator
+  }
+
+  protected void configureOk1_securityMatchers(HttpSecurity http) throws Exception {
+    http.securityMatcher(EndpointRequest.toAnyEndpoint());
+  }
+
+  protected void configureOk2_securityMatchers(HttpSecurity http) throws Exception {
+    http.securityMatchers().requestMatchers(EndpointRequest.toAnyEndpoint());
+  }
+
+  protected void configureOkSafeEndpoints1_securityMatchers(HttpSecurity http) throws Exception {
+    http.securityMatcher(EndpointRequest.to("health", "info")).authorizeHttpRequests(requests -> requests.anyRequest().permitAll());
+  }
+
+  protected void configureOkSafeEndpoints2_securityMatchers(HttpSecurity http) throws Exception {
+    http.securityMatcher(EndpointRequest.to("health")).authorizeHttpRequests().requestMatchers(EndpointRequest.to("health")).permitAll();
+  }
+
+  protected void configureOkSafeEndpoints3_securityMatchers(HttpSecurity http) throws Exception {
+    http.securityMatchers(matcher -> EndpointRequest.to("health", "info")).authorizeHttpRequests().requestMatchers(EndpointRequest.to("health", "info")).permitAll();
+  }
+
+  protected void configureOkSafeEndpoints4_securityMatchers(HttpSecurity http) throws Exception {
+    http.securityMatcher(EndpointRequest.to("health", "info")).authorizeHttpRequests().anyRequest().permitAll();
+  }
+
+  protected void configureOkSafeEndpoints7_securityMatchers(HttpSecurity http) throws Exception {
+    http.securityMatchers(matcher -> EndpointRequest.to("health", "info")).authorizeHttpRequests().anyRequest().permitAll();
+  }
+
+  protected void configureOkNoPermitAll1_securityMatchers(HttpSecurity http) throws Exception {
+    http.securityMatcher(EndpointRequest.toAnyEndpoint()).authorizeHttpRequests(requests -> requests.anyRequest());
+  }
+
+  protected void configureOkNoPermitAll2_securityMatchers(HttpSecurity http) throws Exception {
+    http.securityMatcher(EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().requestMatchers(EndpointRequest.toAnyEndpoint());
+  }
+
+  protected void configureOkNoPermitAll3_securityMatchers(HttpSecurity http) throws Exception {
+    http.securityMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().requestMatchers(EndpointRequest.toAnyEndpoint());
+  }
+
+  protected void configureOkNoPermitAll4_securityMatchers(HttpSecurity http) throws Exception {
+    http.securityMatcher(EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().anyRequest();
+  }
+
+  protected void configureOkNoPermitAll7_securityMatchers(HttpSecurity http) throws Exception {
+    http.securityMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().anyRequest();
+  }
 }