diff --git a/java/src/qlpack.yml b/java/src/qlpack.yml index e78130b9..da9a10f8 100644 --- a/java/src/qlpack.yml +++ b/java/src/qlpack.yml @@ -1,6 +1,6 @@ library: false name: githubsecuritylab/codeql-java-queries -version: 0.2.1 +version: 0.2.2 suites: suites defaultSuiteFile: suites/java.qls dependencies: diff --git a/java/src/security/CWE-016/InsecureSpringActuatorConfig.qhelp b/java/src/security/CWE-016/InsecureSpringActuatorConfig.qhelp deleted file mode 100644 index e2011567..00000000 --- a/java/src/security/CWE-016/InsecureSpringActuatorConfig.qhelp +++ /dev/null @@ -1,47 +0,0 @@ - - - -

Spring Boot is a popular framework that facilitates the development of stand-alone applications -and micro services. Spring Boot Actuator helps to expose production-ready support features against -Spring Boot applications.

- -

Endpoints of Spring Boot Actuator allow to monitor and interact with a Spring Boot application. -Exposing unprotected actuator endpoints through configuration files can lead to information disclosure -or even remote code execution vulnerability.

- -

Rather than programmatically permitting endpoint requests or enforcing access control, frequently -developers simply leave management endpoints publicly accessible in the application configuration file -application.properties without enforcing access control through Spring Security.

- - - -

Declare the Spring Boot Starter Security module in XML configuration or programmatically enforce -security checks on management endpoints using Spring Security. Otherwise accessing management endpoints -on a different HTTP port other than the port that the web application is listening on also helps to -improve the security.

- - - -

The following examples show both 'BAD' and 'GOOD' configurations. In the 'BAD' configuration, -no security module is declared and sensitive management endpoints are exposed. In the 'GOOD' configuration, -security is enforced and only endpoints requiring exposure are exposed.

- - - - - - -
  • - Spring Boot documentation: - Spring Boot Actuator: Production-ready Features -
    • -
  • - VERACODE Blog: - Exploiting Spring Boot Actuators -
    • -
  • - HackerOne Report: - Spring Actuator endpoints publicly available, leading to account takeover -
    • -     -     diff --git a/java/src/security/CWE-016/InsecureSpringActuatorConfig.ql b/java/src/security/CWE-016/InsecureSpringActuatorConfig.ql deleted file mode 100644 index 393e3006..00000000 --- a/java/src/security/CWE-016/InsecureSpringActuatorConfig.ql +++ /dev/null @@ -1,118 +0,0 @@ -/** - * @name Insecure Spring Boot Actuator Configuration - * @description Exposed Spring Boot Actuator through configuration files without declarative or procedural - * security enforcement leads to information leak or even remote code execution. - * @kind problem - * @problem.severity error - * @precision high - * @id githubsecuritylab/java/insecure-spring-actuator-config - * @tags security - * external/cwe/cwe-016 - */ - -/* - * Note this query requires properties files to be indexed before it can produce results. - * If creating your own database with the CodeQL CLI, you should run - * `codeql database index-files --language=properties ...` - * If using lgtm.com, you should add `properties_files: true` to the index block of your - * lgtm.yml file (see https://lgtm.com/help/lgtm/java-extraction) - */ - -import java -import semmle.code.configfiles.ConfigFiles -import semmle.code.xml.MavenPom - -/** The parent node of the `org.springframework.boot` group. */ -class SpringBootParent extends Parent { - SpringBootParent() { this.getGroup().getValue() = "org.springframework.boot" } -} - -/** Class of Spring Boot dependencies. */ -class SpringBootPom extends Pom { - SpringBootPom() { this.getParentElement() instanceof SpringBootParent } - - /** Holds if the Spring Boot Actuator module `spring-boot-starter-actuator` is used in the project. */ - predicate isSpringBootActuatorUsed() { - this.getADependency().getArtifact().getValue() = "spring-boot-starter-actuator" - } - - /** - * Holds if the Spring Boot Security module is used in the project, which brings in other security - * related libraries. - */ - predicate isSpringBootSecurityUsed() { - this.getADependency().getArtifact().getValue() = "spring-boot-starter-security" - } -} - -/** The properties file `application.properties`. */ -class ApplicationProperties extends ConfigPair { - ApplicationProperties() { this.getFile().getBaseName() = "application.properties" } -} - -/** The configuration property `management.security.enabled`. */ -class ManagementSecurityConfig extends ApplicationProperties { - ManagementSecurityConfig() { this.getNameElement().getName() = "management.security.enabled" } - - /** Gets the whitespace-trimmed value of this property. */ - string getValue() { result = this.getValueElement().getValue().trim() } - - /** Holds if `management.security.enabled` is set to `false`. */ - predicate hasSecurityDisabled() { this.getValue() = "false" } - - /** Holds if `management.security.enabled` is set to `true`. */ - predicate hasSecurityEnabled() { this.getValue() = "true" } -} - -/** The configuration property `management.endpoints.web.exposure.include`. */ -class ManagementEndPointInclude extends ApplicationProperties { - ManagementEndPointInclude() { - this.getNameElement().getName() = "management.endpoints.web.exposure.include" - } - - /** Gets the whitespace-trimmed value of this property. */ - string getValue() { result = this.getValueElement().getValue().trim() } -} - -/** - * Holds if `ApplicationProperties` ap of a repository managed by `SpringBootPom` pom - * has a vulnerable configuration of Spring Boot Actuator management endpoints. - */ -predicate hasConfidentialEndPointExposed(SpringBootPom pom, ApplicationProperties ap) { - pom.isSpringBootActuatorUsed() and - not pom.isSpringBootSecurityUsed() and - ap.getFile() - .getParentContainer() - .getAbsolutePath() - .matches(pom.getFile().getParentContainer().getAbsolutePath() + "%") and // in the same sub-directory - exists(string springBootVersion | springBootVersion = pom.getParentElement().getVersionString() | - springBootVersion.regexpMatch("1\\.[0-4].*") and // version 1.0, 1.1, ..., 1.4 - not exists(ManagementSecurityConfig me | - me.hasSecurityEnabled() and me.getFile() = ap.getFile() - ) - or - springBootVersion.matches("1.5%") and // version 1.5 - exists(ManagementSecurityConfig me | me.hasSecurityDisabled() and me.getFile() = ap.getFile()) - or - springBootVersion.matches("2.%") and //version 2.x - exists(ManagementEndPointInclude mi | - mi.getFile() = ap.getFile() and - ( - mi.getValue() = "*" // all endpoints are enabled - or - mi.getValue() - .matches([ - "%dump%", "%trace%", "%logfile%", "%shutdown%", "%startup%", "%mappings%", "%env%", - "%beans%", "%sessions%" - ]) // confidential endpoints to check although all endpoints apart from '/health' and '/info' are considered sensitive by Spring - ) - ) - ) -} - -from SpringBootPom pom, ApplicationProperties ap, Dependency d -where - hasConfidentialEndPointExposed(pom, ap) and - d = pom.getADependency() and - d.getArtifact().getValue() = "spring-boot-starter-actuator" -select d, "Insecure configuration of Spring Boot Actuator exposes sensitive endpoints." diff --git a/java/src/security/CWE-016/application.properties b/java/src/security/CWE-016/application.properties deleted file mode 100644 index 4f5defdd..00000000 --- a/java/src/security/CWE-016/application.properties +++ /dev/null @@ -1,22 +0,0 @@ -#management.endpoints.web.base-path=/admin - - -#### BAD: All management endpoints are accessible #### -# vulnerable configuration (spring boot 1.0 - 1.4): exposes actuators by default - -# vulnerable configuration (spring boot 1.5+): requires value false to expose sensitive actuators -management.security.enabled=false - -# vulnerable configuration (spring boot 2+): exposes health and info only by default, here overridden to expose everything -management.endpoints.web.exposure.include=* - - -#### GOOD: All management endpoints have access control #### -# safe configuration (spring boot 1.0 - 1.4): exposes actuators by default -management.security.enabled=true - -# safe configuration (spring boot 1.5+): requires value false to expose sensitive actuators -management.security.enabled=true - -# safe configuration (spring boot 2+): exposes health and info only by default, here overridden to expose one additional endpoint which we assume is intentional and safe. -management.endpoints.web.exposure.include=beans,info,health diff --git a/java/src/security/CWE-016/pom_bad.xml b/java/src/security/CWE-016/pom_bad.xml deleted file mode 100644 index 9dd5c9c1..00000000 --- a/java/src/security/CWE-016/pom_bad.xml +++ /dev/null @@ -1,50 +0,0 @@ - - - 4.0.0 - - spring-boot-actuator-app - spring-boot-actuator-app - 1.0-SNAPSHOT - - - UTF-8 - 1.8 - 1.8 - - - - org.springframework.boot - spring-boot-starter-parent - 2.3.8.RELEASE - - - - - - org.springframework.boot - spring-boot-starter-web - - - org.springframework.boot - spring-boot-starter-actuator - - - org.springframework.boot - spring-boot-devtools - - - - - - - org.springframework.boot - spring-boot-test - - - - \ No newline at end of file diff --git a/java/src/security/CWE-016/pom_good.xml b/java/src/security/CWE-016/pom_good.xml deleted file mode 100644 index 89f577f2..00000000 --- a/java/src/security/CWE-016/pom_good.xml +++ /dev/null @@ -1,50 +0,0 @@ - - - 4.0.0 - - spring-boot-actuator-app - spring-boot-actuator-app - 1.0-SNAPSHOT - - - UTF-8 - 1.8 - 1.8 - - - - org.springframework.boot - spring-boot-starter-parent - 2.3.8.RELEASE - - - - - - org.springframework.boot - spring-boot-starter-web - - - org.springframework.boot - spring-boot-starter-actuator - - - org.springframework.boot - spring-boot-devtools - - - - - org.springframework.boot - spring-boot-starter-security - - - - org.springframework.boot - spring-boot-test - - - - \ No newline at end of file diff --git a/java/test/security/CWE-016/InsecureSpringActuatorConfig.expected b/java/test/security/CWE-016/InsecureSpringActuatorConfig.expected deleted file mode 100644 index 48630293..00000000 --- a/java/test/security/CWE-016/InsecureSpringActuatorConfig.expected +++ /dev/null @@ -1 +0,0 @@ -| pom.xml:29:9:32:22 | dependency | Insecure configuration of Spring Boot Actuator exposes sensitive endpoints. | diff --git a/java/test/security/CWE-016/InsecureSpringActuatorConfig.qlref b/java/test/security/CWE-016/InsecureSpringActuatorConfig.qlref deleted file mode 100644 index a0974149..00000000 --- a/java/test/security/CWE-016/InsecureSpringActuatorConfig.qlref +++ /dev/null @@ -1 +0,0 @@ -security/CWE-016/InsecureSpringActuatorConfig.ql \ No newline at end of file diff --git a/java/test/security/CWE-016/SensitiveInfo.java b/java/test/security/CWE-016/SensitiveInfo.java deleted file mode 100644 index a3ff69c1..00000000 --- a/java/test/security/CWE-016/SensitiveInfo.java +++ /dev/null @@ -1,13 +0,0 @@ -import org.springframework.stereotype.Controller; -import org.springframework.web.bind.annotation.RequestParam; -import org.springframework.web.bind.annotation.RequestMapping; - -@Controller -public class SensitiveInfo { - @RequestMapping - public void handleLogin(@RequestParam String username, @RequestParam String password) throws Exception { - if (!username.equals("") && password.equals("")) { - //Blank processing - } - } -} \ No newline at end of file diff --git a/java/test/security/CWE-016/application.properties b/java/test/security/CWE-016/application.properties deleted file mode 100644 index 797906a3..00000000 --- a/java/test/security/CWE-016/application.properties +++ /dev/null @@ -1,14 +0,0 @@ -#management.endpoints.web.base-path=/admin - -# vulnerable configuration (spring boot 1.0 - 1.4): exposes actuators by default - -# vulnerable configuration (spring boot 1.5+): requires value false to expose sensitive actuators -management.security.enabled=false - -# vulnerable configuration (spring boot 2+): exposes health and info only by default, here overridden to expose everything -management.endpoints.web.exposure.include=* -management.endpoints.web.exposure.exclude=beans - -management.endpoint.shutdown.enabled=true - -management.endpoint.health.show-details=when_authorized \ No newline at end of file diff --git a/java/test/security/CWE-016/options b/java/test/security/CWE-016/options deleted file mode 100644 index a7b10cd2..00000000 --- a/java/test/security/CWE-016/options +++ /dev/null @@ -1 +0,0 @@ -//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../codeql/java/ql/test/stubs/springframework-5.8.x diff --git a/java/test/security/CWE-016/pom.xml b/java/test/security/CWE-016/pom.xml deleted file mode 100644 index a9d5fa92..00000000 --- a/java/test/security/CWE-016/pom.xml +++ /dev/null @@ -1,47 +0,0 @@ - - - 4.0.0 - - spring-boot-actuator-app - spring-boot-actuator-app - 1.0-SNAPSHOT - - - UTF-8 - 1.8 - 1.8 - - - - org.springframework.boot - spring-boot-starter-parent - 2.3.8.RELEASE - - - - - - org.springframework.boot - spring-boot-starter-web - - - org.springframework.boot - spring-boot-starter-actuator - - - org.springframework.boot - spring-boot-devtools - - - - org.springframework.boot - spring-boot-test - - - - \ No newline at end of file