From a39cb401777d693be6c3cb63220251f27f6c5174 Mon Sep 17 00:00:00 2001 
From: Jami Cogswell Date: Wed, 9 Jul 2025 16:43:27 -0400 Subject: [PATCH 01/21] Java: copy out of experimental --- .../InsecureSpringActuatorConfig.qhelp | 47 +++++++ .../InsecureSpringActuatorConfig.ql | 121 ++++++++++++++++++ .../application.properties | 22 ++++ .../InsecureSpringActuatorConfig/pom_bad.xml | 50 ++++++++ .../InsecureSpringActuatorConfig/pom_good.xml | 50 ++++++++ .../InsecureSpringActuatorConfig.expected | 1 + .../InsecureSpringActuatorConfig.qlref | 1 + .../SensitiveInfo.java | 13 ++ .../application.properties | 14 ++ .../InsecureSpringActuatorConfig/options | 1 + .../InsecureSpringActuatorConfig/pom.xml | 47 +++++++ 11 files changed, 367 insertions(+) create mode 100644 java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.qhelp create mode 100644 java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql create mode 100644 java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/application.properties create mode 100644 java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/pom_bad.xml create mode 100644 java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/pom_good.xml create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.expected create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.qlref create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/SensitiveInfo.java create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/application.properties create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/options create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/pom.xml 
diff --git a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.qhelp b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.qhelp new file mode 100644 index 000000000000..7e31b43ba7a1 --- /dev/null +++ b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.qhelp @@ -0,0 +1,47 @@ + + + +

Spring Boot is a popular framework that facilitates the development of stand-alone applications +and micro services. Spring Boot Actuator helps to expose production-ready support features against +Spring Boot applications.

+ +

Endpoints of Spring Boot Actuator allow to monitor and interact with a Spring Boot application. +Exposing unprotected actuator endpoints through configuration files can lead to information disclosure +or even remote code execution vulnerability.

+ +

Rather than programmatically permitting endpoint requests or enforcing access control, frequently +developers simply leave management endpoints publicly accessible in the application configuration file +application.properties without enforcing access control through Spring Security.

+
+ + +

Declare the Spring Boot Starter Security module in XML configuration or programmatically enforce +security checks on management endpoints using Spring Security. Otherwise accessing management endpoints +on a different HTTP port other than the port that the web application is listening on also helps to +improve the security.

+
+ + +

The following examples show both 'BAD' and 'GOOD' configurations. In the 'BAD' configuration, +no security module is declared and sensitive management endpoints are exposed. In the 'GOOD' configuration, +security is enforced and only endpoints requiring exposure are exposed.

+ + + +
+ + +
  • + Spring Boot documentation: + Spring Boot Actuator: Production-ready Features +
  • +
  • + VERACODE Blog: + Exploiting Spring Boot Actuators +
  • +
  • + HackerOne Report: + Spring Actuator endpoints publicly available, leading to account takeover +
  • +
    +
    diff --git a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql new file mode 100644 index 000000000000..b21aa82e8baf --- /dev/null +++ b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql 
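Review bot: the qhelp text carried over from the experimental copy still has wording problems that should be fixed while the query is being promoted: "Endpoints of Spring Boot Actuator allow to monitor and interact with" reads better as "Spring Boot Actuator endpoints allow monitoring and interacting with"; "micro services" should be "microservices"; "can lead to information disclosure or even remote code execution vulnerability" needs "a remote code execution vulnerability"; and in the recommendation, "Declare the Spring Boot Starter Security module in XML configuration" is vague where the accompanying pom_good.xml shows exactly what is meant, so say "add the spring-boot-starter-security dependency to the Maven POM". The last recommendation sentence, "Otherwise accessing management endpoints on a different HTTP port other than the port that the web application is listening on also helps to improve the security", should be "Alternatively, serving the management endpoints on a different HTTP port from the one the web application listens on also reduces exposure."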
@@ -0,0 +1,121 @@ +/** + * @name Insecure Spring Boot Actuator Configuration + * @description Exposed Spring Boot Actuator through configuration files without declarative or procedural + * security enforcement leads to information leak or even remote code execution. + * @kind problem + * @problem.severity error + * @precision high + * @id java/insecure-spring-actuator-config + * @tags security + * experimental + * external/cwe/cwe-016 + */ + +/* + * Note this query requires properties files to be indexed before it can produce results. + * If creating your own database with the CodeQL CLI, you should run + * `codeql database index-files --language=properties ...` + * If using lgtm.com, you should add `properties_files: true` to the index block of your + * lgtm.yml file (see https://lgtm.com/help/lgtm/java-extraction) + */ + +import java +import semmle.code.configfiles.ConfigFiles +import semmle.code.xml.MavenPom + +/** The parent node of the `org.springframework.boot` group. */ +class SpringBootParent extends Parent { + SpringBootParent() { this.getGroup().getValue() = "org.springframework.boot" } +} + +/** Class of Spring Boot dependencies. */ +class SpringBootPom extends Pom { + SpringBootPom() { this.getParentElement() instanceof SpringBootParent } + + /** Holds if the Spring Boot Actuator module `spring-boot-starter-actuator` is used in the project. */ + predicate isSpringBootActuatorUsed() { + this.getADependency().getArtifact().getValue() = "spring-boot-starter-actuator" + } + + /** + * Holds if the Spring Boot Security module is used in the project, which brings in other security + * related libraries. + */ + predicate isSpringBootSecurityUsed() { + this.getADependency().getArtifact().getValue() = "spring-boot-starter-security" + } +} + +/** The properties file `application.properties`. 
*/ +class ApplicationProperties extends ConfigPair { + ApplicationProperties() { this.getFile().getBaseName() = "application.properties" } +} + +/** The configuration property `management.security.enabled`. */ +class ManagementSecurityConfig extends ApplicationProperties { + ManagementSecurityConfig() { this.getNameElement().getName() = "management.security.enabled" } + + /** Gets the whitespace-trimmed value of this property. */ + string getValue() { result = this.getValueElement().getValue().trim() } + + /** Holds if `management.security.enabled` is set to `false`. */ + predicate hasSecurityDisabled() { this.getValue() = "false" } + + /** Holds if `management.security.enabled` is set to `true`. */ + predicate hasSecurityEnabled() { this.getValue() = "true" } +} + +/** The configuration property `management.endpoints.web.exposure.include`. */ +class ManagementEndPointInclude extends ApplicationProperties { + ManagementEndPointInclude() { + this.getNameElement().getName() = "management.endpoints.web.exposure.include" + } + + /** Gets the whitespace-trimmed value of this property. */ + string getValue() { result = this.getValueElement().getValue().trim() } +} + +/** + * Holds if `ApplicationProperties` ap of a repository managed by `SpringBootPom` pom + * has a vulnerable configuration of Spring Boot Actuator management endpoints. 
+ */ +predicate hasConfidentialEndPointExposed(SpringBootPom pom, ApplicationProperties ap) { + pom.isSpringBootActuatorUsed() and + not pom.isSpringBootSecurityUsed() and + ap.getFile() + .getParentContainer() + .getAbsolutePath() + .matches(pom.getFile().getParentContainer().getAbsolutePath() + "%") and // in the same sub-directory + exists(string springBootVersion | springBootVersion = pom.getParentElement().getVersionString() | + springBootVersion.regexpMatch("1\\.[0-4].*") and // version 1.0, 1.1, ..., 1.4 + not exists(ManagementSecurityConfig me | + me.hasSecurityEnabled() and me.getFile() = ap.getFile() + ) + or + springBootVersion.matches("1.5%") and // version 1.5 + exists(ManagementSecurityConfig me | me.hasSecurityDisabled() and me.getFile() = ap.getFile()) + or + springBootVersion.matches("2.%") and //version 2.x + exists(ManagementEndPointInclude mi | + mi.getFile() = ap.getFile() and + ( + mi.getValue() = "*" // all endpoints are enabled + or + mi.getValue() + .matches([ + "%dump%", "%trace%", "%logfile%", "%shutdown%", "%startup%", "%mappings%", "%env%", + "%beans%", "%sessions%" + ]) // confidential endpoints to check although all endpoints apart from '/health' and '/info' are considered sensitive by Spring + ) + ) + ) +} + +deprecated query predicate problems(Dependency d, string message) { + exists(SpringBootPom pom | + hasConfidentialEndPointExposed(pom, _) and + d = pom.getADependency() and + d.getArtifact().getValue() = "spring-boot-starter-actuator" + ) and + message = "Insecure configuration of Spring Boot Actuator exposes sensitive endpoints." +} diff --git a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/application.properties b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/application.properties new file mode 100644 index 000000000000..441d752508c9 --- /dev/null +++ b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/application.properties 
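Review bot: the query metadata still reflects its experimental origin even though the file now lives under Security/CWE/CWE-200: `@tags` keeps `experimental` and `external/cwe/cwe-016` while the directory says CWE-200, so the tag list should be brought in line with whichever CWE the query is filed under. The banner comment still points users at lgtm.com and an lgtm.yml `properties_files: true` setting; only the `codeql database index-files --language=properties ...` instruction is still relevant and the rest should go. The `deprecated query predicate problems(...)` wrapper is the experimental-query shape; a promoted query should end in a plain `from ... where ... select`. Separately, `hasConfidentialEndPointExposed` decides the 2.x case purely on `management.endpoints.web.exposure.include` and never reads a matching `exclude` property, so a file that includes `*` but excludes the sensitive endpoints in the match list is still reported; either handle that or document it as a known source of false positives.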
@@ -0,0 +1,22 @@ +#management.endpoints.web.base-path=/admin + + +#### BAD: All management endpoints are accessible #### +# vulnerable configuration (spring boot 1.0 - 1.4): exposes actuators by default + +# vulnerable configuration (spring boot 1.5+): requires value false to expose sensitive actuators +management.security.enabled=false + +# vulnerable configuration (spring boot 2+): exposes health and info only by default, here overridden to expose everything +management.endpoints.web.exposure.include=* + + +#### GOOD: All management endpoints have access control #### +# safe configuration (spring boot 1.0 - 1.4): exposes actuators by default +management.security.enabled=true + +# safe configuration (spring boot 1.5+): requires value false to expose sensitive actuators +management.security.enabled=true + +# safe configuration (spring boot 2+): exposes health and info only by default, here overridden to expose one additional endpoint which we assume is intentional and safe. +management.endpoints.web.exposure.include=beans,info,health diff --git a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/pom_bad.xml b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/pom_bad.xml new file mode 100644 index 000000000000..6bca2829ac43 --- /dev/null +++ b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/pom_bad.xml @@ -0,0 +1,50 @@ + + + 4.0.0 + + spring-boot-actuator-app + spring-boot-actuator-app + 1.0-SNAPSHOT + + + UTF-8 + 1.8 + 1.8 + + + + org.springframework.boot + spring-boot-starter-parent + 2.3.8.RELEASE + + + + + + org.springframework.boot + spring-boot-starter-web + + + org.springframework.boot + spring-boot-starter-actuator + + + org.springframework.boot + spring-boot-devtools + + + + + + + org.springframework.boot + spring-boot-test + + + + 
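Review bot: the sample application.properties puts the BAD and GOOD sections into one file, so `management.security.enabled` appears three times and `management.endpoints.web.exposure.include` twice; in a real properties file the last assignment wins, which makes the sample misleading if a reader copies it, and the qhelp examples would be clearer as separate application_bad.properties and application_good.properties files, mirroring the pom_bad.xml / pom_good.xml split. The comment under GOOD for 1.0 - 1.4, "exposes actuators by default", describes the default rather than why `management.security.enabled=true` fixes it; reword each comment to state what the setting does in that version.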
diff --git a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/pom_good.xml b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/pom_good.xml new file mode 100644 index 000000000000..03bc257f5bda --- /dev/null +++ b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/pom_good.xml @@ -0,0 +1,50 @@ + + + 4.0.0 + + spring-boot-actuator-app + spring-boot-actuator-app + 1.0-SNAPSHOT + + + UTF-8 + 1.8 + 1.8 + + + + org.springframework.boot + spring-boot-starter-parent + 2.3.8.RELEASE + + + + + + org.springframework.boot + spring-boot-starter-web + + + org.springframework.boot + spring-boot-starter-actuator + + + org.springframework.boot + spring-boot-devtools + + + + + org.springframework.boot + spring-boot-starter-security + + + + org.springframework.boot + spring-boot-test + + + + diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.expected b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.expected new file mode 100644 index 000000000000..486302939857 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.expected @@ -0,0 +1 @@ +| pom.xml:29:9:32:22 | dependency | Insecure configuration of Spring Boot Actuator exposes sensitive endpoints. | diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.qlref b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.qlref new file mode 100644 index 000000000000..ada54d34dc12 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.qlref @@ -0,0 +1 @@ +experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql 
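Review bot: the new test .qlref still points at `experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql`, the path the next patch deletes, so at this commit the test cannot resolve its query; it should read `Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql` (patch 04 does this, but the fix belongs in the same commit as the copy so every commit in the series passes). The `.expected` row `pom.xml:29:9:32:22 | dependency | ...` is consistent with the test pom.xml as long as its layout is not reformatted.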
diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/SensitiveInfo.java b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/SensitiveInfo.java new file mode 100644 index 000000000000..a3ff69c1b817 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/SensitiveInfo.java @@ -0,0 +1,13 @@ +import org.springframework.stereotype.Controller; +import org.springframework.web.bind.annotation.RequestParam; +import org.springframework.web.bind.annotation.RequestMapping; + +@Controller +public class SensitiveInfo { + @RequestMapping + public void handleLogin(@RequestParam String username, @RequestParam String password) throws Exception { + if (!username.equals("") && password.equals("")) { + //Blank processing + } + } +} \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/application.properties new file mode 100644 index 000000000000..797906a3ca3b --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/application.properties @@ -0,0 +1,14 @@ +#management.endpoints.web.base-path=/admin + +# vulnerable configuration (spring boot 1.0 - 1.4): exposes actuators by default + +# vulnerable configuration (spring boot 1.5+): requires value false to expose sensitive actuators +management.security.enabled=false + +# vulnerable configuration (spring boot 2+): exposes health and info only by default, here overridden to expose everything +management.endpoints.web.exposure.include=* +management.endpoints.web.exposure.exclude=beans + +management.endpoint.shutdown.enabled=true + +management.endpoint.health.show-details=when_authorized \ No newline at end of file 
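Review bot: the test application.properties sets `management.security.enabled=false` next to a `2.3.8.RELEASE` parent, but the query only consults that property on its 1.0 - 1.4 and 1.5 branches, so it contributes nothing here; the single result comes from `management.endpoints.web.exposure.include=*`. `management.endpoints.web.exposure.exclude=beans` and `management.endpoint.shutdown.enabled=true` are likewise never read by the query, so either add a case that exercises them (a second directory with its own pom.xml and properties, including a 1.x parent to cover the other branches) or drop them so the fixture contains only what is tested. In SensitiveInfo.java, `if (!username.equals("") && password.equals(""))` is an odd condition for a login handler; the query never inspects Java source, so a comment saying the class exists only to give the extractor something to compile would help the next reader.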
diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/options b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/options new file mode 100644 index 000000000000..2ce7a4743cd3 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/options @@ -0,0 +1 @@ +//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.8.x diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/pom.xml new file mode 100644 index 000000000000..a9d5fa920c84 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/pom.xml @@ -0,0 +1,47 @@ + + + 4.0.0 + + spring-boot-actuator-app + spring-boot-actuator-app + 1.0-SNAPSHOT + + + UTF-8 + 1.8 + 1.8 + + + + org.springframework.boot + spring-boot-starter-parent + 2.3.8.RELEASE + + + + + + org.springframework.boot + spring-boot-starter-web + + + org.springframework.boot + spring-boot-starter-actuator + + + org.springframework.boot + spring-boot-devtools + + + + org.springframework.boot + spring-boot-test + + + + \ No newline at end of file From 0dbddbdf0f5787d8ea92bc6f6132447a110b5b91 Mon Sep 17 00:00:00 2001 
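Review bot: the `options` file keeps `-cp ${testdir}/../../../../stubs/springframework-5.8.x` from the experimental location, but the test now sits two directories deeper (`query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig` versus `experimental/query-tests/security/CWE-016`), so four `..` segments no longer reach the stubs directory and the test sources will not compile at this commit; patch 04 changes it to six segments, and that correction should move into this commit.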
From: Jami Cogswell Date: Wed, 9 Jul 2025 16:46:30 -0400 Subject: [PATCH 02/21] Java: remove experimental files --- .../InsecureSpringActuatorConfig.qhelp | 47 ------- .../CWE-016/InsecureSpringActuatorConfig.ql | 121 ------------------ .../CWE/CWE-016/application.properties | 22 ---- .../Security/CWE/CWE-016/pom_bad.xml | 50 -------- .../Security/CWE/CWE-016/pom_good.xml | 50 -------- .../InsecureSpringActuatorConfig.expected | 1 - .../InsecureSpringActuatorConfig.qlref | 1 - .../security/CWE-016/SensitiveInfo.java | 13 -- .../security/CWE-016/application.properties | 14 -- .../query-tests/security/CWE-016/options | 1 - .../query-tests/security/CWE-016/pom.xml | 47 ------- 11 files changed, 367 deletions(-) delete mode 100644 java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.qhelp delete mode 100644 java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql delete mode 100644 java/ql/src/experimental/Security/CWE/CWE-016/application.properties delete mode 100644 java/ql/src/experimental/Security/CWE/CWE-016/pom_bad.xml delete mode 100644 java/ql/src/experimental/Security/CWE/CWE-016/pom_good.xml delete mode 100644 java/ql/test/experimental/query-tests/security/CWE-016/InsecureSpringActuatorConfig.expected delete mode 100644 java/ql/test/experimental/query-tests/security/CWE-016/InsecureSpringActuatorConfig.qlref delete mode 100644 java/ql/test/experimental/query-tests/security/CWE-016/SensitiveInfo.java delete mode 100644 java/ql/test/experimental/query-tests/security/CWE-016/application.properties delete mode 100644 java/ql/test/experimental/query-tests/security/CWE-016/options delete mode 100644 java/ql/test/experimental/query-tests/security/CWE-016/pom.xml diff --git a/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.qhelp b/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.qhelp deleted file mode 100644 index e201156728a4..000000000000 
--- a/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.qhelp +++ /dev/null @@ -1,47 +0,0 @@ - - - -

    Spring Boot is a popular framework that facilitates the development of stand-alone applications -and micro services. Spring Boot Actuator helps to expose production-ready support features against -Spring Boot applications.

    - -

    Endpoints of Spring Boot Actuator allow to monitor and interact with a Spring Boot application. -Exposing unprotected actuator endpoints through configuration files can lead to information disclosure -or even remote code execution vulnerability.

    - -

    Rather than programmatically permitting endpoint requests or enforcing access control, frequently -developers simply leave management endpoints publicly accessible in the application configuration file -application.properties without enforcing access control through Spring Security.

    -
    - - -

    Declare the Spring Boot Starter Security module in XML configuration or programmatically enforce -security checks on management endpoints using Spring Security. Otherwise accessing management endpoints -on a different HTTP port other than the port that the web application is listening on also helps to -improve the security.

    -
    - - -

    The following examples show both 'BAD' and 'GOOD' configurations. In the 'BAD' configuration, -no security module is declared and sensitive management endpoints are exposed. In the 'GOOD' configuration, -security is enforced and only endpoints requiring exposure are exposed.

    - - - -
    - - -
  • - Spring Boot documentation: - Spring Boot Actuator: Production-ready Features -
  • -
  • - VERACODE Blog: - Exploiting Spring Boot Actuators -
  • -
  • - HackerOne Report: - Spring Actuator endpoints publicly available, leading to account takeover -
  • -
    -
    diff --git a/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql b/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql deleted file mode 100644 index b21aa82e8baf..000000000000 --- a/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql +++ /dev/null 
@@ -1,121 +0,0 @@ -/** - * @name Insecure Spring Boot Actuator Configuration - * @description Exposed Spring Boot Actuator through configuration files without declarative or procedural - * security enforcement leads to information leak or even remote code execution. - * @kind problem - * @problem.severity error - * @precision high - * @id java/insecure-spring-actuator-config - * @tags security - * experimental - * external/cwe/cwe-016 - */ - -/* - * Note this query requires properties files to be indexed before it can produce results. - * If creating your own database with the CodeQL CLI, you should run - * `codeql database index-files --language=properties ...` - * If using lgtm.com, you should add `properties_files: true` to the index block of your - * lgtm.yml file (see https://lgtm.com/help/lgtm/java-extraction) - */ - -import java -import semmle.code.configfiles.ConfigFiles -import semmle.code.xml.MavenPom - -/** The parent node of the `org.springframework.boot` group. */ -class SpringBootParent extends Parent { - SpringBootParent() { this.getGroup().getValue() = "org.springframework.boot" } -} - -/** Class of Spring Boot dependencies. */ -class SpringBootPom extends Pom { - SpringBootPom() { this.getParentElement() instanceof SpringBootParent } - - /** Holds if the Spring Boot Actuator module `spring-boot-starter-actuator` is used in the project. */ - predicate isSpringBootActuatorUsed() { - this.getADependency().getArtifact().getValue() = "spring-boot-starter-actuator" - } - - /** - * Holds if the Spring Boot Security module is used in the project, which brings in other security - * related libraries. - */ - predicate isSpringBootSecurityUsed() { - this.getADependency().getArtifact().getValue() = "spring-boot-starter-security" - } -} - -/** The properties file `application.properties`. 
*/ -class ApplicationProperties extends ConfigPair { - ApplicationProperties() { this.getFile().getBaseName() = "application.properties" } -} - -/** The configuration property `management.security.enabled`. */ -class ManagementSecurityConfig extends ApplicationProperties { - ManagementSecurityConfig() { this.getNameElement().getName() = "management.security.enabled" } - - /** Gets the whitespace-trimmed value of this property. */ - string getValue() { result = this.getValueElement().getValue().trim() } - - /** Holds if `management.security.enabled` is set to `false`. */ - predicate hasSecurityDisabled() { this.getValue() = "false" } - - /** Holds if `management.security.enabled` is set to `true`. */ - predicate hasSecurityEnabled() { this.getValue() = "true" } -} - -/** The configuration property `management.endpoints.web.exposure.include`. */ -class ManagementEndPointInclude extends ApplicationProperties { - ManagementEndPointInclude() { - this.getNameElement().getName() = "management.endpoints.web.exposure.include" - } - - /** Gets the whitespace-trimmed value of this property. */ - string getValue() { result = this.getValueElement().getValue().trim() } -} - -/** - * Holds if `ApplicationProperties` ap of a repository managed by `SpringBootPom` pom - * has a vulnerable configuration of Spring Boot Actuator management endpoints. 
- */ -predicate hasConfidentialEndPointExposed(SpringBootPom pom, ApplicationProperties ap) { - pom.isSpringBootActuatorUsed() and - not pom.isSpringBootSecurityUsed() and - ap.getFile() - .getParentContainer() - .getAbsolutePath() - .matches(pom.getFile().getParentContainer().getAbsolutePath() + "%") and // in the same sub-directory - exists(string springBootVersion | springBootVersion = pom.getParentElement().getVersionString() | - springBootVersion.regexpMatch("1\\.[0-4].*") and // version 1.0, 1.1, ..., 1.4 - not exists(ManagementSecurityConfig me | - me.hasSecurityEnabled() and me.getFile() = ap.getFile() - ) - or - springBootVersion.matches("1.5%") and // version 1.5 - exists(ManagementSecurityConfig me | me.hasSecurityDisabled() and me.getFile() = ap.getFile()) - or - springBootVersion.matches("2.%") and //version 2.x - exists(ManagementEndPointInclude mi | - mi.getFile() = ap.getFile() and - ( - mi.getValue() = "*" // all endpoints are enabled - or - mi.getValue() - .matches([ - "%dump%", "%trace%", "%logfile%", "%shutdown%", "%startup%", "%mappings%", "%env%", - "%beans%", "%sessions%" - ]) // confidential endpoints to check although all endpoints apart from '/health' and '/info' are considered sensitive by Spring - ) - ) - ) -} - -deprecated query predicate problems(Dependency d, string message) { - exists(SpringBootPom pom | - hasConfidentialEndPointExposed(pom, _) and - d = pom.getADependency() and - d.getArtifact().getValue() = "spring-boot-starter-actuator" - ) and - message = "Insecure configuration of Spring Boot Actuator exposes sensitive endpoints." -} diff --git a/java/ql/src/experimental/Security/CWE/CWE-016/application.properties b/java/ql/src/experimental/Security/CWE/CWE-016/application.properties deleted file mode 100644 index 4f5defdd948e..000000000000 --- a/java/ql/src/experimental/Security/CWE/CWE-016/application.properties +++ /dev/null 
@@ -1,22 +0,0 @@ -#management.endpoints.web.base-path=/admin - - -#### BAD: All management endpoints are accessible #### -# vulnerable configuration (spring boot 1.0 - 1.4): exposes actuators by default - -# vulnerable configuration (spring boot 1.5+): requires value false to expose sensitive actuators -management.security.enabled=false - -# vulnerable configuration (spring boot 2+): exposes health and info only by default, here overridden to expose everything -management.endpoints.web.exposure.include=* - - -#### GOOD: All management endpoints have access control #### -# safe configuration (spring boot 1.0 - 1.4): exposes actuators by default -management.security.enabled=true - -# safe configuration (spring boot 1.5+): requires value false to expose sensitive actuators -management.security.enabled=true - -# safe configuration (spring boot 2+): exposes health and info only by default, here overridden to expose one additional endpoint which we assume is intentional and safe. -management.endpoints.web.exposure.include=beans,info,health diff --git a/java/ql/src/experimental/Security/CWE/CWE-016/pom_bad.xml b/java/ql/src/experimental/Security/CWE/CWE-016/pom_bad.xml deleted file mode 100644 index 9dd5c9c188b4..000000000000 --- a/java/ql/src/experimental/Security/CWE/CWE-016/pom_bad.xml +++ /dev/null @@ -1,50 +0,0 @@ - - - 4.0.0 - - spring-boot-actuator-app - spring-boot-actuator-app - 1.0-SNAPSHOT - - - UTF-8 - 1.8 - 1.8 - - - - org.springframework.boot - spring-boot-starter-parent - 2.3.8.RELEASE - - - - - - org.springframework.boot - spring-boot-starter-web - - - org.springframework.boot - spring-boot-starter-actuator - - - org.springframework.boot - spring-boot-devtools - - - - - - - org.springframework.boot - spring-boot-test - - - - \ No newline at end of file diff --git a/java/ql/src/experimental/Security/CWE/CWE-016/pom_good.xml b/java/ql/src/experimental/Security/CWE/CWE-016/pom_good.xml deleted file mode 100644 index 89f577f21e59..000000000000 
--- a/java/ql/src/experimental/Security/CWE/CWE-016/pom_good.xml +++ /dev/null @@ -1,50 +0,0 @@ - - - 4.0.0 - - spring-boot-actuator-app - spring-boot-actuator-app - 1.0-SNAPSHOT - - - UTF-8 - 1.8 - 1.8 - - - - org.springframework.boot - spring-boot-starter-parent - 2.3.8.RELEASE - - - - - - org.springframework.boot - spring-boot-starter-web - - - org.springframework.boot - spring-boot-starter-actuator - - - org.springframework.boot - spring-boot-devtools - - - - - org.springframework.boot - spring-boot-starter-security - - - - org.springframework.boot - spring-boot-test - - - - \ No newline at end of file diff --git a/java/ql/test/experimental/query-tests/security/CWE-016/InsecureSpringActuatorConfig.expected b/java/ql/test/experimental/query-tests/security/CWE-016/InsecureSpringActuatorConfig.expected deleted file mode 100644 index 486302939857..000000000000 --- a/java/ql/test/experimental/query-tests/security/CWE-016/InsecureSpringActuatorConfig.expected +++ /dev/null @@ -1 +0,0 @@ -| pom.xml:29:9:32:22 | dependency | Insecure configuration of Spring Boot Actuator exposes sensitive endpoints. | diff --git a/java/ql/test/experimental/query-tests/security/CWE-016/InsecureSpringActuatorConfig.qlref b/java/ql/test/experimental/query-tests/security/CWE-016/InsecureSpringActuatorConfig.qlref deleted file mode 100644 index 9cd12d5e4fb1..000000000000 --- a/java/ql/test/experimental/query-tests/security/CWE-016/InsecureSpringActuatorConfig.qlref +++ /dev/null @@ -1 +0,0 @@ -experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql \ No newline at end of file diff --git a/java/ql/test/experimental/query-tests/security/CWE-016/SensitiveInfo.java b/java/ql/test/experimental/query-tests/security/CWE-016/SensitiveInfo.java deleted file mode 100644 index a3ff69c1b817..000000000000 --- a/java/ql/test/experimental/query-tests/security/CWE-016/SensitiveInfo.java +++ /dev/null 
@@ -1,13 +0,0 @@ -import org.springframework.stereotype.Controller; -import org.springframework.web.bind.annotation.RequestParam; -import org.springframework.web.bind.annotation.RequestMapping; - -@Controller -public class SensitiveInfo { - @RequestMapping - public void handleLogin(@RequestParam String username, @RequestParam String password) throws Exception { - if (!username.equals("") && password.equals("")) { - //Blank processing - } - } -} \ No newline at end of file diff --git a/java/ql/test/experimental/query-tests/security/CWE-016/application.properties b/java/ql/test/experimental/query-tests/security/CWE-016/application.properties deleted file mode 100644 index 797906a3ca3b..000000000000 --- a/java/ql/test/experimental/query-tests/security/CWE-016/application.properties +++ /dev/null @@ -1,14 +0,0 @@ -#management.endpoints.web.base-path=/admin - -# vulnerable configuration (spring boot 1.0 - 1.4): exposes actuators by default - -# vulnerable configuration (spring boot 1.5+): requires value false to expose sensitive actuators -management.security.enabled=false - -# vulnerable configuration (spring boot 2+): exposes health and info only by default, here overridden to expose everything -management.endpoints.web.exposure.include=* -management.endpoints.web.exposure.exclude=beans - -management.endpoint.shutdown.enabled=true - -management.endpoint.health.show-details=when_authorized \ No newline at end of file diff --git a/java/ql/test/experimental/query-tests/security/CWE-016/options b/java/ql/test/experimental/query-tests/security/CWE-016/options deleted file mode 100644 index 2ce7a4743cd3..000000000000 --- a/java/ql/test/experimental/query-tests/security/CWE-016/options +++ /dev/null @@ -1 +0,0 @@ -//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.8.x 
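Review bot: these deletions are the experimental-side half of the move, and between patch 01 and this one the repository holds two files with the same `@id java/insecure-spring-actuator-config`, one under experimental and one under Security/CWE/CWE-200. Doing the move as a single rename commit would avoid that intermediate state, let git follow the history of InsecureSpringActuatorConfig.ql across the move, and keep the series bisectable.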
diff --git a/java/ql/test/experimental/query-tests/security/CWE-016/pom.xml b/java/ql/test/experimental/query-tests/security/CWE-016/pom.xml deleted file mode 100644 index a9d5fa920c84..000000000000 --- a/java/ql/test/experimental/query-tests/security/CWE-016/pom.xml +++ /dev/null @@ -1,47 +0,0 @@ - - - 4.0.0 - - spring-boot-actuator-app - spring-boot-actuator-app - 1.0-SNAPSHOT - - - UTF-8 - 1.8 - 1.8 - - - - org.springframework.boot - spring-boot-starter-parent - 2.3.8.RELEASE - - - - - - org.springframework.boot - spring-boot-starter-web - - - org.springframework.boot - spring-boot-starter-actuator - - - org.springframework.boot - spring-boot-devtools - - - - org.springframework.boot - spring-boot-test - - - - \ No newline at end of file From 38260e76bfa271483123f330a644153b7ae5ef26 Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Thu, 10 Jul 2025 10:07:05 -0400 Subject: [PATCH 03/21] Java: remove deprecation --- .../InsecureSpringActuatorConfig.ql | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql index b21aa82e8baf..800fc6db5641 100644 --- a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql +++ b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql 
@@ -111,11 +111,9 @@ predicate hasConfidentialEndPointExposed(SpringBootPom pom, ApplicationPropertie ) } -deprecated query predicate problems(Dependency d, string message) { - exists(SpringBootPom pom | - hasConfidentialEndPointExposed(pom, _) and - d = pom.getADependency() and - d.getArtifact().getValue() = "spring-boot-starter-actuator" - ) and - message = "Insecure configuration of Spring Boot Actuator exposes sensitive endpoints." -} +from SpringBootPom pom, ApplicationProperties ap, Dependency d +where + hasConfidentialEndPointExposed(pom, ap) and + d = pom.getADependency() and + d.getArtifact().getValue() = "spring-boot-starter-actuator" +select d, "Insecure configuration of Spring Boot Actuator exposes sensitive endpoints." From fc930d918463721587fdc02f1a494493e26a8487 Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Thu, 10 Jul 2025 10:32:02 -0400 Subject: [PATCH 04/21] Java: update tests for non-experimental directory --- .../InsecureSpringActuatorConfig.qlref | 2 +- .../CWE-200/semmle/tests/InsecureSpringActuatorConfig/options | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.qlref b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.qlref index ada54d34dc12..bf30c44df85a 100644 --- a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.qlref +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.qlref @@ -1 +1 @@ -experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql +Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql 
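Review bot: in the new `from ... where ... select` of InsecureSpringActuatorConfig.ql, `ap` is bound in `from` and consumed by `hasConfidentialEndPointExposed(pom, ap)` but never reaches the result, so the alert lands on the `spring-boot-starter-actuator` dependency and gives no hint which `application.properties` carries the insecure setting. Since `ap` is already in scope, link it from the message, e.g. `select d, "Insecure configuration of Spring Boot Actuator in $@ exposes sensitive endpoints.", ap, "application.properties"`, so the reader is taken to the configuration rather than only to the pom.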
diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/options b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/options index 2ce7a4743cd3..ab29fd4e46fa 100644 --- a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/options +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/options @@ -1 +1 @@ -//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.8.x +//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../../stubs/springframework-5.8.x From ed8da5e151d29c127f0e099590af62ac6d310477 Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Mon, 14 Jul 2025 11:59:29 -0400 Subject: [PATCH 05/21] Java: convert tests to inline expectations --- .../InsecureSpringActuatorConfig.qlref | 3 ++- .../CWE-200/semmle/tests/InsecureSpringActuatorConfig/pom.xml | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.qlref b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.qlref index bf30c44df85a..b826de8eed31 100644 --- a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.qlref +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql +query: Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/pom.xml index a9d5fa920c84..105309271f86 100644 --- a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/pom.xml +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/pom.xml @@ -29,7 +29,7 @@ org.springframework.boot spring-boot-starter-actuator - + org.springframework.boot spring-boot-devtools From b479f5c8dcbfc7e0cce817833496e076b0a9d2c3 Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Mon, 14 Jul 2025 10:06:24 -0400 Subject: [PATCH 06/21] Java: fix integration tests --- .../java/query-suite/java-code-scanning.qls.expected | 1 + .../java/query-suite/java-security-and-quality.qls.expected | 1 + .../java/query-suite/java-security-extended.qls.expected | 1 + .../java/query-suite/not_included_in_qls.expected | 1 - 4 files changed, 3 insertions(+), 1 deletion(-) diff --git a/java/ql/integration-tests/java/query-suite/java-code-scanning.qls.expected b/java/ql/integration-tests/java/query-suite/java-code-scanning.qls.expected index 3290e0d84b0e..90b5b7ca491b 100644 --- a/java/ql/integration-tests/java/query-suite/java-code-scanning.qls.expected +++ b/java/ql/integration-tests/java/query-suite/java-code-scanning.qls.expected @@ -26,6 +26,7 @@ ql/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql ql/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql ql/java/ql/src/Security/CWE/CWE-1204/StaticInitializationVector.ql ql/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatString.ql +ql/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql ql/java/ql/src/Security/CWE/CWE-200/SpringBootActuators.ql ql/java/ql/src/Security/CWE/CWE-209/SensitiveDataExposureThroughErrorMessage.ql ql/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql 
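Review bot: listing the query in java-code-scanning.qls.expected means it will now run in the default Code Scanning suite, but the query's metadata block is not part of these hunks; confirm that InsecureSpringActuatorConfig.ql carries a `@precision` of `high` or `very-high` and a `@security-severity`, which are what the suite definitions filter on, and that its `@id` does not collide with the existing `Security/CWE/CWE-200/SpringBootActuators.ql` that sits directly below it in the same lists.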
diff --git a/java/ql/integration-tests/java/query-suite/java-security-and-quality.qls.expected b/java/ql/integration-tests/java/query-suite/java-security-and-quality.qls.expected index f4317f8e2a5c..b203ea23a629 100644 --- a/java/ql/integration-tests/java/query-suite/java-security-and-quality.qls.expected +++ b/java/ql/integration-tests/java/query-suite/java-security-and-quality.qls.expected @@ -142,6 +142,7 @@ ql/java/ql/src/Security/CWE/CWE-200/AndroidSensitiveNotifications.ql ql/java/ql/src/Security/CWE/CWE-200/AndroidSensitiveTextField.ql ql/java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsAllowsContentAccess.ql ql/java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsFileAccess.ql +ql/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql ql/java/ql/src/Security/CWE/CWE-200/SpringBootActuators.ql ql/java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosure.ql ql/java/ql/src/Security/CWE/CWE-209/SensitiveDataExposureThroughErrorMessage.ql diff --git a/java/ql/integration-tests/java/query-suite/java-security-extended.qls.expected b/java/ql/integration-tests/java/query-suite/java-security-extended.qls.expected index 209777cf4d98..c7dac907a962 100644 --- a/java/ql/integration-tests/java/query-suite/java-security-extended.qls.expected +++ b/java/ql/integration-tests/java/query-suite/java-security-extended.qls.expected 
@@ -45,6 +45,7 @@ ql/java/ql/src/Security/CWE/CWE-200/AndroidSensitiveNotifications.ql ql/java/ql/src/Security/CWE/CWE-200/AndroidSensitiveTextField.ql ql/java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsAllowsContentAccess.ql ql/java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsFileAccess.ql +ql/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql ql/java/ql/src/Security/CWE/CWE-200/SpringBootActuators.ql ql/java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosure.ql ql/java/ql/src/Security/CWE/CWE-209/SensitiveDataExposureThroughErrorMessage.ql diff --git a/java/ql/integration-tests/java/query-suite/not_included_in_qls.expected b/java/ql/integration-tests/java/query-suite/not_included_in_qls.expected index 1f58e51ad800..304c03873234 100644 --- a/java/ql/integration-tests/java/query-suite/not_included_in_qls.expected +++ b/java/ql/integration-tests/java/query-suite/not_included_in_qls.expected @@ -196,7 +196,6 @@ ql/java/ql/src/Violations of Best Practice/legacy/ParameterAssignment.ql ql/java/ql/src/Violations of Best Practice/legacy/UnnecessaryCast.ql ql/java/ql/src/Violations of Best Practice/legacy/UnnecessaryImport.ql ql/java/ql/src/definitions.ql -ql/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql ql/java/ql/src/experimental/Security/CWE/CWE-020/Log4jJndiInjection.ql ql/java/ql/src/experimental/Security/CWE/CWE-036/OpenStream.ql ql/java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql From 1b90a30d458aec0aee191ae3a6acbccb0a6b0eab Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Tue, 15 Jul 2025 11:13:02 -0400 Subject: [PATCH 07/21] Java: move code to .qll file --- .../SpringBootActuatorsConfigQuery.qll | 93 ++++++++++++++++++ .../InsecureSpringActuatorConfig.ql | 98 +------------------ 2 files changed, 94 insertions(+), 97 deletions(-) create mode 100644 java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll 
diff --git a/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll b/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll new file mode 100644 index 000000000000..5cf54f3436ce --- /dev/null +++ b/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll 
@@ -0,0 +1,93 @@ +/** Provides classes and predicates to reason about Spring Boot actuators exposed in configuration files. */ + +import java +private import semmle.code.configfiles.ConfigFiles +private import semmle.code.xml.MavenPom + +/** The parent node of the `org.springframework.boot` group. */ +class SpringBootParent extends Parent { + SpringBootParent() { this.getGroup().getValue() = "org.springframework.boot" } +} + +/** Class of Spring Boot dependencies. */ +class SpringBootPom extends Pom { + SpringBootPom() { this.getParentElement() instanceof SpringBootParent } + + /** Holds if the Spring Boot Actuator module `spring-boot-starter-actuator` is used in the project. */ + predicate isSpringBootActuatorUsed() { + this.getADependency().getArtifact().getValue() = "spring-boot-starter-actuator" + } + + /** + * Holds if the Spring Boot Security module is used in the project, which brings in other security + * related libraries. + */ + predicate isSpringBootSecurityUsed() { + this.getADependency().getArtifact().getValue() = "spring-boot-starter-security" + } +} + +/** The properties file `application.properties`. */ +class ApplicationProperties extends ConfigPair { + ApplicationProperties() { this.getFile().getBaseName() = "application.properties" } +} + +/** The configuration property `management.security.enabled`. */ +class ManagementSecurityConfig extends ApplicationProperties { + ManagementSecurityConfig() { this.getNameElement().getName() = "management.security.enabled" } + + /** Gets the whitespace-trimmed value of this property. */ + string getValue() { result = this.getValueElement().getValue().trim() } + + /** Holds if `management.security.enabled` is set to `false`. */ + predicate hasSecurityDisabled() { this.getValue() = "false" } + + /** Holds if `management.security.enabled` is set to `true`. */ + predicate hasSecurityEnabled() { this.getValue() = "true" } +} + +/** The configuration property `management.endpoints.web.exposure.include`. 
*/ +class ManagementEndPointInclude extends ApplicationProperties { + ManagementEndPointInclude() { + this.getNameElement().getName() = "management.endpoints.web.exposure.include" + } + + /** Gets the whitespace-trimmed value of this property. */ + string getValue() { result = this.getValueElement().getValue().trim() } +} + +/** + * Holds if `ApplicationProperties` ap of a repository managed by `SpringBootPom` pom + * has a vulnerable configuration of Spring Boot Actuator management endpoints. + */ +predicate hasConfidentialEndPointExposed(SpringBootPom pom, ApplicationProperties ap) { + pom.isSpringBootActuatorUsed() and + not pom.isSpringBootSecurityUsed() and + ap.getFile() + .getParentContainer() + .getAbsolutePath() + .matches(pom.getFile().getParentContainer().getAbsolutePath() + "%") and // in the same sub-directory + exists(string springBootVersion | springBootVersion = pom.getParentElement().getVersionString() | + springBootVersion.regexpMatch("1\\.[0-4].*") and // version 1.0, 1.1, ..., 1.4 + not exists(ManagementSecurityConfig me | + me.hasSecurityEnabled() and me.getFile() = ap.getFile() + ) + or + springBootVersion.matches("1.5%") and // version 1.5 + exists(ManagementSecurityConfig me | me.hasSecurityDisabled() and me.getFile() = ap.getFile()) + or + springBootVersion.matches("2.%") and //version 2.x + exists(ManagementEndPointInclude mi | + mi.getFile() = ap.getFile() and + ( + mi.getValue() = "*" // all endpoints are enabled + or + mi.getValue() + .matches([ + "%dump%", "%trace%", "%logfile%", "%shutdown%", "%startup%", "%mappings%", "%env%", + "%beans%", "%sessions%" + ]) // confidential endpoints to check although all endpoints apart from '/health' and '/info' are considered sensitive by Spring + ) + ) + ) +} diff --git a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql index 800fc6db5641..66d9a52c2cfc 100644 
--- a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql +++ b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql 
@@ -11,105 +11,9 @@ * external/cwe/cwe-016 */ -/* - * Note this query requires properties files to be indexed before it can produce results. - * If creating your own database with the CodeQL CLI, you should run - * `codeql database index-files --language=properties ...` - * If using lgtm.com, you should add `properties_files: true` to the index block of your - * lgtm.yml file (see https://lgtm.com/help/lgtm/java-extraction) - */ - import java -import semmle.code.configfiles.ConfigFiles import semmle.code.xml.MavenPom - -/** The parent node of the `org.springframework.boot` group. */ -class SpringBootParent extends Parent { - SpringBootParent() { this.getGroup().getValue() = "org.springframework.boot" } -} - -/** Class of Spring Boot dependencies. */ -class SpringBootPom extends Pom { - SpringBootPom() { this.getParentElement() instanceof SpringBootParent } - - /** Holds if the Spring Boot Actuator module `spring-boot-starter-actuator` is used in the project. */ - predicate isSpringBootActuatorUsed() { - this.getADependency().getArtifact().getValue() = "spring-boot-starter-actuator" - } - - /** - * Holds if the Spring Boot Security module is used in the project, which brings in other security - * related libraries. - */ - predicate isSpringBootSecurityUsed() { - this.getADependency().getArtifact().getValue() = "spring-boot-starter-security" - } -} - -/** The properties file `application.properties`. */ -class ApplicationProperties extends ConfigPair { - ApplicationProperties() { this.getFile().getBaseName() = "application.properties" } -} - -/** The configuration property `management.security.enabled`. */ -class ManagementSecurityConfig extends ApplicationProperties { - ManagementSecurityConfig() { this.getNameElement().getName() = "management.security.enabled" } - - /** Gets the whitespace-trimmed value of this property. */ - string getValue() { result = this.getValueElement().getValue().trim() } - - /** Holds if `management.security.enabled` is set to `false`. 
*/ - predicate hasSecurityDisabled() { this.getValue() = "false" } - - /** Holds if `management.security.enabled` is set to `true`. */ - predicate hasSecurityEnabled() { this.getValue() = "true" } -} - -/** The configuration property `management.endpoints.web.exposure.include`. */ -class ManagementEndPointInclude extends ApplicationProperties { - ManagementEndPointInclude() { - this.getNameElement().getName() = "management.endpoints.web.exposure.include" - } - - /** Gets the whitespace-trimmed value of this property. */ - string getValue() { result = this.getValueElement().getValue().trim() } -} - -/** - * Holds if `ApplicationProperties` ap of a repository managed by `SpringBootPom` pom - * has a vulnerable configuration of Spring Boot Actuator management endpoints. - */ -predicate hasConfidentialEndPointExposed(SpringBootPom pom, ApplicationProperties ap) { - pom.isSpringBootActuatorUsed() and - not pom.isSpringBootSecurityUsed() and - ap.getFile() - .getParentContainer() - .getAbsolutePath() - .matches(pom.getFile().getParentContainer().getAbsolutePath() + "%") and // in the same sub-directory - exists(string springBootVersion | springBootVersion = pom.getParentElement().getVersionString() | - springBootVersion.regexpMatch("1\\.[0-4].*") and // version 1.0, 1.1, ..., 1.4 - not exists(ManagementSecurityConfig me | - me.hasSecurityEnabled() and me.getFile() = ap.getFile() - ) - or - springBootVersion.matches("1.5%") and // version 1.5 - exists(ManagementSecurityConfig me | me.hasSecurityDisabled() and me.getFile() = ap.getFile()) - or - springBootVersion.matches("2.%") and //version 2.x - exists(ManagementEndPointInclude mi | - mi.getFile() = ap.getFile() and - ( - mi.getValue() = "*" // all endpoints are enabled - or - mi.getValue() - .matches([ - "%dump%", "%trace%", "%logfile%", "%shutdown%", "%startup%", "%mappings%", "%env%", - "%beans%", "%sessions%" - ]) // confidential endpoints to check although all endpoints apart from '/health' and '/info' are 
considered sensitive by Spring - ) - ) - ) -} +import semmle.code.java.security.SpringBootActuatorsConfigQuery from SpringBootPom pom, ApplicationProperties ap, Dependency d where From 3823186dc6dc53c87fdd143fbf6d7d95dbbe4e8e Mon Sep 17 00:00:00 2001 
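Review bot: in `hasConfidentialEndPointExposed` in SpringBootActuatorsConfigQuery.qll the "same sub-directory" check is a bare prefix match, `.matches(pom.getFile().getParentContainer().getAbsolutePath() + "%")`, so a pom in `/repo/app` also claims `/repo/app-admin/src/main/resources/application.properties`; require either equality with the pom directory (the fixtures keep pom.xml and application.properties side by side) or a `/`-terminated prefix, `matches(pomDir + "/%")`. Two further gaps in the same predicate: the version branch `springBootVersion.matches("2.%")` stops at 2.x although `management.endpoints.web.exposure.include` has the same meaning on Spring Boot 3.x, so a 3.x project with `include=*` is never reported, and `management.endpoints.web.exposure.exclude` is not read at all, so `include=*` paired with an `exclude` list naming the sensitive endpoints is still flagged.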
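Review bot: the query file now lives under `Security/CWE/CWE-200/`, but the metadata tail still visible at the top of the hunk ends with `external/cwe/cwe-016`; add `external/cwe/cwe-200`, since information exposure is the impact being reported and the directory move says as much. The removed header comment about `codeql database index-files --language=properties` and lgtm.yml was stale, but if properties files still have to be indexed for this query to produce results, that requirement belongs in the qhelp; otherwise users see an empty result set and assume the configuration is clean.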
From: Jami Cogswell Date: Tue, 15 Jul 2025 19:21:21 -0400 Subject: [PATCH 08/21] Java: split tests by versions splitting is required to properly test each scenario --- .../InsecureSpringActuatorConfig.expected | 7 ++- .../bad/default/application.properties | 1 + .../{ => Version1.4-/bad/default}/pom.xml | 2 +- .../bad/false/application.properties | 2 + .../Version1.4-/bad/false/pom.xml | 47 +++++++++++++++++++ .../Version1.4-/good/application.properties | 2 + .../Version1.4-/good/pom.xml | 47 +++++++++++++++++++ .../Version1.5/bad/application.properties | 2 + .../Version1.5/bad/pom.xml | 47 +++++++++++++++++++ .../Version1.5/good/application.properties | 2 + .../Version1.5/good/pom.xml | 47 +++++++++++++++++++ .../{ => Version2+}/application.properties | 0 .../Version2+/bad/application.properties | 7 +++ .../Version2+/bad/pom.xml | 47 +++++++++++++++++++ .../Version2+/good/application.properties | 2 + .../Version2+/good/pom.xml | 47 +++++++++++++++++++ 16 files changed, 307 insertions(+), 2 deletions(-) create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/default/application.properties rename java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/{ => Version1.4-/bad/default}/pom.xml (97%) create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/false/application.properties create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/false/pom.xml create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/good/application.properties create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/good/pom.xml create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/bad/application.properties 
create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/bad/pom.xml create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/good/application.properties create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/good/pom.xml rename java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/{ => Version2+}/application.properties (100%) create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/bad/application.properties create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/bad/pom.xml create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/good/application.properties create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/good/pom.xml diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.expected b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.expected index 486302939857..da7a570f9823 100644 --- a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.expected +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.expected 
@@ -1 +1,6 @@ -| pom.xml:29:9:32:22 | dependency | Insecure configuration of Spring Boot Actuator exposes sensitive endpoints. | +#select +| Version1.4-/bad/false/pom.xml:29:9:32:22 | dependency | Insecure configuration of Spring Boot Actuator exposes sensitive endpoints. | +| Version1.5/bad/pom.xml:29:9:32:22 | dependency | Insecure configuration of Spring Boot Actuator exposes sensitive endpoints. | +| Version2+/bad/pom.xml:29:9:32:22 | dependency | Insecure configuration of Spring Boot Actuator exposes sensitive endpoints. | +testFailures +| Version1.4-/bad/default/pom.xml:32:23:32:39 | $ Alert | Missing result: Alert | diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/default/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/default/application.properties new file mode 100644 index 000000000000..a41bbc9fdca3 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/default/application.properties @@ -0,0 +1 @@ +# vulnerable configuration (spring boot 1.0 - 1.4): exposes actuators by default \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/default/pom.xml similarity index 97% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/pom.xml rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/default/pom.xml index 105309271f86..83c7d2685f37 100644 --- a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/pom.xml +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/default/pom.xml 
@@ -17,7 +17,7 @@ org.springframework.boot spring-boot-starter-parent - 2.3.8.RELEASE + 1.2.6.RELEASE diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/false/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/false/application.properties new file mode 100644 index 000000000000..621b859214cb --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/false/application.properties @@ -0,0 +1,2 @@ +# vulnerable configuration (spring boot 1.0 - 1.4): exposes actuators by default +management.security.enabled=false \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/false/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/false/pom.xml new file mode 100644 index 000000000000..83c7d2685f37 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/false/pom.xml @@ -0,0 +1,47 @@ + + + 4.0.0 + + spring-boot-actuator-app + spring-boot-actuator-app + 1.0-SNAPSHOT + + + UTF-8 + 1.8 + 1.8 + + + + org.springframework.boot + spring-boot-starter-parent + 1.2.6.RELEASE + + + + + + org.springframework.boot + spring-boot-starter-web + + + org.springframework.boot + spring-boot-starter-actuator + + + org.springframework.boot + spring-boot-devtools + + + + org.springframework.boot + spring-boot-test + + + + \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/good/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/good/application.properties new file mode 100644 index 000000000000..6cadc4c756d1 --- /dev/null 
+++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/good/application.properties @@ -0,0 +1,2 @@ +# safe configuration (spring boot 1.0 - 1.4): exposes actuators by default +management.security.enabled=true \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/good/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/good/pom.xml new file mode 100644 index 000000000000..452d4b69c354 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/good/pom.xml @@ -0,0 +1,47 @@ + + + 4.0.0 + + spring-boot-actuator-app + spring-boot-actuator-app + 1.0-SNAPSHOT + + + UTF-8 + 1.8 + 1.8 + + + + org.springframework.boot + spring-boot-starter-parent + 1.2.6.RELEASE + + + + + + org.springframework.boot + spring-boot-starter-web + + + org.springframework.boot + spring-boot-starter-actuator + + + org.springframework.boot + spring-boot-devtools + + + org.springframework.boot + spring-boot-starter-security + + + org.springframework.boot + spring-boot-test + + + + \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/bad/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/bad/application.properties new file mode 100644 index 000000000000..f1e8f6587d05 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/bad/application.properties @@ -0,0 +1,2 @@ +# safe configuration (spring boot 1.5+): requires value false to expose sensitive actuators +management.security.enabled=false \ No newline at end of file 
diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/bad/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/bad/pom.xml new file mode 100644 index 000000000000..aa1a4bcaf056 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/bad/pom.xml @@ -0,0 +1,47 @@ + + + 4.0.0 + + spring-boot-actuator-app + spring-boot-actuator-app + 1.0-SNAPSHOT + + + UTF-8 + 1.8 + 1.8 + + + + org.springframework.boot + spring-boot-starter-parent + 1.5.6.RELEASE + + + + + + org.springframework.boot + spring-boot-starter-web + + + org.springframework.boot + spring-boot-starter-actuator + + + org.springframework.boot + spring-boot-devtools + + + + org.springframework.boot + spring-boot-test + + + + \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/good/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/good/application.properties new file mode 100644 index 000000000000..bec45a22b82d --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/good/application.properties @@ -0,0 +1,2 @@ +# vulnerable configuration (spring boot 1.5+): requires value false to expose sensitive actuators +management.security.enabled=true \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/good/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/good/pom.xml new file mode 100644 index 000000000000..39b46bef7e48 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/good/pom.xml 
@@ -0,0 +1,47 @@ + + + 4.0.0 + + spring-boot-actuator-app + spring-boot-actuator-app + 1.0-SNAPSHOT + + + UTF-8 + 1.8 + 1.8 + + + + org.springframework.boot + spring-boot-starter-parent + 1.5.6.RELEASE + + + + + + org.springframework.boot + spring-boot-starter-web + + + org.springframework.boot + spring-boot-starter-actuator + + + org.springframework.boot + spring-boot-devtools + + + org.springframework.boot + spring-boot-starter-security + + + org.springframework.boot + spring-boot-test + + + + \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/application.properties similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/application.properties rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/application.properties diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/bad/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/bad/application.properties new file mode 100644 index 000000000000..a2e73d7022c8 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/bad/application.properties @@ -0,0 +1,7 @@ +# vulnerable configuration (spring boot 2+): exposes health and info only by default, here overridden to expose everything +management.endpoints.web.exposure.include=* +management.endpoints.web.exposure.exclude=beans + +management.endpoint.shutdown.enabled=true + +management.endpoint.health.show-details=when_authorized \ No newline at end of file 
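Review bot: the fixture comments in the Spring Boot 1.5 tests are swapped: `Version1.5/bad/application.properties` opens with `# safe configuration (spring boot 1.5+)` above `management.security.enabled=false`, while `Version1.5/good/application.properties` says `# vulnerable configuration` above `=true`; flip the two headers so each fixture documents what it tests. `Version1.4-/good/application.properties` has a milder version of the same problem, since `# safe configuration (spring boot 1.0 - 1.4): exposes actuators by default` describes the default rather than the `management.security.enabled=true` override beneath it. In `Version2+/bad/application.properties`, the query never reads `management.endpoints.web.exposure.exclude=beans`, so a comment stating that the case is bad because of `include=*` regardless of the exclude list would stop a reader from drawing the wrong conclusion.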
diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/bad/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/bad/pom.xml new file mode 100644 index 000000000000..c22f08d7e7ec --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/bad/pom.xml @@ -0,0 +1,47 @@ + + + 4.0.0 + + spring-boot-actuator-app + spring-boot-actuator-app + 1.0-SNAPSHOT + + + UTF-8 + 1.8 + 1.8 + + + + org.springframework.boot + spring-boot-starter-parent + 2.2.6.RELEASE + + + + + + org.springframework.boot + spring-boot-starter-web + + + org.springframework.boot + spring-boot-starter-actuator + + + org.springframework.boot + spring-boot-devtools + + + + org.springframework.boot + spring-boot-test + + + + \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/good/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/good/application.properties new file mode 100644 index 000000000000..c14bf64b13b6 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/good/application.properties @@ -0,0 +1,2 @@ +# safe configuration (spring boot 2+): exposes health and info only by default, here overridden to expose one additional endpoint which we assume is intentional and safe. +management.endpoints.web.exposure.include=beans,info,health \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/good/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/good/pom.xml new file mode 100644 index 000000000000..e65ebf04701a --- /dev/null 
+++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/good/pom.xml @@ -0,0 +1,47 @@ + + + 4.0.0 + + spring-boot-actuator-app + spring-boot-actuator-app + 1.0-SNAPSHOT + + + UTF-8 + 1.8 + 1.8 + + + + org.springframework.boot + spring-boot-starter-parent + 2.2.6.RELEASE + + + + + + org.springframework.boot + spring-boot-starter-web + + + org.springframework.boot + spring-boot-starter-actuator + + + org.springframework.boot + spring-boot-devtools + + + org.springframework.boot + spring-boot-starter-security + + + org.springframework.boot + spring-boot-test + + + + \ No newline at end of file From 2bfc4b4ee207a23905eb9ce64bc84b735d83a77f Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Tue, 15 Jul 2025 19:50:04 -0400 Subject: [PATCH 09/21] Java: fix test case for version 1.4 Need the existence of an ApplicationProperties File, not an ApplicationProperties ConfigPair --- .../SpringBootActuatorsConfigQuery.qll | 65 ++++++++++--------- .../InsecureSpringActuatorConfig.ql | 4 +- .../InsecureSpringActuatorConfig.expected | 4 +- 3 files changed, 39 insertions(+), 34 deletions(-) diff --git a/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll b/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll index 5cf54f3436ce..241b64821e8c 100644 --- a/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll +++ b/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll 
@@ -28,12 +28,17 @@ class SpringBootPom extends Pom { } /** The properties file `application.properties`. */ -class ApplicationProperties extends ConfigPair { - ApplicationProperties() { this.getFile().getBaseName() = "application.properties" } +class ApplicationPropertiesFile extends File { + ApplicationPropertiesFile() { this.getBaseName() = "application.properties" } +} + +/** A name-value pair stored in an `application.properties` file. */ +class ApplicationPropertiesConfigPair extends ConfigPair { + ApplicationPropertiesConfigPair() { this.getFile() instanceof ApplicationPropertiesFile } } /** The configuration property `management.security.enabled`. */ -class ManagementSecurityConfig extends ApplicationProperties { +class ManagementSecurityConfig extends ApplicationPropertiesConfigPair { ManagementSecurityConfig() { this.getNameElement().getName() = "management.security.enabled" } /** Gets the whitespace-trimmed value of this property. */ @@ -47,7 +52,7 @@ class ManagementSecurityConfig extends ApplicationProperties { } /** The configuration property `management.endpoints.web.exposure.include`. */ -class ManagementEndPointInclude extends ApplicationProperties { +class ManagementEndPointInclude extends ApplicationPropertiesConfigPair { ManagementEndPointInclude() { this.getNameElement().getName() = "management.endpoints.web.exposure.include" } 
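Review bot: `ApplicationPropertiesFile` matches on the base name `application.properties` only, so the scope of the query should be stated in the QLDoc. Spring Boot reads the same `management.*` keys from `application.yml`/`application.yaml` and from profile-specific files such as `application-prod.properties`, none of which are matched here; an exposure configured in YAML is a false negative, and a `management.security.enabled=true` placed in a profile file will not suppress the alert. A one-line note on the class ("YAML and profile-specific configuration files are not modelled") would save the next reader from assuming coverage that is not there.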
@@ -60,33 +65,35 @@ class ManagementEndPointInclude extends ApplicationProperties { * Holds if `ApplicationProperties` ap of a repository managed by `SpringBootPom` pom * has a vulnerable configuration of Spring Boot Actuator management endpoints. */ -predicate hasConfidentialEndPointExposed(SpringBootPom pom, ApplicationProperties ap) { +predicate hasConfidentialEndPointExposed(SpringBootPom pom) { pom.isSpringBootActuatorUsed() and not pom.isSpringBootSecurityUsed() and - ap.getFile() - .getParentContainer() - .getAbsolutePath() - .matches(pom.getFile().getParentContainer().getAbsolutePath() + "%") and // in the same sub-directory - exists(string springBootVersion | springBootVersion = pom.getParentElement().getVersionString() | - springBootVersion.regexpMatch("1\\.[0-4].*") and // version 1.0, 1.1, ..., 1.4 - not exists(ManagementSecurityConfig me | - me.hasSecurityEnabled() and me.getFile() = ap.getFile() - ) - or - springBootVersion.matches("1.5%") and // version 1.5 - exists(ManagementSecurityConfig me | me.hasSecurityDisabled() and me.getFile() = ap.getFile()) - or - springBootVersion.matches("2.%") and //version 2.x - exists(ManagementEndPointInclude mi | - mi.getFile() = ap.getFile() and - ( - mi.getValue() = "*" // all endpoints are enabled - or - mi.getValue() - .matches([ - "%dump%", "%trace%", "%logfile%", "%shutdown%", "%startup%", "%mappings%", "%env%", - "%beans%", "%sessions%" - ]) // confidential endpoints to check although all endpoints apart from '/health' and '/info' are considered sensitive by Spring + exists(ApplicationPropertiesFile apFile | + apFile + .getParentContainer() + .getAbsolutePath() + .matches(pom.getFile().getParentContainer().getAbsolutePath() + "%") and // in the same sub-directory + exists(string springBootVersion | + springBootVersion = pom.getParentElement().getVersionString() + | + springBootVersion.regexpMatch("1\\.[0-4].*") and // version 1.0, 1.1, ..., 1.4 + not exists(ManagementSecurityConfig me | 
me.hasSecurityEnabled() and me.getFile() = apFile) + or + springBootVersion.matches("1.5%") and // version 1.5 + exists(ManagementSecurityConfig me | me.hasSecurityDisabled() and me.getFile() = apFile) + or + springBootVersion.matches("2.%") and //version 2.x + exists(ManagementEndPointInclude mi | + mi.getFile() = apFile and + ( + mi.getValue() = "*" // all endpoints are enabled + or + mi.getValue() + .matches([ + "%dump%", "%trace%", "%logfile%", "%shutdown%", "%startup%", "%mappings%", + "%env%", "%beans%", "%sessions%" + ]) // confidential endpoints to check although all endpoints apart from '/health' and '/info' are considered sensitive by Spring + ) ) ) ) diff --git a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql index 66d9a52c2cfc..89f3777f0c23 100644 --- a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql +++ b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql @@ -15,9 +15,9 @@ import java import semmle.code.xml.MavenPom import semmle.code.java.security.SpringBootActuatorsConfigQuery -from SpringBootPom pom, ApplicationProperties ap, Dependency d +from SpringBootPom pom, Dependency d where - hasConfidentialEndPointExposed(pom, ap) and + hasConfidentialEndPointExposed(pom) and d = pom.getADependency() and d.getArtifact().getValue() = "spring-boot-starter-actuator" select d, "Insecure configuration of Spring Boot Actuator exposes sensitive endpoints." diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.expected b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.expected index da7a570f9823..d7043f403fb7 100644 
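Review bot: the new `exists(ApplicationPropertiesFile apFile | ...)` now wraps all three version branches, so a Spring Boot 1.0-1.4 project that ships no `application.properties` at all is never flagged, although that is exactly the "exposes actuators by default" case the first branch is meant to catch; only a project that happens to have an (otherwise empty) properties file is reported. The 1.x default branch should not require a file to exist. Separately, the "same sub-directory" test `apFile.getParentContainer().getAbsolutePath().matches(pom.getFile().getParentContainer().getAbsolutePath() + "%")` is a plain string-prefix match: a sibling module `/repo/app2` matches the prefix `/repo/app`, and `src/test/resources/application.properties` under the same module is swept in too, which is a common place to find `management.security.enabled=false`. Suggest comparing containers (for example `apFile.getParentContainer+() = pom.getFile().getParentContainer()`) and restricting to `src/main/resources`, or at least appending the path separator to the prefix.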
--- a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.expected +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.expected @@ -1,6 +1,4 @@ -#select +| Version1.4-/bad/default/pom.xml:29:9:32:22 | dependency | Insecure configuration of Spring Boot Actuator exposes sensitive endpoints. | | Version1.4-/bad/false/pom.xml:29:9:32:22 | dependency | Insecure configuration of Spring Boot Actuator exposes sensitive endpoints. | | Version1.5/bad/pom.xml:29:9:32:22 | dependency | Insecure configuration of Spring Boot Actuator exposes sensitive endpoints. | | Version2+/bad/pom.xml:29:9:32:22 | dependency | Insecure configuration of Spring Boot Actuator exposes sensitive endpoints. | -testFailures -| Version1.4-/bad/default/pom.xml:32:23:32:39 | $ Alert | Missing result: Alert | From ae163a9f36c0a3d08f6c78404a438bfc7101cf96 Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Tue, 15 Jul 2025 20:02:30 -0400 Subject: [PATCH 10/21] Java: add overlay annotations --- .../code/java/security/SpringBootActuatorsConfigQuery.qll | 2 ++ 1 file changed, 2 insertions(+) diff --git a/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll b/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll index 241b64821e8c..ccae3a4f9297 100644 --- a/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll +++ b/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll @@ -1,4 +1,6 @@ /** Provides classes and predicates to reason about Spring Boot actuators exposed in configuration files. */ +overlay[local?] +module; import java private import semmle.code.configfiles.ConfigFiles From 0d2a4222fd14fd2290b462d990efa10026d7efb7 Mon Sep 17 00:00:00 2001 
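Review bot: the removed `testFailures` row (`Version1.4-/bad/default/pom.xml:32:23:32:39 | $ Alert | Missing result: Alert`) shows that the test poms carry inline `$ Alert` annotations, while this hunk drops the `#select`/`testFailures` sections and switches to a plain results file. Please confirm the inline annotations (and the `options` file added in the first commit of this series, if it enables inline expectations) are removed or still honoured, so the two expectation mechanisms do not drift apart silently.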
From: Jami Cogswell Date: Tue, 15 Jul 2025 21:45:50 -0400 Subject: [PATCH 11/21] Java: add related location to alert message --- .../SpringBootActuatorsConfigQuery.qll | 41 +++++++++++++++---- .../InsecureSpringActuatorConfig.ql | 8 ++-- .../InsecureSpringActuatorConfig.expected | 8 ++-- 3 files changed, 43 insertions(+), 14 deletions(-) diff --git a/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll b/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll index ccae3a4f9297..f8ff20f9978a 100644 --- a/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll +++ b/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll @@ -48,9 +48,6 @@ class ManagementSecurityConfig extends ApplicationPropertiesConfigPair { /** Holds if `management.security.enabled` is set to `false`. */ predicate hasSecurityDisabled() { this.getValue() = "false" } - - /** Holds if `management.security.enabled` is set to `true`. */ - predicate hasSecurityEnabled() { this.getValue() = "true" } } /** The configuration property `management.endpoints.web.exposure.include`. */ 
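Review bot: removing the public predicate `hasSecurityEnabled()` from `ManagementSecurityConfig` is an API change to a library under `java/ql/lib/semmle/code/java/security`, and it is unrelated to the commit's stated purpose (adding a related location). If this module is already part of a released pack, keep a `deprecated` alias and add a change note; if it only ever backed the experimental query, say so in the commit message so reviewers do not have to check.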
@@ -63,11 +60,37 @@ class ManagementEndPointInclude extends ApplicationPropertiesConfigPair { string getValue() { result = this.getValueElement().getValue().trim() } } +private newtype TOption = + TNone() or + TSome(ApplicationPropertiesConfigPair ap) + +/** + * An option type that is either a singleton `None` or a `Some` wrapping + * the `ApplicationPropertiesConfigPair` type. + */ +class ApplicationPropertiesOption extends TOption { + /** Gets a textual representation of this element. */ + string toString() { + this = TNone() and result = "(none)" + or + result = this.asSome().toString() + } + + /** Gets the location of this element. */ + Location getLocation() { result = this.asSome().getLocation() } + + /** Gets the wrapped element, if any. */ + ApplicationPropertiesConfigPair asSome() { this = TSome(result) } + + /** Holds if this option is the singleton `None`. */ + predicate isNone() { this = TNone() } +} + /** * Holds if `ApplicationProperties` ap of a repository managed by `SpringBootPom` pom * has a vulnerable configuration of Spring Boot Actuator management endpoints. */ -predicate hasConfidentialEndPointExposed(SpringBootPom pom) { +predicate hasConfidentialEndPointExposed(SpringBootPom pom, ApplicationPropertiesOption apOption) { pom.isSpringBootActuatorUsed() and not pom.isSpringBootSecurityUsed() and exists(ApplicationPropertiesFile apFile | 
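Review bot: `getLocation()` has no result when `this = TNone()`, and the query in this same patch uses the option as a `$@` link target, so the 1.0-1.4 default-configuration alert ends up with the placeholder location `file://:0:0:0:0` (visible in the updated `.expected` rows). Consider giving the `None` case a real anchor, for example the pom's `<parent>` element or the actuator dependency itself, via a `hasLocationInfo` fallback, so the "configuration" link is clickable in every result. Also worth a doc comment on `TSome`: it is instantiated for every name-value pair in every `application.properties`, not just the two properties the query cares about, which is harmless but surprising.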
@@ -79,14 +102,18 @@ predicate hasConfidentialEndPointExposed(SpringBootPom pom) { springBootVersion = pom.getParentElement().getVersionString() | springBootVersion.regexpMatch("1\\.[0-4].*") and // version 1.0, 1.1, ..., 1.4 - not exists(ManagementSecurityConfig me | me.hasSecurityEnabled() and me.getFile() = apFile) + not exists(ManagementSecurityConfig me | me.getFile() = apFile) and + apOption.isNone() or - springBootVersion.matches("1.5%") and // version 1.5 - exists(ManagementSecurityConfig me | me.hasSecurityDisabled() and me.getFile() = apFile) + springBootVersion.regexpMatch("1\\.[0-5].*") and // version 1.0, 1.1, ..., 1.5 + exists(ManagementSecurityConfig me | + me.hasSecurityDisabled() and me.getFile() = apFile and me = apOption.asSome() + ) or springBootVersion.matches("2.%") and //version 2.x exists(ManagementEndPointInclude mi | mi.getFile() = apFile and + mi = apOption.asSome() and ( mi.getValue() = "*" // all endpoints are enabled or diff --git a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql index 89f3777f0c23..2437a77953df 100644 --- a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql +++ b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql 
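Review bot: the two 1.x branches now overlap on purpose (the first regex `1\\.[0-4].*` is the implicit default, the second `1\\.[0-5].*` is an explicit `management.security.enabled=false`), but without a comment the change from `matches("1.5%")` reads like a typo; please state the intent next to the regexes. A logic caveat on the first branch: the predicate already requires `not pom.isSpringBootSecurityUsed()`, and as far as I recall `management.security.enabled` in Spring Boot 1.0-1.4 is only consumed by the Spring Security management auto-configuration, so a properties file that sets it to `true` without the security starter on the classpath does not protect anything, yet `not exists(ManagementSecurityConfig me | me.getFile() = apFile)` treats its mere presence as a suppressor. Worth checking against the 1.x reference before keeping that exemption. Finally, the version is taken only from `pom.getParentElement().getVersionString()`; projects that pull the Boot version via a `spring-boot-dependencies` BOM import in `dependencyManagement` have no parent element and fall through every branch, which should be documented as a known false negative.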
@@ -15,9 +15,11 @@ import java import semmle.code.xml.MavenPom import semmle.code.java.security.SpringBootActuatorsConfigQuery -from SpringBootPom pom, Dependency d +from SpringBootPom pom, Dependency d, ApplicationPropertiesOption apOption where - hasConfidentialEndPointExposed(pom) and + hasConfidentialEndPointExposed(pom, apOption) and d = pom.getADependency() and d.getArtifact().getValue() = "spring-boot-starter-actuator" -select d, "Insecure configuration of Spring Boot Actuator exposes sensitive endpoints." +select d, + "Insecure $@ of Spring Boot Actuator exposes sensitive endpoints (" + + pom.getParentElement().getVersionString() + ").", apOption, "configuration" diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.expected b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.expected index d7043f403fb7..70a6068ab3f1 100644 --- a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.expected +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.expected 
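Review bot: the `where` clause filters on `d.getArtifact().getValue() = "spring-boot-starter-actuator"` while the library predicate gates on `pom.isSpringBootActuatorUsed()`; if the latter also accepts the non-starter artifact `spring-boot-actuator`, a pom that depends on it directly satisfies the predicate but never produces a result because no `Dependency` matches here. Either reuse a single artifact-name predicate in both places or select the pom (or its `<parent>`) when no matching dependency element is found, so the two conditions cannot diverge.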
@@ -1,4 +1,4 @@ -| Version1.4-/bad/default/pom.xml:29:9:32:22 | dependency | Insecure configuration of Spring Boot Actuator exposes sensitive endpoints. | -| Version1.4-/bad/false/pom.xml:29:9:32:22 | dependency | Insecure configuration of Spring Boot Actuator exposes sensitive endpoints. | -| Version1.5/bad/pom.xml:29:9:32:22 | dependency | Insecure configuration of Spring Boot Actuator exposes sensitive endpoints. | -| Version2+/bad/pom.xml:29:9:32:22 | dependency | Insecure configuration of Spring Boot Actuator exposes sensitive endpoints. | +| Version1.4-/bad/default/pom.xml:29:9:32:22 | dependency | Insecure $@ of Spring Boot Actuator exposes sensitive endpoints (1.2.6.RELEASE). | file://:0:0:0:0 | (none) | configuration | +| Version1.4-/bad/false/pom.xml:29:9:32:22 | dependency | Insecure $@ of Spring Boot Actuator exposes sensitive endpoints (1.2.6.RELEASE). | Version1.4-/bad/false/application.properties:2:1:2:33 | management.security.enabled=false | configuration | +| Version1.5/bad/pom.xml:29:9:32:22 | dependency | Insecure $@ of Spring Boot Actuator exposes sensitive endpoints (1.5.6.RELEASE). | Version1.5/bad/application.properties:2:1:2:33 | management.security.enabled=false | configuration | +| Version2+/bad/pom.xml:29:9:32:22 | dependency | Insecure $@ of Spring Boot Actuator exposes sensitive endpoints (2.2.6.RELEASE). | Version2+/bad/application.properties:2:1:2:43 | management.endpoints.web.exposure.include=* | configuration | From afa6610cb9978b6a283e5c8dc9700781bf062d6f Mon Sep 17 00:00:00 2001 
From: Jami Cogswell Date: Thu, 17 Jul 2025 11:00:49 -0400 Subject: [PATCH 12/21] Java: update qhelp --- .../InsecureSpringActuatorConfig.qhelp | 44 +++++++--------- .../application.properties | 22 -------- .../application_bad.properties | 10 ++++ .../application_good.properties | 11 ++++ .../InsecureSpringActuatorConfig/pom_bad.xml | 50 ------------------- .../InsecureSpringActuatorConfig/pom_good.xml | 42 +--------------- 6 files changed, 41 insertions(+), 138 deletions(-) delete mode 100644 java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/application.properties create mode 100644 java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/application_bad.properties create mode 100644 java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/application_good.properties delete mode 100644 java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/pom_bad.xml diff --git a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.qhelp b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.qhelp index 7e31b43ba7a1..d3e79e88ed75 100644 --- a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.qhelp +++ b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.qhelp @@ -1,43 +1,35 @@ -

    Spring Boot is a popular framework that facilitates the development of stand-alone applications -and micro services. Spring Boot Actuator helps to expose production-ready support features against -Spring Boot applications.

    - -

    Endpoints of Spring Boot Actuator allow to monitor and interact with a Spring Boot application. -Exposing unprotected actuator endpoints through configuration files can lead to information disclosure -or even remote code execution vulnerability.

    - -

    Rather than programmatically permitting endpoint requests or enforcing access control, frequently -developers simply leave management endpoints publicly accessible in the application configuration file -application.properties without enforcing access control through Spring Security.

    +

    Spring Boot includes features called actuators that let you monitor and interact with your web + application. Exposing unprotected actuator endpoints through configuration files can lead to + information disclosure or even to remote code execution.

    -

    Declare the Spring Boot Starter Security module in XML configuration or programmatically enforce -security checks on management endpoints using Spring Security. Otherwise accessing management endpoints -on a different HTTP port other than the port that the web application is listening on also helps to -improve the security.

    +

    Since actuator endpoints may contain sensitive information, carefully consider when to expose them, + and secure them as you would any sensitive URL. If you need to expose actuator endpoints, use Spring + Security, which secures actuators by default, or define a custom security configuration. +

    -

    The following examples show both 'BAD' and 'GOOD' configurations. In the 'BAD' configuration, -no security module is declared and sensitive management endpoints are exposed. In the 'GOOD' configuration, -security is enforced and only endpoints requiring exposure are exposed.

    +

    The following examples show application.properties configurations that expose sensitive + actuator endpoints.

    + + +

    The below configurations ensure that sensitive actuator endpoints are not exposed.

    + + +

    To use Spring Security, which secures actuators by default, add the spring-boot-starter-security + dependency in your Maven pom.xml file.

    - -
  • - Spring Boot documentation: - Spring Boot Actuator: Production-ready Features -
  • -
  • - VERACODE Blog: - Exploiting Spring Boot Actuators + Spring Boot Reference Documentation: + Endpoints.
  • HackerOne Report: diff --git a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/application.properties b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/application.properties deleted file mode 100644 index 441d752508c9..000000000000 --- a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/application.properties +++ /dev/null @@ -1,22 +0,0 @@ -#management.endpoints.web.base-path=/admin - - -#### BAD: All management endpoints are accessible #### -# vulnerable configuration (spring boot 1.0 - 1.4): exposes actuators by default - -# vulnerable configuration (spring boot 1.5+): requires value false to expose sensitive actuators -management.security.enabled=false - -# vulnerable configuration (spring boot 2+): exposes health and info only by default, here overridden to expose everything -management.endpoints.web.exposure.include=* - - -#### GOOD: All management endpoints have access control #### -# safe configuration (spring boot 1.0 - 1.4): exposes actuators by default -management.security.enabled=true - -# safe configuration (spring boot 1.5+): requires value false to expose sensitive actuators -management.security.enabled=true - -# safe configuration (spring boot 2+): exposes health and info only by default, here overridden to expose one additional endpoint which we assume is intentional and safe. -management.endpoints.web.exposure.include=beans,info,health diff --git a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/application_bad.properties b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/application_bad.properties new file mode 100644 index 000000000000..ccf1cb678813 --- /dev/null +++ b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/application_bad.properties 
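Review bot: the rewritten recommendation only says to add Spring Security, but it never names the properties the examples turn on, and the query's logic is version-specific: `management.security.enabled` governs 1.x, `management.endpoints.web.exposure.include` governs 2.x and 3.x. A sentence per version in the recommendation would let a reader map the alert's related location back to the fix. The old text's advice to serve management endpoints on a separate port from the application was dropped entirely; that is still a reasonable defence-in-depth measure, so say explicitly whether dropping it is intentional. Also note that `spring-boot-starter-security` alone is only a complete fix when no custom `SecurityFilterChain` re-opens `/actuator/**`; the phrase "secures actuators by default" deserves that qualifier.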
@@ -0,0 +1,10 @@ +# vulnerable configuration (Spring Boot 1.0 - 1.4): exposes endpoints by default + +# vulnerable configuration (Spring Boot 1.5): false value exposes endpoints +management.security.enabled=false + +# vulnerable configuration (Spring Boot 2.x): exposes all endpoints +management.endpoints.web.exposure.include=* + +# vulnerable configuration (Spring Boot 3.x): exposes all endpoints +management.endpoints.web.exposure.include=* diff --git a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/application_good.properties b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/application_good.properties new file mode 100644 index 000000000000..1af2b7b0228a --- /dev/null +++ b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/application_good.properties @@ -0,0 +1,11 @@ +# safe configuration (Spring Boot 1.0 - 1.4) +management.security.enabled=true + +# safe configuration (Spring Boot 1.5+) +management.security.enabled=true + +# safe configuration (Spring Boot 2.x): exposes health and info only by default +management.endpoints.web.exposure.include=health,info + +# safe configuration (Spring Boot 3.x): exposes health only by default +management.endpoints.web.exposure.include=health diff --git a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/pom_bad.xml b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/pom_bad.xml deleted file mode 100644 index 6bca2829ac43..000000000000 --- a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/pom_bad.xml +++ /dev/null 
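Review bot: both sample files repeat keys, and a `.properties` file has last-value-wins semantics, so read as a single file `application_good.properties` effectively ends with `management.endpoints.web.exposure.include=health` (the 2.x `health,info` line is overridden) and `application_bad.properties` sets `management.endpoints.web.exposure.include=*` twice. Since each file is rendered as one example, either split them per version or add a header comment saying the entries are alternatives for different Boot versions, not one configuration. The 1.0-1.4 entry in the bad file is a comment with no property, which is correct (exposure is the default there) but should say so explicitly, for example "no property needed: endpoints are exposed by default".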
@@ -1,50 +0,0 @@ - - - 4.0.0 - - spring-boot-actuator-app - spring-boot-actuator-app - 1.0-SNAPSHOT - - - UTF-8 - 1.8 - 1.8 - - - - org.springframework.boot - spring-boot-starter-parent - 2.3.8.RELEASE - - - - - - org.springframework.boot - spring-boot-starter-web - - - org.springframework.boot - spring-boot-starter-actuator - - - org.springframework.boot - spring-boot-devtools - - - - - - - org.springframework.boot - spring-boot-test - - - - diff --git a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/pom_good.xml b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/pom_good.xml index 03bc257f5bda..32fad44591e5 100644 --- a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/pom_good.xml +++ b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/pom_good.xml @@ -1,50 +1,12 @@ - - - 4.0.0 - - spring-boot-actuator-app - spring-boot-actuator-app - 1.0-SNAPSHOT - - - UTF-8 - 1.8 - 1.8 - - - - org.springframework.boot - spring-boot-starter-parent - 2.3.8.RELEASE - - - - - - org.springframework.boot - spring-boot-starter-web - +... org.springframework.boot spring-boot-starter-actuator - - org.springframework.boot - spring-boot-devtools - org.springframework.boot spring-boot-starter-security - - - org.springframework.boot - spring-boot-test - - - - +... From ea35fbbe3b0183ca22e94f5a7b4c0d96513c9cd4 Mon Sep 17 00:00:00 2001 
From: Jami Cogswell Date: Thu, 17 Jul 2025 11:21:17 -0400 Subject: [PATCH 13/21] Java: support version 3.x --- .../SpringBootActuatorsConfigQuery.qll | 4 +- .../InsecureSpringActuatorConfig.expected | 9 ++-- .../bad/default/application.properties | 0 .../bad/default/pom.xml | 0 .../bad/false/application.properties | 0 .../bad/false/pom.xml | 0 .../good/application.properties | 0 .../good/pom.xml | 0 .../bad/application.properties | 0 .../{Version1.5 => Version1.5.x}/bad/pom.xml | 0 .../good/application.properties | 0 .../{Version1.5 => Version1.5.x}/good/pom.xml | 0 .../Version2+/application.properties | 14 ------ .../Version2+/bad/application.properties | 7 --- .../Version2+/good/application.properties | 2 - .../Version2.x/bad/application.properties | 2 + .../{Version2+ => Version2.x}/bad/pom.xml | 0 .../Version2.x/good/application.properties | 2 + .../{Version2+ => Version2.x}/good/pom.xml | 0 .../Version3.x/bad/application.properties | 2 + .../Version3.x/bad/pom.xml | 47 +++++++++++++++++++ .../Version3.x/good/application.properties | 2 + .../Version3.x/good/pom.xml | 47 +++++++++++++++++++ 23 files changed, 109 insertions(+), 29 deletions(-) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/{Version1.4- => Version1.0.x-1.4.x}/bad/default/application.properties (100%) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/{Version1.4- => Version1.0.x-1.4.x}/bad/default/pom.xml (100%) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/{Version1.4- => Version1.0.x-1.4.x}/bad/false/application.properties (100%) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/{Version1.4- => Version1.0.x-1.4.x}/bad/false/pom.xml (100%) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/{Version1.4- => Version1.0.x-1.4.x}/good/application.properties (100%) rename 
java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/{Version1.4- => Version1.0.x-1.4.x}/good/pom.xml (100%) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/{Version1.5 => Version1.5.x}/bad/application.properties (100%) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/{Version1.5 => Version1.5.x}/bad/pom.xml (100%) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/{Version1.5 => Version1.5.x}/good/application.properties (100%) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/{Version1.5 => Version1.5.x}/good/pom.xml (100%) delete mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/application.properties delete mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/bad/application.properties delete mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/good/application.properties create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2.x/bad/application.properties rename java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/{Version2+ => Version2.x}/bad/pom.xml (100%) create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2.x/good/application.properties rename java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/{Version2+ => Version2.x}/good/pom.xml (100%) create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version3.x/bad/application.properties create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version3.x/bad/pom.xml create mode 100644 
java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version3.x/good/application.properties create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version3.x/good/pom.xml diff --git a/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll b/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll index f8ff20f9978a..be78380ad3c5 100644 --- a/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll +++ b/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll @@ -110,7 +110,7 @@ predicate hasConfidentialEndPointExposed(SpringBootPom pom, ApplicationPropertie me.hasSecurityDisabled() and me.getFile() = apFile and me = apOption.asSome() ) or - springBootVersion.matches("2.%") and //version 2.x + springBootVersion.matches(["2.%", "3.%"]) and //version 2.x and 3.x exists(ManagementEndPointInclude mi | mi.getFile() = apFile and mi = apOption.asSome() and @@ -121,7 +121,7 @@ predicate hasConfidentialEndPointExposed(SpringBootPom pom, ApplicationPropertie .matches([ "%dump%", "%trace%", "%logfile%", "%shutdown%", "%startup%", "%mappings%", "%env%", "%beans%", "%sessions%" - ]) // confidential endpoints to check although all endpoints apart from '/health' and '/info' are considered sensitive by Spring + ]) // confidential endpoints to check although all endpoints apart from '/health' are considered sensitive by Spring ) ) ) diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.expected b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.expected index 70a6068ab3f1..5b29b16b1bea 100644 --- a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.expected 
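Review bot: the updated comment "all endpoints apart from '/health' are considered sensitive by Spring" is only accurate for 3.x; on 2.x both `health` and `info` are exposed over the web by default, which the `Version2.x/good/application.properties` added in this same patch relies on. Make the comment per-version (2.x: `health`, `info`; 3.x: `health` only). `matches(["2.%", "3.%"])` is fine for the version formats in the tests, including the un-suffixed `3.3.5`, but the substring list it guards (`"%env%"`, `"%trace%"`, ...) is unchanged, so a 3.x name such as `sbom` or `heapdump` is only caught through `*` or the `dump` substring; worth stating that the list is illustrative and that `*` is the primary signal.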
+++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.expected 
@@ -1,4 +1,5 @@ -| Version1.4-/bad/default/pom.xml:29:9:32:22 | dependency | Insecure $@ of Spring Boot Actuator exposes sensitive endpoints (1.2.6.RELEASE). | file://:0:0:0:0 | (none) | configuration | -| Version1.4-/bad/false/pom.xml:29:9:32:22 | dependency | Insecure $@ of Spring Boot Actuator exposes sensitive endpoints (1.2.6.RELEASE). | Version1.4-/bad/false/application.properties:2:1:2:33 | management.security.enabled=false | configuration | -| Version1.5/bad/pom.xml:29:9:32:22 | dependency | Insecure $@ of Spring Boot Actuator exposes sensitive endpoints (1.5.6.RELEASE). | Version1.5/bad/application.properties:2:1:2:33 | management.security.enabled=false | configuration | -| Version2+/bad/pom.xml:29:9:32:22 | dependency | Insecure $@ of Spring Boot Actuator exposes sensitive endpoints (2.2.6.RELEASE). | Version2+/bad/application.properties:2:1:2:43 | management.endpoints.web.exposure.include=* | configuration | +| Version1.0.x-1.4.x/bad/default/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints (1.2.6.RELEASE). | file://:0:0:0:0 | (none) | configuration | +| Version1.0.x-1.4.x/bad/false/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints (1.2.6.RELEASE). | Version1.0.x-1.4.x/bad/false/application.properties:2:1:2:33 | management.security.enabled=false | configuration | +| Version1.5.x/bad/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints (1.5.6.RELEASE). | Version1.5.x/bad/application.properties:2:1:2:33 | management.security.enabled=false | configuration | +| Version2.x/bad/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints (2.2.6.RELEASE). | Version2.x/bad/application.properties:2:1:2:43 | management.endpoints.web.exposure.include=* | configuration | +| Version3.x/bad/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints (3.3.5). 
| Version3.x/bad/application.properties:2:1:2:43 | management.endpoints.web.exposure.include=* | configuration | diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/default/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/bad/default/application.properties similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/default/application.properties rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/bad/default/application.properties diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/default/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/bad/default/pom.xml similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/default/pom.xml rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/bad/default/pom.xml diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/false/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/bad/false/application.properties similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/false/application.properties rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/bad/false/application.properties 
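Review bot: the expected rows now read "Insecure Spring Boot actuator $@ exposes sensitive endpoints (...)", but the query as last changed in this series (PATCH 11) selects "Insecure $@ of Spring Boot Actuator exposes sensitive endpoints (...)", and this patch's file list contains no `InsecureSpringActuatorConfig.ql` change. Either the `.ql` hunk is missing from the patch or this `.expected` will not match; please add the query change here (or note the commit that carries it). The `Version1.0.x-1.4.x/bad/default` row still shows `file://:0:0:0:0 | (none)` as the related location, which is the `TNone` location gap from the earlier commit and should be resolved before the expected output is frozen.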
diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/false/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/bad/false/pom.xml similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/false/pom.xml rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/bad/false/pom.xml diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/good/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/good/application.properties similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/good/application.properties rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/good/application.properties diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/good/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/good/pom.xml similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/good/pom.xml rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/good/pom.xml 
diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/bad/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5.x/bad/application.properties similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/bad/application.properties rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5.x/bad/application.properties diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/bad/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5.x/bad/pom.xml similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/bad/pom.xml rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5.x/bad/pom.xml diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/good/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5.x/good/application.properties similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/good/application.properties rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5.x/good/application.properties 
diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/good/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5.x/good/pom.xml similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/good/pom.xml rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5.x/good/pom.xml diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/application.properties deleted file mode 100644 index 797906a3ca3b..000000000000 --- a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/application.properties +++ /dev/null @@ -1,14 +0,0 @@ -#management.endpoints.web.base-path=/admin - -# vulnerable configuration (spring boot 1.0 - 1.4): exposes actuators by default - -# vulnerable configuration (spring boot 1.5+): requires value false to expose sensitive actuators -management.security.enabled=false - -# vulnerable configuration (spring boot 2+): exposes health and info only by default, here overridden to expose everything -management.endpoints.web.exposure.include=* -management.endpoints.web.exposure.exclude=beans - -management.endpoint.shutdown.enabled=true - -management.endpoint.health.show-details=when_authorized \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/bad/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/bad/application.properties deleted file mode 100644 index a2e73d7022c8..000000000000 
--- a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/bad/application.properties +++ /dev/null @@ -1,7 +0,0 @@ -# vulnerable configuration (spring boot 2+): exposes health and info only by default, here overridden to expose everything -management.endpoints.web.exposure.include=* -management.endpoints.web.exposure.exclude=beans - -management.endpoint.shutdown.enabled=true - -management.endpoint.health.show-details=when_authorized \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/good/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/good/application.properties deleted file mode 100644 index c14bf64b13b6..000000000000 --- a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/good/application.properties +++ /dev/null @@ -1,2 +0,0 @@ -# safe configuration (spring boot 2+): exposes health and info only by default, here overridden to expose one additional endpoint which we assume is intentional and safe. -management.endpoints.web.exposure.include=beans,info,health \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2.x/bad/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2.x/bad/application.properties new file mode 100644 index 000000000000..bbc1915b05e1 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2.x/bad/application.properties @@ -0,0 +1,2 @@ +# vulnerable configuration (spring boot 2+): exposes health and info only by default, here overridden to expose everything +management.endpoints.web.exposure.include=* \ No newline at end of file 
diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/bad/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2.x/bad/pom.xml similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/bad/pom.xml rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2.x/bad/pom.xml diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2.x/good/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2.x/good/application.properties new file mode 100644 index 000000000000..f7e0c1b43ac3 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2.x/good/application.properties @@ -0,0 +1,2 @@ +# safe configuration (spring boot 2+): exposes health and info only by default +management.endpoints.web.exposure.include=info,health \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/good/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2.x/good/pom.xml similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/good/pom.xml rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2.x/good/pom.xml diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version3.x/bad/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version3.x/bad/application.properties new file mode 100644 index 000000000000..c5570065bae5 --- /dev/null 
+++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version3.x/bad/application.properties @@ -0,0 +1,2 @@ +# vulnerable configuration (spring boot 3+): exposes health only by default, here overridden to expose everything +management.endpoints.web.exposure.include=* \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version3.x/bad/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version3.x/bad/pom.xml new file mode 100644 index 000000000000..12dab1d9421a --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version3.x/bad/pom.xml @@ -0,0 +1,47 @@ + + + 4.0.0 + + spring-boot-actuator-app + spring-boot-actuator-app + 1.0-SNAPSHOT + + + UTF-8 + 1.8 + 1.8 + + + + org.springframework.boot + spring-boot-starter-parent + 3.3.5 + + + + + + org.springframework.boot + spring-boot-starter-web + + + org.springframework.boot + spring-boot-starter-actuator + + + org.springframework.boot + spring-boot-devtools + + + + org.springframework.boot + spring-boot-test + + + + \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version3.x/good/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version3.x/good/application.properties new file mode 100644 index 000000000000..8ba56eadc351 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version3.x/good/application.properties @@ -0,0 +1,2 @@ +# safe configuration (spring boot 3+): exposes health only by default. +management.endpoints.web.exposure.include=health \ No newline at end of file 
diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version3.x/good/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version3.x/good/pom.xml new file mode 100644 index 000000000000..a8103e681e4c --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version3.x/good/pom.xml @@ -0,0 +1,47 @@ + + + 4.0.0 + + spring-boot-actuator-app + spring-boot-actuator-app + 1.0-SNAPSHOT + + + UTF-8 + 1.8 + 1.8 + + + + org.springframework.boot + spring-boot-starter-parent + 3.3.5 + + + + + + org.springframework.boot + spring-boot-starter-web + + + org.springframework.boot + spring-boot-starter-actuator + + + org.springframework.boot + spring-boot-devtools + + + org.springframework.boot + spring-boot-starter-security + + + org.springframework.boot + spring-boot-test + + + + \ No newline at end of file From 7d5e939a8604db18981a694d5a27369807474adc Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Thu, 17 Jul 2025 16:57:53 -0400 Subject: [PATCH 14/21] Java: minor refactoring --- .../semmle/code/configfiles/ConfigFiles.qll | 7 +- .../SpringBootActuatorsConfigQuery.qll | 86 +++++++++---------- .../InsecureSpringActuatorConfig.ql | 10 +-- 3 files changed, 51 insertions(+), 52 deletions(-) diff --git a/java/ql/lib/semmle/code/configfiles/ConfigFiles.qll b/java/ql/lib/semmle/code/configfiles/ConfigFiles.qll index 0c69f45c56fa..1655ed2d6484 100644 --- a/java/ql/lib/semmle/code/configfiles/ConfigFiles.qll +++ b/java/ql/lib/semmle/code/configfiles/ConfigFiles.qll 
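Review bot: the new Version3.x bad and good pom.xml fixtures declare spring-boot-starter-parent 3.3.5 next to two `1.8` compiler property values; Spring Boot 3.x requires Java 17 or later, so a real 3.3.5 project would not build with these settings. CodeQL only reads the XML, so the test still passes, but the fixture should use `17` so that it matches the configuration the query claims to detect. The Version3.x/good fixture also passes for two independent reasons, `spring-boot-starter-security` in the pom and `include=health` in application.properties, so neither the `isSpringBootSecurityUsed` exclusion nor the 3.x include check is pinned down on its own; split it into two good cases. Finally, the deleted Version2+/application.properties carried `management.endpoints.web.exposure.exclude=beans` and `management.endpoint.shutdown.enabled=true` alongside `include=*`, while the replacement Version2.x/bad and Version3.x/bad files keep only `include=*`, so there is no longer any test for a wildcard include narrowed by `exclude`; keep one such fixture so the query's current behaviour (it never reads `exclude`, so it still alerts) is covered by an `.expected` row.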
@@ -70,7 +70,12 @@ class ConfigValue extends @configValue, ConfigLocatable { override string toString() { result = this.getValue() } } +/** A `.properties` file. */ +class PropertiesFile extends File { + PropertiesFile() { this.getExtension() = "properties" } +} + /** A Java property is a name-value pair in a `.properties` file. */ class JavaProperty extends ConfigPair { - JavaProperty() { this.getFile().getExtension() = "properties" } + JavaProperty() { this.getFile() instanceof PropertiesFile } } diff --git a/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll b/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll index be78380ad3c5..d6c889166c14 100644 --- a/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll +++ b/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll 
@@ -7,41 +7,33 @@ private import semmle.code.configfiles.ConfigFiles private import semmle.code.xml.MavenPom /** The parent node of the `org.springframework.boot` group. */ -class SpringBootParent extends Parent { +private class SpringBootParent extends Parent { SpringBootParent() { this.getGroup().getValue() = "org.springframework.boot" } } -/** Class of Spring Boot dependencies. */ +// TODO: private once done with version string debugging in alert msg. +/** A `Pom` with a Spring Boot parent node. */ class SpringBootPom extends Pom { SpringBootPom() { this.getParentElement() instanceof SpringBootParent } - /** Holds if the Spring Boot Actuator module `spring-boot-starter-actuator` is used in the project. */ - predicate isSpringBootActuatorUsed() { - this.getADependency().getArtifact().getValue() = "spring-boot-starter-actuator" - } - - /** - * Holds if the Spring Boot Security module is used in the project, which brings in other security - * related libraries. - */ + /** Holds if the Spring Boot Security module is used in the project. */ predicate isSpringBootSecurityUsed() { this.getADependency().getArtifact().getValue() = "spring-boot-starter-security" } } -/** The properties file `application.properties`. */ -class ApplicationPropertiesFile extends File { - ApplicationPropertiesFile() { this.getBaseName() = "application.properties" } -} - -/** A name-value pair stored in an `application.properties` file. */ -class ApplicationPropertiesConfigPair extends ConfigPair { - ApplicationPropertiesConfigPair() { this.getFile() instanceof ApplicationPropertiesFile } +/** A dependency with artifactId `spring-boot-starter-actuator`. */ +class SpringBootStarterActuatorDependency extends Dependency { + SpringBootStarterActuatorDependency() { + this.getArtifact().getValue() = "spring-boot-starter-actuator" + } } -/** The configuration property `management.security.enabled`. 
*/ -class ManagementSecurityConfig extends ApplicationPropertiesConfigPair { - ManagementSecurityConfig() { this.getNameElement().getName() = "management.security.enabled" } +/** The Spring Boot configuration property `management.security.enabled`. */ +private class ManagementSecurityEnabledProperty extends JavaProperty { + ManagementSecurityEnabledProperty() { + this.getNameElement().getName() = "management.security.enabled" + } /** Gets the whitespace-trimmed value of this property. */ string getValue() { result = this.getValueElement().getValue().trim() } @@ -50,9 +42,9 @@ class ManagementSecurityConfig extends ApplicationPropertiesConfigPair { predicate hasSecurityDisabled() { this.getValue() = "false" } } -/** The configuration property `management.endpoints.web.exposure.include`. */ -class ManagementEndPointInclude extends ApplicationPropertiesConfigPair { - ManagementEndPointInclude() { +/** The Spring Boot configuration property `management.endpoints.web.exposure.include`. */ +private class ManagementEndpointsIncludeProperty extends JavaProperty { + ManagementEndpointsIncludeProperty() { this.getNameElement().getName() = "management.endpoints.web.exposure.include" } @@ -62,13 +54,13 @@ class ManagementEndPointInclude extends ApplicationPropertiesConfigPair { private newtype TOption = TNone() or - TSome(ApplicationPropertiesConfigPair ap) + TSome(JavaProperty jp) /** * An option type that is either a singleton `None` or a `Some` wrapping - * the `ApplicationPropertiesConfigPair` type. + * the `JavaProperty` type. */ -class ApplicationPropertiesOption extends TOption { +class JavaPropertyOption extends TOption { /** Gets a textual representation of this element. */ string toString() { this = TNone() and result = "(none)" 
@@ -80,21 +72,23 @@ class ApplicationPropertiesOption extends TOption { Location getLocation() { result = this.asSome().getLocation() } /** Gets the wrapped element, if any. */ - ApplicationPropertiesConfigPair asSome() { this = TSome(result) } + JavaProperty asSome() { this = TSome(result) } /** Holds if this option is the singleton `None`. */ predicate isNone() { this = TNone() } } /** - * Holds if `ApplicationProperties` ap of a repository managed by `SpringBootPom` pom - * has a vulnerable configuration of Spring Boot Actuator management endpoints. + * Holds if `JavaPropertyOption` jpOption of a repository using `SpringBootStarterActuatorDependency` + * d exposes sensitive Spring Boot Actuator endpoints. */ -predicate hasConfidentialEndPointExposed(SpringBootPom pom, ApplicationPropertiesOption apOption) { - pom.isSpringBootActuatorUsed() and - not pom.isSpringBootSecurityUsed() and - exists(ApplicationPropertiesFile apFile | - apFile +predicate exposesSensitiveEndpoint( + SpringBootStarterActuatorDependency d, JavaPropertyOption jpOption +) { + exists(PropertiesFile propFile, SpringBootPom pom | + d = pom.getADependency() and + not pom.isSpringBootSecurityUsed() and + propFile .getParentContainer() .getAbsolutePath() .matches(pom.getFile().getParentContainer().getAbsolutePath() + "%") and // in the same sub-directory 
@@ -102,26 +96,26 @@ predicate hasConfidentialEndPointExposed(SpringBootPom pom, ApplicationPropertie springBootVersion = pom.getParentElement().getVersionString() | springBootVersion.regexpMatch("1\\.[0-4].*") and // version 1.0, 1.1, ..., 1.4 - not exists(ManagementSecurityConfig me | me.getFile() = apFile) and - apOption.isNone() + not exists(ManagementSecurityEnabledProperty ep | ep.getFile() = propFile) and + jpOption.isNone() or springBootVersion.regexpMatch("1\\.[0-5].*") and // version 1.0, 1.1, ..., 1.5 - exists(ManagementSecurityConfig me | - me.hasSecurityDisabled() and me.getFile() = apFile and me = apOption.asSome() + exists(ManagementSecurityEnabledProperty ep | + ep.hasSecurityDisabled() and ep.getFile() = propFile and ep = jpOption.asSome() ) or springBootVersion.matches(["2.%", "3.%"]) and //version 2.x and 3.x - exists(ManagementEndPointInclude mi | - mi.getFile() = apFile and - mi = apOption.asSome() and + exists(ManagementEndpointsIncludeProperty ip | + ip.getFile() = propFile and + ip = jpOption.asSome() and ( - mi.getValue() = "*" // all endpoints are enabled + ip.getValue() = "*" // all endpoints are exposed or - mi.getValue() + ip.getValue() .matches([ "%dump%", "%trace%", "%logfile%", "%shutdown%", "%startup%", "%mappings%", "%env%", "%beans%", "%sessions%" - ]) // confidential endpoints to check although all endpoints apart from '/health' are considered sensitive by Spring + ]) // sensitive endpoints to check although all endpoints apart from '/health' are considered sensitive by Spring ) ) ) diff --git a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql index 2437a77953df..989646c10afd 100644 --- a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql +++ b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql 
@@ -15,11 +15,11 @@ import java import semmle.code.xml.MavenPom import semmle.code.java.security.SpringBootActuatorsConfigQuery -from SpringBootPom pom, Dependency d, ApplicationPropertiesOption apOption +from SpringBootStarterActuatorDependency d, JavaPropertyOption jpOption, SpringBootPom pom where - hasConfidentialEndPointExposed(pom, apOption) and - d = pom.getADependency() and - d.getArtifact().getValue() = "spring-boot-starter-actuator" + exposesSensitiveEndpoint(d, jpOption) and + // TODO: remove pom; for debugging versions + d = pom.getADependency() select d, "Insecure $@ of Spring Boot Actuator exposes sensitive endpoints (" + - pom.getParentElement().getVersionString() + ").", apOption, "configuration" + pom.getParentElement().getVersionString() + ").", jpOption, "configuration" From ea529b047b0223d025b0009fb95c944196a71da8 Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Thu, 17 Jul 2025 18:12:45 -0400 Subject: [PATCH 15/21] Java: adjust metadata and alert msg --- .../InsecureSpringActuatorConfig.ql | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql index 989646c10afd..5fb86c42b807 100644 --- a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql +++ b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql 
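Review bot: the directory-containment test in `exposesSensitiveEndpoint` uses `matches(pom.getFile().getParentContainer().getAbsolutePath() + "%")`, a bare prefix match, so a properties file under `/repo/app-legacy/` is attributed to `/repo/app/pom.xml`, and any `%` or `_` in the pom's path acts as a wildcard; compare for equality or match on the prefix plus `"/%"` instead. Replacing `ApplicationPropertiesConfigPair` with `JavaProperty` also widens the query from `application.properties` to every `.properties` file in the subtree, so `management.security.enabled=false` in a profile-specific or unrelated properties file now alerts; if that is intended, the qhelp should say so, otherwise restrict `PropertiesFile` by base name as the old `ApplicationPropertiesFile` did. The `// TODO: private once done with version string debugging in alert msg.` and `// TODO: remove pom; for debugging versions` comments should be resolved before the query leaves experimental: `SpringBootPom` and the extra `pom` binding in the `.ql` exist only to print `getVersionString()` in the alert, and the `.expected` rows now encode that debug text.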
@@ -1,14 +1,14 @@ /** - * @name Insecure Spring Boot Actuator Configuration - * @description Exposed Spring Boot Actuator through configuration files without declarative or procedural - * security enforcement leads to information leak or even remote code execution. + * @name Exposed Spring Boot actuators in configuration file + * @description Exposing Spring Boot actuators through configuration files may lead to information leak from + * the internal application, or even to remote code execution. * @kind problem * @problem.severity error + * @security-severity 6.5 * @precision high - * @id java/insecure-spring-actuator-config + * @id java/spring-boot-exposed-actuators-config * @tags security - * experimental - * external/cwe/cwe-016 + * external/cwe/cwe-200 */ import java @@ -21,5 +21,5 @@ where // TODO: remove pom; for debugging versions d = pom.getADependency() select d, - "Insecure $@ of Spring Boot Actuator exposes sensitive endpoints (" + + "Insecure Spring Boot actuator $@ exposes sensitive endpoints (" + pom.getParentElement().getVersionString() + ").", jpOption, "configuration" From 70d51504a7372e265c0a4b500e4030590d27a8f3 Mon Sep 17 00:00:00 2001 
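Review bot: the new `@id java/spring-boot-exposed-actuators-config` and `external/cwe/cwe-200` tag line up with the existing `java/spring-boot-exposed-actuators` query, but `@precision high` is asserted while the predicate accepts any `.properties` file in the subtree and matches include values by substring (`%env%`, `%beans%`, ...), so `include=envoy-metrics` would alert; either split the value on commas and compare whole endpoint names, or lower the precision until results on a larger corpus justify it. The message still interpolates `pom.getParentElement().getVersionString()`, which the TODO in the same file marks as debugging output; settle the final wording in this patch, since every `.expected` row changes again when it is removed.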
From: Jami Cogswell Date: Thu, 17 Jul 2025 18:20:14 -0400 Subject: [PATCH 16/21] Java: rename to align with 'java/spring-boot-exposed-actuators' query --- .../query-suite/java-code-scanning.qls.expected | 2 +- .../java-security-and-quality.qls.expected | 2 +- .../query-suite/java-security-extended.qls.expected | 2 +- .../SpringBootActuatorsConfig.qhelp} | 0 .../SpringBootActuatorsConfig.ql} | 0 .../application_bad.properties | 0 .../application_good.properties | 0 .../pom_good.xml | 0 .../InsecureSpringActuatorConfig.qlref | 2 -- .../InsecureSpringActuatorConfig/SensitiveInfo.java | 13 ------------- .../SpringBootActuatorsConfig.expected} | 0 .../SpringBootActuatorsConfig.qlref | 2 ++ .../bad/default/application.properties | 0 .../Version1.0.x-1.4.x/bad/default/pom.xml | 0 .../bad/false/application.properties | 0 .../Version1.0.x-1.4.x/bad/false/pom.xml | 0 .../Version1.0.x-1.4.x/good/application.properties | 0 .../Version1.0.x-1.4.x/good/pom.xml | 0 .../Version1.5.x/bad/application.properties | 0 .../Version1.5.x/bad/pom.xml | 0 .../Version1.5.x/good/application.properties | 0 .../Version1.5.x/good/pom.xml | 0 .../Version2.x/bad/application.properties | 0 .../Version2.x/bad/pom.xml | 0 .../Version2.x/good/application.properties | 0 .../Version2.x/good/pom.xml | 0 .../Version3.x/bad/application.properties | 0 .../Version3.x/bad/pom.xml | 0 .../Version3.x/good/application.properties | 0 .../Version3.x/good/pom.xml | 0 .../options | 0 31 files changed, 5 insertions(+), 18 deletions(-) rename java/ql/src/Security/CWE/CWE-200/{InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.qhelp => SpringBootActuatorsConfig/SpringBootActuatorsConfig.qhelp} (100%) rename java/ql/src/Security/CWE/CWE-200/{InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql => SpringBootActuatorsConfig/SpringBootActuatorsConfig.ql} (100%) rename java/ql/src/Security/CWE/CWE-200/{InsecureSpringActuatorConfig => SpringBootActuatorsConfig}/application_bad.properties (100%) rename 
java/ql/src/Security/CWE/CWE-200/{InsecureSpringActuatorConfig => SpringBootActuatorsConfig}/application_good.properties (100%) rename java/ql/src/Security/CWE/CWE-200/{InsecureSpringActuatorConfig => SpringBootActuatorsConfig}/pom_good.xml (100%) delete mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.qlref delete mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/SensitiveInfo.java rename java/ql/test/query-tests/security/CWE-200/semmle/tests/{InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.expected => SpringBootActuatorsConfig/SpringBootActuatorsConfig.expected} (100%) create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/SpringBootActuatorsConfig.qlref rename java/ql/test/query-tests/security/CWE-200/semmle/tests/{InsecureSpringActuatorConfig => SpringBootActuatorsConfig}/Version1.0.x-1.4.x/bad/default/application.properties (100%) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/{InsecureSpringActuatorConfig => SpringBootActuatorsConfig}/Version1.0.x-1.4.x/bad/default/pom.xml (100%) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/{InsecureSpringActuatorConfig => SpringBootActuatorsConfig}/Version1.0.x-1.4.x/bad/false/application.properties (100%) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/{InsecureSpringActuatorConfig => SpringBootActuatorsConfig}/Version1.0.x-1.4.x/bad/false/pom.xml (100%) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/{InsecureSpringActuatorConfig => SpringBootActuatorsConfig}/Version1.0.x-1.4.x/good/application.properties (100%) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/{InsecureSpringActuatorConfig => SpringBootActuatorsConfig}/Version1.0.x-1.4.x/good/pom.xml (100%) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/{InsecureSpringActuatorConfig => 
SpringBootActuatorsConfig}/Version1.5.x/bad/application.properties (100%) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/{InsecureSpringActuatorConfig => SpringBootActuatorsConfig}/Version1.5.x/bad/pom.xml (100%) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/{InsecureSpringActuatorConfig => SpringBootActuatorsConfig}/Version1.5.x/good/application.properties (100%) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/{InsecureSpringActuatorConfig => SpringBootActuatorsConfig}/Version1.5.x/good/pom.xml (100%) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/{InsecureSpringActuatorConfig => SpringBootActuatorsConfig}/Version2.x/bad/application.properties (100%) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/{InsecureSpringActuatorConfig => SpringBootActuatorsConfig}/Version2.x/bad/pom.xml (100%) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/{InsecureSpringActuatorConfig => SpringBootActuatorsConfig}/Version2.x/good/application.properties (100%) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/{InsecureSpringActuatorConfig => SpringBootActuatorsConfig}/Version2.x/good/pom.xml (100%) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/{InsecureSpringActuatorConfig => SpringBootActuatorsConfig}/Version3.x/bad/application.properties (100%) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/{InsecureSpringActuatorConfig => SpringBootActuatorsConfig}/Version3.x/bad/pom.xml (100%) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/{InsecureSpringActuatorConfig => SpringBootActuatorsConfig}/Version3.x/good/application.properties (100%) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/{InsecureSpringActuatorConfig => SpringBootActuatorsConfig}/Version3.x/good/pom.xml (100%) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/{InsecureSpringActuatorConfig => SpringBootActuatorsConfig}/options (100%) 
diff --git a/java/ql/integration-tests/java/query-suite/java-code-scanning.qls.expected b/java/ql/integration-tests/java/query-suite/java-code-scanning.qls.expected index 90b5b7ca491b..afa6cebba311 100644 --- a/java/ql/integration-tests/java/query-suite/java-code-scanning.qls.expected +++ b/java/ql/integration-tests/java/query-suite/java-code-scanning.qls.expected @@ -26,8 +26,8 @@ ql/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql ql/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql ql/java/ql/src/Security/CWE/CWE-1204/StaticInitializationVector.ql ql/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatString.ql -ql/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql ql/java/ql/src/Security/CWE/CWE-200/SpringBootActuators.ql +ql/java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/SpringBootActuatorsConfig.ql ql/java/ql/src/Security/CWE/CWE-209/SensitiveDataExposureThroughErrorMessage.ql ql/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql ql/java/ql/src/Security/CWE/CWE-266/IntentUriPermissionManipulation.ql diff --git a/java/ql/integration-tests/java/query-suite/java-security-and-quality.qls.expected b/java/ql/integration-tests/java/query-suite/java-security-and-quality.qls.expected index b203ea23a629..f5470c463c30 100644 --- a/java/ql/integration-tests/java/query-suite/java-security-and-quality.qls.expected +++ b/java/ql/integration-tests/java/query-suite/java-security-and-quality.qls.expected 
@@ -142,8 +142,8 @@ ql/java/ql/src/Security/CWE/CWE-200/AndroidSensitiveNotifications.ql ql/java/ql/src/Security/CWE/CWE-200/AndroidSensitiveTextField.ql ql/java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsAllowsContentAccess.ql ql/java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsFileAccess.ql -ql/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql ql/java/ql/src/Security/CWE/CWE-200/SpringBootActuators.ql +ql/java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/SpringBootActuatorsConfig.ql ql/java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosure.ql ql/java/ql/src/Security/CWE/CWE-209/SensitiveDataExposureThroughErrorMessage.ql ql/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql diff --git a/java/ql/integration-tests/java/query-suite/java-security-extended.qls.expected b/java/ql/integration-tests/java/query-suite/java-security-extended.qls.expected index c7dac907a962..a3ebc029d287 100644 --- a/java/ql/integration-tests/java/query-suite/java-security-extended.qls.expected +++ b/java/ql/integration-tests/java/query-suite/java-security-extended.qls.expected @@ -45,8 +45,8 @@ ql/java/ql/src/Security/CWE/CWE-200/AndroidSensitiveNotifications.ql ql/java/ql/src/Security/CWE/CWE-200/AndroidSensitiveTextField.ql ql/java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsAllowsContentAccess.ql ql/java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsFileAccess.ql -ql/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql ql/java/ql/src/Security/CWE/CWE-200/SpringBootActuators.ql +ql/java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/SpringBootActuatorsConfig.ql ql/java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosure.ql ql/java/ql/src/Security/CWE/CWE-209/SensitiveDataExposureThroughErrorMessage.ql ql/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql 
diff --git a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.qhelp b/java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/SpringBootActuatorsConfig.qhelp similarity index 100% rename from java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.qhelp rename to java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/SpringBootActuatorsConfig.qhelp diff --git a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql b/java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/SpringBootActuatorsConfig.ql similarity index 100% rename from java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql rename to java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/SpringBootActuatorsConfig.ql diff --git a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/application_bad.properties b/java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/application_bad.properties similarity index 100% rename from java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/application_bad.properties rename to java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/application_bad.properties diff --git a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/application_good.properties b/java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/application_good.properties similarity index 100% rename from java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/application_good.properties rename to java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/application_good.properties 
diff --git a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/pom_good.xml b/java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/pom_good.xml similarity index 100% rename from java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/pom_good.xml rename to java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/pom_good.xml diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.qlref b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.qlref deleted file mode 100644 index b826de8eed31..000000000000 --- a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.qlref +++ /dev/null @@ -1,2 +0,0 @@ -query: Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql -postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/SensitiveInfo.java b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/SensitiveInfo.java deleted file mode 100644 index a3ff69c1b817..000000000000 --- a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/SensitiveInfo.java +++ /dev/null @@ -1,13 +0,0 @@ -import org.springframework.stereotype.Controller; -import org.springframework.web.bind.annotation.RequestParam; -import org.springframework.web.bind.annotation.RequestMapping; - -@Controller -public class SensitiveInfo { - @RequestMapping - public void handleLogin(@RequestParam String username, @RequestParam String password) throws Exception { - if (!username.equals("") && password.equals("")) { - //Blank processing - } - } -} \ No newline at end of file 
diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.expected b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/SpringBootActuatorsConfig.expected similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.expected rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/SpringBootActuatorsConfig.expected diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/SpringBootActuatorsConfig.qlref b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/SpringBootActuatorsConfig.qlref new file mode 100644 index 000000000000..eec8ba18ae18 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/SpringBootActuatorsConfig.qlref @@ -0,0 +1,2 @@ +query: Security/CWE/CWE-200/SpringBootActuatorsConfig/SpringBootActuatorsConfig.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/bad/default/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.0.x-1.4.x/bad/default/application.properties similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/bad/default/application.properties rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.0.x-1.4.x/bad/default/application.properties 
diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/bad/default/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.0.x-1.4.x/bad/default/pom.xml similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/bad/default/pom.xml rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.0.x-1.4.x/bad/default/pom.xml diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/bad/false/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.0.x-1.4.x/bad/false/application.properties similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/bad/false/application.properties rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.0.x-1.4.x/bad/false/application.properties diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/bad/false/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.0.x-1.4.x/bad/false/pom.xml similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/bad/false/pom.xml rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.0.x-1.4.x/bad/false/pom.xml 
diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/good/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.0.x-1.4.x/good/application.properties similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/good/application.properties rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.0.x-1.4.x/good/application.properties diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/good/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.0.x-1.4.x/good/pom.xml similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/good/pom.xml rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.0.x-1.4.x/good/pom.xml diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5.x/bad/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.5.x/bad/application.properties similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5.x/bad/application.properties rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.5.x/bad/application.properties 
diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5.x/bad/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.5.x/bad/pom.xml similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5.x/bad/pom.xml rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.5.x/bad/pom.xml diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5.x/good/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.5.x/good/application.properties similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5.x/good/application.properties rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.5.x/good/application.properties diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5.x/good/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.5.x/good/pom.xml similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5.x/good/pom.xml rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.5.x/good/pom.xml 
diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2.x/bad/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/application.properties similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2.x/bad/application.properties rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/application.properties diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2.x/bad/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/pom.xml similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2.x/bad/pom.xml rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/pom.xml diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2.x/good/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/good/application.properties similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2.x/good/application.properties rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/good/application.properties 
diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2.x/good/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/good/pom.xml similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2.x/good/pom.xml rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/good/pom.xml diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version3.x/bad/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/bad/application.properties similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version3.x/bad/application.properties rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/bad/application.properties diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version3.x/bad/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/bad/pom.xml similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version3.x/bad/pom.xml rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/bad/pom.xml 
diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version3.x/good/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/good/application.properties similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version3.x/good/application.properties rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/good/application.properties diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version3.x/good/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/good/pom.xml similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version3.x/good/pom.xml rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/good/pom.xml diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/options b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/options similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/options rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/options From 8decc136c41155adfb10c266335e02a159777f99 Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Thu, 17 Jul 2025 18:37:53 -0400 Subject: [PATCH 17/21] Java: add change note --- .../change-notes/2025-07-17-spring-actuators-config-promo.md | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 java/ql/src/change-notes/2025-07-17-spring-actuators-config-promo.md 
diff --git a/java/ql/src/change-notes/2025-07-17-spring-actuators-config-promo.md b/java/ql/src/change-notes/2025-07-17-spring-actuators-config-promo.md new file mode 100644 index 000000000000..ec53c015fff0 --- /dev/null +++ b/java/ql/src/change-notes/2025-07-17-spring-actuators-config-promo.md @@ -0,0 +1,4 @@ +--- +category: newQuery +--- +* The query `java/insecure-spring-actuator-config` has been promoted from experimental to the main query pack as `java/spring-boot-exposed-actuators-config`. Its results will now appear by default. This query was originally submitted as an experimental query [by @luchua-bc](https://github.com/github/codeql/pull/5384). From 685f68d9d39f3942864eacd1daef6cd742e1eba8 Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Fri, 18 Jul 2025 09:50:49 -0400 Subject: [PATCH 18/21] Java: support 'management.endpoints.web.expose' property --- .../SpringBootActuatorsConfigQuery.qll | 21 +++++---- .../bad/expose/application.properties | 2 + .../Version2.x/bad/{ => expose}/pom.xml | 0 .../application.properties | 0 .../Version2.x/bad/exposure-include/pom.xml | 47 +++++++++++++++++++ 5 files changed, 61 insertions(+), 9 deletions(-) create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/expose/application.properties rename java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/{ => expose}/pom.xml (100%) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/{ => exposure-include}/application.properties (100%) create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/exposure-include/pom.xml diff --git a/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll b/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll index d6c889166c14..5f4ee6327759 100644 
--- a/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll +++ b/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll @@ -42,10 +42,13 @@ private class ManagementSecurityEnabledProperty extends JavaProperty { predicate hasSecurityDisabled() { this.getValue() = "false" } } -/** The Spring Boot configuration property `management.endpoints.web.exposure.include`. */ -private class ManagementEndpointsIncludeProperty extends JavaProperty { - ManagementEndpointsIncludeProperty() { - this.getNameElement().getName() = "management.endpoints.web.exposure.include" +/** + * The Spring Boot configuration property `management.endpoints.web.exposure.include` + * or `management.endpoints.web.expose`. + */ +private class ManagementEndpointsExposeProperty extends JavaProperty { + ManagementEndpointsExposeProperty() { + this.getNameElement().getName() = "management.endpoints.web." + ["exposure.include", "expose"] } /** Gets the whitespace-trimmed value of this property. */ @@ -105,13 +108,13 @@ predicate exposesSensitiveEndpoint( ) or springBootVersion.matches(["2.%", "3.%"]) and //version 2.x and 3.x - exists(ManagementEndpointsIncludeProperty ip | - ip.getFile() = propFile and - ip = jpOption.asSome() and + exists(ManagementEndpointsExposeProperty ep | + ep.getFile() = propFile and + ep = jpOption.asSome() and ( - ip.getValue() = "*" // all endpoints are exposed + ep.getValue() = "*" // all endpoints are exposed or - ip.getValue() + ep.getValue() .matches([ "%dump%", "%trace%", "%logfile%", "%shutdown%", "%startup%", "%mappings%", "%env%", "%beans%", "%sessions%" diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/expose/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/expose/application.properties new file mode 100644 index 000000000000..338b1fb3a9c1 --- /dev/null 
+++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/expose/application.properties @@ -0,0 +1,2 @@ +# vulnerable configuration (spring boot 2.0.0.RC1): exposes health and info only by default, here overridden to expose everything +management.endpoints.web.expose=* \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/expose/pom.xml similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/pom.xml rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/expose/pom.xml diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/exposure-include/application.properties similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/application.properties rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/exposure-include/application.properties diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/exposure-include/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/exposure-include/pom.xml new file mode 100644 index 000000000000..c22f08d7e7ec --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/exposure-include/pom.xml 
@@ -0,0 +1,47 @@ + + + 4.0.0 + + spring-boot-actuator-app + spring-boot-actuator-app + 1.0-SNAPSHOT + + + UTF-8 + 1.8 + 1.8 + + + + org.springframework.boot + spring-boot-starter-parent + 2.2.6.RELEASE + + + + + + org.springframework.boot + spring-boot-starter-web + + + org.springframework.boot + spring-boot-starter-actuator + + + org.springframework.boot + spring-boot-devtools + + + + org.springframework.boot + spring-boot-test + + + + \ No newline at end of file From 7250265c1f109ae9a80e695dc316b8ac3f39285f Mon Sep 17 00:00:00 2001 
From: Jami Cogswell Date: Fri, 18 Jul 2025 17:32:35 -0400 Subject: [PATCH 19/21] Java: consider all endpoints except for health and info as sensitive to align with Spring docs --- .../SpringBootActuatorsConfigQuery.qll | 15 +++--- .../SpringBootActuatorsConfig.expected | 7 ++- .../{ => all-exposed}/application.properties | 0 .../{ => all-exposed}/pom.xml | 0 .../some-exposed/application.properties | 2 + .../bad/exposure-include/some-exposed/pom.xml | 47 +++++++++++++++++++ .../{ => all-exposed}/application.properties | 0 .../Version3.x/bad/{ => all-exposed}/pom.xml | 0 .../bad/some-exposed/application.properties | 2 + .../Version3.x/bad/some-exposed/pom.xml | 47 +++++++++++++++++++ 10 files changed, 112 insertions(+), 8 deletions(-) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/exposure-include/{ => all-exposed}/application.properties (100%) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/exposure-include/{ => all-exposed}/pom.xml (100%) create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/exposure-include/some-exposed/application.properties create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/exposure-include/some-exposed/pom.xml rename java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/bad/{ => all-exposed}/application.properties (100%) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/bad/{ => all-exposed}/pom.xml (100%) create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/bad/some-exposed/application.properties create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/bad/some-exposed/pom.xml 
diff --git a/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll b/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll index 5f4ee6327759..19cb9c30ca97 100644 --- a/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll +++ b/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll @@ -112,13 +112,16 @@ predicate exposesSensitiveEndpoint( ep.getFile() = propFile and ep = jpOption.asSome() and ( - ep.getValue() = "*" // all endpoints are exposed + // all endpoints are exposed + ep.getValue() = "*" or - ep.getValue() - .matches([ - "%dump%", "%trace%", "%logfile%", "%shutdown%", "%startup%", "%mappings%", - "%env%", "%beans%", "%sessions%" - ]) // sensitive endpoints to check although all endpoints apart from '/health' are considered sensitive by Spring + // version 2.x: exposes health and info only by default + springBootVersion.matches("2.%") and + not ep.getValue() = ["health", "info"] + or + // version 3.x: exposes health only by default + springBootVersion.matches("3.%") and + not ep.getValue() = "health" ) ) ) diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/SpringBootActuatorsConfig.expected b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/SpringBootActuatorsConfig.expected index 5b29b16b1bea..345d001a1f58 100644 --- a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/SpringBootActuatorsConfig.expected +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/SpringBootActuatorsConfig.expected 
@@ -1,5 +1,8 @@ | Version1.0.x-1.4.x/bad/default/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints (1.2.6.RELEASE). | file://:0:0:0:0 | (none) | configuration | | Version1.0.x-1.4.x/bad/false/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints (1.2.6.RELEASE). | Version1.0.x-1.4.x/bad/false/application.properties:2:1:2:33 | management.security.enabled=false | configuration | | Version1.5.x/bad/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints (1.5.6.RELEASE). | Version1.5.x/bad/application.properties:2:1:2:33 | management.security.enabled=false | configuration | -| Version2.x/bad/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints (2.2.6.RELEASE). | Version2.x/bad/application.properties:2:1:2:43 | management.endpoints.web.exposure.include=* | configuration | -| Version3.x/bad/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints (3.3.5). | Version3.x/bad/application.properties:2:1:2:43 | management.endpoints.web.exposure.include=* | configuration | +| Version2.x/bad/expose/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints (2.2.6.RELEASE). | Version2.x/bad/expose/application.properties:2:1:2:33 | management.endpoints.web.expose=* | configuration | +| Version2.x/bad/exposure-include/all-exposed/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints (2.2.6.RELEASE). | Version2.x/bad/exposure-include/all-exposed/application.properties:2:1:2:43 | management.endpoints.web.exposure.include=* | configuration | +| Version2.x/bad/exposure-include/some-exposed/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints (2.2.6.RELEASE). 
| Version2.x/bad/exposure-include/some-exposed/application.properties:2:1:2:59 | management.endpoints.web.exposure.include=health,info,beans | configuration | +| Version3.x/bad/all-exposed/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints (3.3.5). | Version3.x/bad/all-exposed/application.properties:2:1:2:43 | management.endpoints.web.exposure.include=* | configuration | +| Version3.x/bad/some-exposed/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints (3.3.5). | Version3.x/bad/some-exposed/application.properties:2:1:2:59 | management.endpoints.web.exposure.include=health,info,beans | configuration | diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/exposure-include/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/exposure-include/all-exposed/application.properties similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/exposure-include/application.properties rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/exposure-include/all-exposed/application.properties diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/exposure-include/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/exposure-include/all-exposed/pom.xml similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/exposure-include/pom.xml rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/exposure-include/all-exposed/pom.xml 
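Review bot: In the `@@ -112,13 +112,16 @@` hunk of SpringBootActuatorsConfigQuery.qll (PATCH 19/21), `not ep.getValue() = ["health", "info"]` compares the whole property value against single endpoint names, but `management.endpoints.web.exposure.include` is a comma-separated list, so on 2.x the value `health,info` (exactly the default the hunk's own comment describes) equals neither `"health"` nor `"info"` and is reported; the new `some-exposed` tests only cover `health,info,beans`, where the result happens to be right. Consider checking each element instead, e.g. `exists(string e | e = ep.getValue().splitAt(",").trim() | not e = ["health", "info"])` for the 2.x branch and the same with `"health"` for the 3.x branch, and add a `good` case with `management.endpoints.web.exposure.include=health,info` so the list form is pinned down. The earlier hunk in this file documents a whitespace-trimmed getter for this class; the element-wise check should trim as well, since `health, info` with a space after the comma is common in hand-edited properties files.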
diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/exposure-include/some-exposed/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/exposure-include/some-exposed/application.properties new file mode 100644 index 000000000000..1f29407c1923 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/exposure-include/some-exposed/application.properties @@ -0,0 +1,2 @@ +# vulnerable configuration (spring boot 2+): exposes health and info only by default, here overridden to also expose beans +management.endpoints.web.exposure.include=health,info,beans \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/exposure-include/some-exposed/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/exposure-include/some-exposed/pom.xml new file mode 100644 index 000000000000..c22f08d7e7ec --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/exposure-include/some-exposed/pom.xml @@ -0,0 +1,47 @@ + + + 4.0.0 + + spring-boot-actuator-app + spring-boot-actuator-app + 1.0-SNAPSHOT + + + UTF-8 + 1.8 + 1.8 + + + + org.springframework.boot + spring-boot-starter-parent + 2.2.6.RELEASE + + + + + + org.springframework.boot + spring-boot-starter-web + + + org.springframework.boot + spring-boot-starter-actuator + + + org.springframework.boot + spring-boot-devtools + + + + org.springframework.boot + spring-boot-test + + + + \ No newline at end of file 
diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/bad/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/bad/all-exposed/application.properties similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/bad/application.properties rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/bad/all-exposed/application.properties diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/bad/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/bad/all-exposed/pom.xml similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/bad/pom.xml rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/bad/all-exposed/pom.xml diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/bad/some-exposed/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/bad/some-exposed/application.properties new file mode 100644 index 000000000000..27d08eac74f6 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/bad/some-exposed/application.properties @@ -0,0 +1,2 @@ +# vulnerable configuration (spring boot 3+): exposes health only by default, here overridden to also expose info and beans +management.endpoints.web.exposure.include=health,info,beans \ No newline at end of file 
diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/bad/some-exposed/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/bad/some-exposed/pom.xml new file mode 100644 index 000000000000..12dab1d9421a --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/bad/some-exposed/pom.xml @@ -0,0 +1,47 @@ + + + 4.0.0 + + spring-boot-actuator-app + spring-boot-actuator-app + 1.0-SNAPSHOT + + + UTF-8 + 1.8 + 1.8 + + + + org.springframework.boot + spring-boot-starter-parent + 3.3.5 + + + + + + org.springframework.boot + spring-boot-starter-web + + + org.springframework.boot + spring-boot-starter-actuator + + + org.springframework.boot + spring-boot-devtools + + + + org.springframework.boot + spring-boot-test + + + + \ No newline at end of file From 0dd33b273437cfa85904760e6f4b9366fca12a81 Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Sat, 19 Jul 2025 13:01:00 -0400 Subject: [PATCH 20/21] Java: remove version debugging from alert message --- .../java/security/SpringBootActuatorsConfigQuery.qll | 3 +-- .../SpringBootActuatorsConfig.ql | 11 +++-------- 2 files changed, 4 insertions(+), 10 deletions(-) diff --git a/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll b/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll index 19cb9c30ca97..163cd46d5d86 100644 --- a/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll +++ b/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll 
@@ -11,9 +11,8 @@ private class SpringBootParent extends Parent { SpringBootParent() { this.getGroup().getValue() = "org.springframework.boot" } } -// TODO: private once done with version string debugging in alert msg. /** A `Pom` with a Spring Boot parent node. */ -class SpringBootPom extends Pom { +private class SpringBootPom extends Pom { SpringBootPom() { this.getParentElement() instanceof SpringBootParent } /** Holds if the Spring Boot Security module is used in the project. */ diff --git a/java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/SpringBootActuatorsConfig.ql b/java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/SpringBootActuatorsConfig.ql index 5fb86c42b807..562298257a7d 100644 --- a/java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/SpringBootActuatorsConfig.ql +++ b/java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/SpringBootActuatorsConfig.ql @@ -15,11 +15,6 @@ import java import semmle.code.xml.MavenPom import semmle.code.java.security.SpringBootActuatorsConfigQuery -from SpringBootStarterActuatorDependency d, JavaPropertyOption jpOption, SpringBootPom pom -where - exposesSensitiveEndpoint(d, jpOption) and - // TODO: remove pom; for debugging versions - d = pom.getADependency() -select d, - "Insecure Spring Boot actuator $@ exposes sensitive endpoints (" + - pom.getParentElement().getVersionString() + ").", jpOption, "configuration" +from SpringBootStarterActuatorDependency d, JavaPropertyOption jpOption +where exposesSensitiveEndpoint(d, jpOption) +select d, "Insecure Spring Boot actuator $@ exposes sensitive endpoints.", jpOption, "configuration" From c9692a6d105cbfc1015804f6ac891704fb1f13c4 Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Sat, 19 Jul 2025 13:27:09 -0400 Subject: [PATCH 21/21] Java: fix test failures cause by alert msg change --- .../SpringBootActuatorsConfig.expected | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) 
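Review bot: Dropping `pom` and the join `d = pom.getADependency()` from the `from`/`where` clause, together with making `SpringBootPom` `private`, means the query itself no longer constrains `d` to a dependency of a Spring Boot pom; confirm that `exposesSensitiveEndpoint(d, jpOption)` in `SpringBootActuatorsConfigQuery.qll` performs that restriction internally (the version-dependent logic relies on it) and that no other library file imports `SpringBootPom` before the visibility change. The collapsed single-line `select` should still pass `codeql query format`; run it before merging.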
diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/SpringBootActuatorsConfig.expected b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/SpringBootActuatorsConfig.expected index 345d001a1f58..8845d970df2a 100644 --- a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/SpringBootActuatorsConfig.expected +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/SpringBootActuatorsConfig.expected 
@@ -1,8 +1,8 @@ -| Version1.0.x-1.4.x/bad/default/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints (1.2.6.RELEASE). | file://:0:0:0:0 | (none) | configuration | -| Version1.0.x-1.4.x/bad/false/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints (1.2.6.RELEASE). | Version1.0.x-1.4.x/bad/false/application.properties:2:1:2:33 | management.security.enabled=false | configuration | -| Version1.5.x/bad/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints (1.5.6.RELEASE). | Version1.5.x/bad/application.properties:2:1:2:33 | management.security.enabled=false | configuration | -| Version2.x/bad/expose/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints (2.2.6.RELEASE). | Version2.x/bad/expose/application.properties:2:1:2:33 | management.endpoints.web.expose=* | configuration | -| Version2.x/bad/exposure-include/all-exposed/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints (2.2.6.RELEASE). | Version2.x/bad/exposure-include/all-exposed/application.properties:2:1:2:43 | management.endpoints.web.exposure.include=* | configuration | -| Version2.x/bad/exposure-include/some-exposed/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints (2.2.6.RELEASE). | Version2.x/bad/exposure-include/some-exposed/application.properties:2:1:2:59 | management.endpoints.web.exposure.include=health,info,beans | configuration | -| Version3.x/bad/all-exposed/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints (3.3.5). | Version3.x/bad/all-exposed/application.properties:2:1:2:43 | management.endpoints.web.exposure.include=* | configuration | -| Version3.x/bad/some-exposed/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints (3.3.5). 
| Version3.x/bad/some-exposed/application.properties:2:1:2:59 | management.endpoints.web.exposure.include=health,info,beans | configuration | +| Version1.0.x-1.4.x/bad/default/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints. | file://:0:0:0:0 | (none) | configuration | +| Version1.0.x-1.4.x/bad/false/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints. | Version1.0.x-1.4.x/bad/false/application.properties:2:1:2:33 | management.security.enabled=false | configuration | +| Version1.5.x/bad/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints. | Version1.5.x/bad/application.properties:2:1:2:33 | management.security.enabled=false | configuration | +| Version2.x/bad/expose/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints. | Version2.x/bad/expose/application.properties:2:1:2:33 | management.endpoints.web.expose=* | configuration | +| Version2.x/bad/exposure-include/all-exposed/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints. | Version2.x/bad/exposure-include/all-exposed/application.properties:2:1:2:43 | management.endpoints.web.exposure.include=* | configuration | +| Version2.x/bad/exposure-include/some-exposed/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints. | Version2.x/bad/exposure-include/some-exposed/application.properties:2:1:2:59 | management.endpoints.web.exposure.include=health,info,beans | configuration | +| Version3.x/bad/all-exposed/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints. | Version3.x/bad/all-exposed/application.properties:2:1:2:43 | management.endpoints.web.exposure.include=* | configuration | +| Version3.x/bad/some-exposed/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints. 
| Version3.x/bad/some-exposed/application.properties:2:1:2:59 | management.endpoints.web.exposure.include=health,info,beans | configuration |
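Review bot: The rows correctly drop the `(<version>)` suffix to match the new message in `SpringBootActuatorsConfig.ql`, but the first row for `Version1.0.x-1.4.x/bad/default/pom.xml` still carries `file://:0:0:0:0 | (none)` as the `$@` target, i.e. the "configuration" link in the alert points at nothing because no `JavaPropertyOption` exists in that fixture. Consider a dedicated message for the default-configuration case (no property overrides, endpoints exposed by default in that version range) instead of a placeholder link, so the alert tells the reader why the dependency alone is flagged.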