
Java: Promote Spring Boot Actuators query from experimental #18793


Merged
merged 17 commits into from
Mar 11, 2025

Conversation


@jcogs33 jcogs33 commented Feb 16, 2025

This PR promotes java/spring-boot-exposed-actuators from experimental (original PRs: #2901 and #3506).

Changes from the experimental query:

  • Updated the query to handle HttpSecurity.securityMatcher(s), HttpSecurity.authorizeHttpRequests, and AuthorizeHttpRequestsConfigurer, which were added in more recent Spring versions.
    • As a result, the springframework-5.3.8 stubs directory should technically be renamed to springframework-5.8.x. I'll do that in a follow-up PR to avoid a large number of renamed stub files and updated options files on this PR.
  • Placed the query under CWE-200 instead of CWE-016. CWE-016 is a category, and my understanding from our metadata style guide is that we should use CWEs that are a base/class weakness, not a category. Let me know if you disagree.


github-actions bot commented Feb 16, 2025

QHelp previews:

java/ql/src/Security/CWE/CWE-200/SpringBootActuators.qhelp

Exposed Spring Boot actuators

Spring Boot includes features called actuators that let you monitor and interact with your web application. Exposing unprotected actuator endpoints can lead to information disclosure or even to remote code execution.

Recommendation

Since actuator endpoints may contain sensitive information, carefully consider when to expose them, and secure them as you would any sensitive URL. Actuators are secured by default when using Spring Security without a custom configuration. If you wish to define a custom security configuration, consider only allowing users with certain roles to access these endpoints.

Example

In the first example, the custom security configuration allows unauthenticated access to all actuator endpoints. This may lead to sensitive information disclosure and should be avoided.

In the second example, only users with ENDPOINT_ADMIN role are allowed to access the actuator endpoints.

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration(proxyBeanMethods = false)
public class CustomSecurityConfiguration {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        // BAD: Unauthenticated access to Spring Boot actuator endpoints is allowed.
        // securityMatcher scopes this chain to /actuator/**, and permitAll() then opens
        // every endpoint in that scope (env, heapdump, loggers, ...) to anonymous callers.
        http.securityMatcher(EndpointRequest.toAnyEndpoint());
        http.authorizeHttpRequests((requests) -> requests.anyRequest().permitAll());
        return http.build();
    }

}

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration(proxyBeanMethods = false)
public class CustomSecurityConfiguration {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        // GOOD: only users with the ENDPOINT_ADMIN role are allowed to access the actuator endpoints.
        // Same scope as above, but the authorization rule now requires an authenticated
        // principal carrying ROLE_ENDPOINT_ADMIN for every request in that scope.
        http.securityMatcher(EndpointRequest.toAnyEndpoint());
        http.authorizeHttpRequests((requests) -> requests.anyRequest().hasRole("ENDPOINT_ADMIN"));
        return http.build();
    }

}

References

  • Spring Boot Reference Documentation: Endpoints.
  • Common Weakness Enumeration: CWE-200.
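The qhelp examples above treat all actuator endpoints alike. In practice a deployment usually needs the health probe reachable by an orchestrator without credentials while everything else stays locked down. The following is an added example, not code from this PR, from the CodeQL query or from the Spring documentation. It assumes Spring Boot 3.x with Spring Security 6 (the securityMatcher / authorizeHttpRequests API the promoted query now models), and the class name ActuatorSecurityConfiguration, the role name ENDPOINT_ADMIN and the use of HTTP Basic are illustrative choices.

```java
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

/**
 * Added example (not from the PR, the query or the Spring docs): a dedicated,
 * higher-priority filter chain for the actuator endpoints that keeps the health
 * probe anonymous but puts every other endpoint behind the ENDPOINT_ADMIN role.
 */
@Configuration(proxyBeanMethods = false)
public class ActuatorSecurityConfiguration {

    // @Order(1): this chain is consulted before the application's own chain, so a
    // permissive anyRequest().permitAll() in the application chain can never be the
    // rule that ends up covering /actuator/**.
    @Bean
    @Order(1)
    public SecurityFilterChain actuatorFilterChain(HttpSecurity http) throws Exception {
        http.securityMatcher(EndpointRequest.toAnyEndpoint());
        http.authorizeHttpRequests((requests) -> requests
            // Liveness/readiness probe only. Safe to expose anonymously as long as
            // management.endpoint.health.show-details is not set to "always".
            .requestMatchers(EndpointRequest.to("health")).permitAll()
            // Every other endpoint in scope (env, heapdump, loggers, mappings, ...)
            // requires an authenticated principal with ROLE_ENDPOINT_ADMIN.
            .requestMatchers(EndpointRequest.toAnyEndpoint().excluding("health")).hasRole("ENDPOINT_ADMIN")
            // Defence in depth: nothing in this chain falls through anonymously.
            .anyRequest().denyAll());
        // Illustrative choice: Basic auth for operators/monitoring tooling.
        http.httpBasic(Customizer.withDefaults());
        return http.build();
    }

    // The application's own chain, ordered after the actuator chain. Its rules
    // never apply to /actuator/** because the chain above claims those requests first.
    @Bean
    @Order(2)
    public SecurityFilterChain applicationFilterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests((requests) -> requests.anyRequest().authenticated());
        http.formLogin(Customizer.withDefaults());
        return http.build();
    }
}
```

Two practical notes. First, authorization is the second line of defence: limit which endpoints are exposed over HTTP at all with management.endpoints.web.exposure.include (for example health,info), so that endpoints such as env and heapdump are not reachable by any caller. Second, verify the result rather than trusting the configuration: an anonymous request to /actuator/health should return 200, while an anonymous request to /actuator/env should return 401 (or 403). If the latter returns 200, some other chain or a permitAll() rule is covering the actuator paths, which is exactly the pattern the promoted query flags.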

@jcogs33 jcogs33 force-pushed the jcogs33/java/spring-boot-actuators-promo branch from 9f3980e to c2e859c on February 24, 2025 23:35
@jcogs33 jcogs33 changed the title from "[DRAFT] Java: Promote Spring Boot Actuators query from experimental" to "Java: Promote Spring Boot Actuators query from experimental" Feb 25, 2025
@jcogs33 jcogs33 marked this pull request as ready for review February 25, 2025 13:12
@jcogs33 jcogs33 requested a review from a team as a code owner February 25, 2025 13:12

@egregius313 egregius313 left a comment


Overall LGTM. But if we are adding public classes to semmle.code.java.frameworks.spring it might make sense to prefix the names with Spring.


jcogs33 commented Mar 4, 2025

Thanks for the review @egregius313! I've updated the class names in 746f022 (and 82062e2).

@jcogs33 jcogs33 added the ready-for-doc-review This PR requires and is ready for review from the GitHub docs team. label Mar 4, 2025
egregius313
egregius313 previously approved these changes Mar 4, 2025

@egregius313 egregius313 left a comment


Everything LGTM now.

@mchammer01

I'll review this on behalf of Docs, probably Monday now.

mchammer01
mchammer01 previously approved these changes Mar 10, 2025

@mchammer01 mchammer01 left a comment


LGTM from a Docs perspective ✨
Added a couple of suggestions to improve readability.

@jcogs33

jcogs33 commented Mar 10, 2025

Thanks for the review @mchammer01! I've applied your suggestions.

@smowton smowton left a comment


Proxying Ed's approval

@jcogs33 jcogs33 merged commit ea9b046 into github:main Mar 11, 2025
17 checks passed
@jcogs33 jcogs33 deleted the jcogs33/java/spring-boot-actuators-promo branch March 11, 2025 18:42
Labels
documentation Java ready-for-doc-review This PR requires and is ready for review from the GitHub docs team.
4 participants