diff --git a/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.java b/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.java
new file mode 100644
index 000000000000..538620550efc
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.java
@@ -0,0 +1,22 @@
+@Configuration(proxyBeanMethods = false)
+public class SpringBootActuators extends WebSecurityConfigurerAdapter {
+
+ @Override
+ protected void configure(HttpSecurity http) throws Exception {
+ // BAD: Unauthenticated access to Spring Boot actuator endpoints is allowed
+ http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests((requests) ->
+ requests.anyRequest().permitAll());
+ }
+}
+
+@Configuration(proxyBeanMethods = false)
+public class ActuatorSecurity extends WebSecurityConfigurerAdapter {
+
+ @Override
+ protected void configure(HttpSecurity http) throws Exception {
+ // GOOD: only users with ENDPOINT_ADMIN role are allowed to access the actuator endpoints
+ http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests((requests) ->
+ requests.anyRequest().hasRole("ENDPOINT_ADMIN"));
+ http.httpBasic();
+ }
+}
\ No newline at end of file
diff --git a/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.qhelp b/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.qhelp
new file mode 100644
index 000000000000..53ee653aaff3
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.qhelp
@@ -0,0 +1,39 @@ + + + +
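Review bot: The GOOD configuration in `ActuatorSecurity` turns on `http.httpBasic()` but its comment says nothing about transport, and HTTP Basic sends the credentials with every request in a trivially reversible encoding. Since this sample is what readers will copy as the fix, the comment should state the assumption, for example `// GOOD: only users with ENDPOINT_ADMIN role can access the actuator endpoints (serve them over TLS; HTTP Basic sends credentials on every request)`.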

Spring Boot includes a number of additional features called actuators that let you monitor +and interact with your web application. Exposing unprotected actuator endpoints via JXM or HTTP +can, however, lead to information disclosure or even to remote code execution vulnerability.

+
+ + +

Since actuator endpoints may contain sensitive information, careful consideration should be +given about when to expose them. You should take care to secure exposed HTTP endpoints in the same +way that you would any other sensitive URL. If Spring Security is present, endpoints are secured by +default using Spring Security’s content-negotiation strategy. If you wish to configure custom +security for HTTP endpoints, for example, only allow users with a certain role to access them, +Spring Boot provides some convenient RequestMatcher objects that can be used in +combination with Spring Security.

+
+ + +

In the first example, the custom security configuration allows unauthenticated access to all +actuator endpoints. This may lead to sensitive information disclosure and should be avoided.

+

In the second example, only users with ENDPOINT_ADMIN role are allowed to access +the actuator endpoints.

+ + +
+ + +
  • +Spring Boot documentation: +Actuators. +
  • +
  • +Exploiting Spring Boot Actuators +
  • +
    +
diff --git a/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.ql b/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.ql
new file mode 100644
index 000000000000..85daa77cc560
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.ql
@@ -0,0 +1,18 @@
+/**
+ * @name Exposed Spring Boot actuators
+ * @description Exposing Spring Boot actuators may lead to internal application's information leak
+ * or even to remote code execution.
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @id java/spring-boot-exposed-actuators
+ * @tags security
+ * external/cwe/cwe-16
+ */
+
+import java
+import SpringBootActuators
+
+from PermitAllCall permitAllCall
+where permitAllCall.permitsSpringBootActuators()
+select permitAllCall, "Unauthenticated access to Spring Boot actuator is allowed."
diff --git a/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.qll b/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.qll
new file mode 100644
index 000000000000..658983f2437b
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.qll
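Review bot: The `@description` speaks of "Exposing Spring Boot actuators", which is broader than what the query reports: the `where` clause selects only `permitAll()` calls for which `permitsSpringBootActuators()` holds, i.e. a Spring Security configuration that grants unauthenticated access. A description that matches the alert would read `@description Permitting unauthenticated access to Spring Boot actuator endpoints may leak internal application information or even lead to remote code execution.` That wording also fixes the awkward "internal application's information leak".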
@@ -0,0 +1,141 @@
+import java
+
+/** The class `org.springframework.security.config.annotation.web.builders.HttpSecurity`. */
+class TypeHttpSecurity extends Class {
+ TypeHttpSecurity() {
+ this
+ .hasQualifiedName("org.springframework.security.config.annotation.web.builders",
+ "HttpSecurity")
+ }
+}
+
+/**
+ * The class
+ * `org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer`.
+ */
+class TypeAuthorizedUrl extends Class {
+ TypeAuthorizedUrl() {
+ this
+ .hasQualifiedName("org.springframework.security.config.annotation.web.configurers",
+ "ExpressionUrlAuthorizationConfigurer$AuthorizedUrl<>")
+ }
+}
+
+/**
+ * The class
+ * `org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry`.
+ */
+class TypeAbstractRequestMatcherRegistry extends Class {
+ TypeAbstractRequestMatcherRegistry() {
+ this
+ .hasQualifiedName("org.springframework.security.config.annotation.web",
+ "AbstractRequestMatcherRegistry>")
+ }
+}
+
+/**
+ * The class
+ * `org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest.EndpointRequestMatcher`.
+ */
+class TypeEndpointRequestMatcher extends Class {
+ TypeEndpointRequestMatcher() {
+ this
+ .hasQualifiedName("org.springframework.boot.actuate.autoconfigure.security.servlet",
+ "EndpointRequest$EndpointRequestMatcher")
+ }
+}
+
+/**
+ * A call to `HttpSecurity.requestMatcher` method with argument of type
+ * `EndpointRequestMatcher`.
+ */
+class RequestMatcherCall extends MethodAccess {
+ RequestMatcherCall() {
+ getMethod().hasName("requestMatcher") and
+ getMethod().getDeclaringType() instanceof TypeHttpSecurity and
+ getArgument(0).getType() instanceof TypeEndpointRequestMatcher
+ }
+}
+
+/**
+ * A call to `HttpSecurity.requestMatchers` method with lambda argument resolving to
+ * `EndpointRequestMatcher` type.
+ */
+class RequestMatchersCall extends MethodAccess {
+ RequestMatchersCall() {
+ getMethod().hasName("requestMatchers") and
+ getMethod().getDeclaringType() instanceof TypeHttpSecurity and
+ getArgument(0).(LambdaExpr).getExprBody().getType() instanceof TypeEndpointRequestMatcher
+ }
+}
+
+/** A call to `HttpSecurity.authorizeRequests` method. */
+class AuthorizeRequestsCall extends MethodAccess {
+ AuthorizeRequestsCall() {
+ getMethod().hasName("authorizeRequests") and
+ getMethod().getDeclaringType() instanceof TypeHttpSecurity
+ }
+}
+
+/** A call to `AuthorizedUrl.permitAll` method. */
+class PermitAllCall extends MethodAccess {
+ PermitAllCall() {
+ getMethod().hasName("permitAll") and
+ getMethod().getDeclaringType() instanceof TypeAuthorizedUrl
+ }
+
+ /** Holds if `permitAll` is called on request(s) mapped to actuator endpoint(s). */
+ predicate permitsSpringBootActuators() {
+ exists(AuthorizeRequestsCall authorizeRequestsCall |
+ // .requestMatcher(EndpointRequest).authorizeRequests([...]).[...]
+ authorizeRequestsCall.getQualifier() instanceof RequestMatcherCall
+ or
+ // .requestMatchers(matcher -> EndpointRequest).authorizeRequests([...]).[...]
+ authorizeRequestsCall.getQualifier() instanceof RequestMatchersCall
+ or
+ // http.authorizeRequests([...]).[...]
+ authorizeRequestsCall.getQualifier() instanceof VarAccess
+ |
+ // [...].authorizeRequests(r -> r.anyRequest().permitAll()) or
+ // [...].authorizeRequests(r -> r.requestMatchers(EndpointRequest).permitAll())
+ authorizeRequestsCall.getArgument(0).(LambdaExpr).getExprBody() = this and
+ (
+ this.getQualifier() instanceof AnyRequestCall or
+ this.getQualifier() instanceof RegistryRequestMatchersCall
+ )
+ or
+ // [...].authorizeRequests().requestMatchers(EndpointRequest).permitAll() or
+ // [...].authorizeRequests().anyRequest().permitAll()
+ authorizeRequestsCall.getNumArgument() = 0 and
+ exists(RegistryRequestMatchersCall registryRequestMatchersCall |
+ registryRequestMatchersCall.getQualifier() = authorizeRequestsCall and
+ this.getQualifier() = registryRequestMatchersCall
+ )
+ or
+ exists(AnyRequestCall anyRequestCall |
+ anyRequestCall.getQualifier() = authorizeRequestsCall and
+ this.getQualifier() = anyRequestCall
+ )
+ )
+ }
+}
+
+/** A call to `AbstractRequestMatcherRegistry.anyRequest` method. */
+class AnyRequestCall extends MethodAccess {
+ AnyRequestCall() {
+ getMethod().hasName("anyRequest") and
+ getMethod().getDeclaringType() instanceof TypeAbstractRequestMatcherRegistry
+ }
+}
+
+/**
+ * A call to `AbstractRequestMatcherRegistry.requestMatchers` method with an argument of type
+ * `EndpointRequestMatcher`.
+ */
+class RegistryRequestMatchersCall extends MethodAccess {
+ RegistryRequestMatchersCall() {
+ getMethod().hasName("requestMatchers") and
+ getMethod().getDeclaringType() instanceof TypeAbstractRequestMatcherRegistry and
+ getAnArgument().getType() instanceof TypeEndpointRequestMatcher
+ }
+}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-016/SpringBootActuators.expected b/java/ql/test/experimental/query-tests/security/CWE-016/SpringBootActuators.expected
new file mode 100644
index 000000000000..f2874e3694d1
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-016/SpringBootActuators.expected
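Review bot: In `permitsSpringBootActuators`, the `VarAccess` qualifier alternative also combines with `AnyRequestCall`, so `http.authorizeRequests().anyRequest().permitAll()` with no `EndpointRequest` matcher anywhere appears to be reported as an actuator exposure, which sits poorly with the query's `@precision high`. Requiring a `RegistryRequestMatchersCall` whenever the qualifier is a plain variable would keep the alert tied to actuator endpoints. Separately, `and` binds tighter than `or`, so the final `exists(AnyRequestCall anyRequestCall | ...)` is not guarded by `authorizeRequestsCall.getNumArgument() = 0`; putting both `exists` formulas in one parenthesised group after that guard makes the intended grouping explicit. The predicate also treats every `EndpointRequestMatcher` argument alike, so a deliberate `permitAll()` on a narrow matcher would be flagged too, which the doc comment should mention for triage.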
@@ -0,0 +1,7 @@ +| SpringBootActuators.java:6:88:6:120 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. | +| SpringBootActuators.java:10:5:10:137 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. | +| SpringBootActuators.java:14:5:14:149 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. | +| SpringBootActuators.java:18:5:18:101 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. | +| SpringBootActuators.java:22:5:22:89 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. | +| SpringBootActuators.java:26:40:26:108 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. | +| SpringBootActuators.java:30:5:30:113 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-016/SpringBootActuators.java b/java/ql/test/experimental/query-tests/security/CWE-016/SpringBootActuators.java
new file mode 100644
index 000000000000..b554a7bac7e1
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-016/SpringBootActuators.java
@@ -0,0 +1,40 @@
+import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+
+public class SpringBootActuators {
+ protected void configure(HttpSecurity http) throws Exception {
+ http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests(requests -> requests.anyRequest().permitAll());
+ }
+
+ protected void configure2(HttpSecurity http) throws Exception {
+ http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll();
+ }
+
+ protected void configure3(HttpSecurity http) throws Exception {
+ http.requestMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll();
+ }
+
+ protected void configure4(HttpSecurity http) throws Exception {
+ http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests().anyRequest().permitAll();
+ }
+
+ protected void configure5(HttpSecurity http) throws Exception {
+ http.authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll();
+ }
+
+ protected void configure6(HttpSecurity http) throws Exception {
+ http.authorizeRequests(requests -> requests.requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll());
+ }
+
+ protected void configure7(HttpSecurity http) throws Exception {
+ http.requestMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeRequests().anyRequest().permitAll();
+ }
+
+ protected void configureOk1(HttpSecurity http) throws Exception {
+ http.requestMatcher(EndpointRequest.toAnyEndpoint());
+ }
+
+ protected void configureOk2(HttpSecurity http) throws Exception {
+ http.requestMatchers().requestMatchers(EndpointRequest.toAnyEndpoint());
+ }
+}
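Review bot: The two negative cases, `configureOk1` and `configureOk2`, never call `permitAll()`, so the test does not show that the query stays silent when actuator endpoints are restricted or when `permitAll()` targets something other than an actuator matcher. A case mirroring the help file's GOOD example, `http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests(requests -> requests.anyRequest().hasRole("ENDPOINT_ADMIN"));`, would cover the first gap; it needs a `hasRole` method on the `AuthorizedUrl` stub, which currently declares only `permitAll()`. A case for `http.authorizeRequests().anyRequest().permitAll()` would pin down whether an unscoped permit-all is meant to be reported under this message.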
diff --git a/java/ql/test/experimental/query-tests/security/CWE-016/SpringBootActuators.qlref b/java/ql/test/experimental/query-tests/security/CWE-016/SpringBootActuators.qlref
new file mode 100644
index 000000000000..ec49ecd718c2
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-016/SpringBootActuators.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-016/SpringBootActuators.ql
diff --git a/java/ql/test/experimental/query-tests/security/CWE-016/options b/java/ql/test/experimental/query-tests/security/CWE-016/options
new file mode 100644
index 000000000000..aeef8fc5abc7
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-016/options
@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/springframework-5.2.3
diff --git a/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/beans/factory/BeanFactory.java b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/beans/factory/BeanFactory.java
new file mode 100644
index 000000000000..692a7ae417d0
--- /dev/null
+++ b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/beans/factory/BeanFactory.java
@@ -0,0 +1,3 @@
+package org.springframework.beans.factory;
+
+public interface BeanFactory {}
diff --git a/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/beans/factory/HierarchicalBeanFactory.java b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/beans/factory/HierarchicalBeanFactory.java
new file mode 100644
index 000000000000..5d857ca2df29
--- /dev/null
+++ b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/beans/factory/HierarchicalBeanFactory.java
@@ -0,0 +1,3 @@
+package org.springframework.beans.factory;
+
+public interface HierarchicalBeanFactory extends BeanFactory {}
diff --git a/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/beans/factory/ListableBeanFactory.java b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/beans/factory/ListableBeanFactory.java
new file mode 100644
index 000000000000..d6fe32875da0
--- /dev/null
+++ b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/beans/factory/ListableBeanFactory.java
@@ -0,0 +1,3 @@
+package org.springframework.beans.factory;
+
+public interface ListableBeanFactory extends BeanFactory {}
diff --git a/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/boot/actuate/autoconfigure/security/servlet/EndpointRequest.java b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/boot/actuate/autoconfigure/security/servlet/EndpointRequest.java
new file mode 100644
index 000000000000..5b94a086e8f4
--- /dev/null
+++ b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/boot/actuate/autoconfigure/security/servlet/EndpointRequest.java
@@ -0,0 +1,15 @@
+package org.springframework.boot.actuate.autoconfigure.security.servlet;
+
+import org.springframework.boot.security.servlet.ApplicationContextRequestMatcher;
+import org.springframework.web.context.WebApplicationContext;
+
+public final class EndpointRequest {
+ public static EndpointRequestMatcher toAnyEndpoint() {
+ return null;
+ }
+
+ public static final class EndpointRequestMatcher extends AbstractRequestMatcher {}
+
+ private abstract static class AbstractRequestMatcher
+ extends ApplicationContextRequestMatcher {}
+}
diff --git a/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/boot/security/servlet/ApplicationContextRequestMatcher.java b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/boot/security/servlet/ApplicationContextRequestMatcher.java
new file mode 100644
index 000000000000..19676a1452a3
--- /dev/null
+++ b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/boot/security/servlet/ApplicationContextRequestMatcher.java
@@ -0,0 +1,5 @@
+package org.springframework.boot.security.servlet;
+
+import org.springframework.security.web.util.matcher.RequestMatcher;
+
+public abstract class ApplicationContextRequestMatcher implements RequestMatcher {}
diff --git a/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/context/ApplicationContext.java b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/context/ApplicationContext.java
new file mode 100644
index 000000000000..e8b0ed28edae
--- /dev/null
+++ b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/context/ApplicationContext.java
@@ -0,0 +1,9 @@
+package org.springframework.context;
+
+import org.springframework.beans.factory.HierarchicalBeanFactory;
+import org.springframework.beans.factory.ListableBeanFactory;
+import org.springframework.core.env.EnvironmentCapable;
+import org.springframework.core.io.support.ResourcePatternResolver;
+
+public interface ApplicationContext extends EnvironmentCapable, ListableBeanFactory, HierarchicalBeanFactory,
+ MessageSource, ApplicationEventPublisher, ResourcePatternResolver {}
diff --git a/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/context/ApplicationEventPublisher.java b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/context/ApplicationEventPublisher.java
new file mode 100644
index 000000000000..b4b659ff72e0
--- /dev/null
+++ b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/context/ApplicationEventPublisher.java
@@ -0,0 +1,6 @@
+package org.springframework.context;
+
+@FunctionalInterface
+public interface ApplicationEventPublisher {
+ void publishEvent(Object event);
+}
diff --git a/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/context/MessageSource.java b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/context/MessageSource.java
new file mode 100644
index 000000000000..1012702926dc
--- /dev/null
+++ b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/context/MessageSource.java
@@ -0,0 +1,3 @@
+package org.springframework.context;
+
+public interface MessageSource {}
diff --git a/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/core/env/EnvironmentCapable.java b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/core/env/EnvironmentCapable.java
new file mode 100644
index 000000000000..09490c33fa5c
--- /dev/null
+++ b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/core/env/EnvironmentCapable.java
@@ -0,0 +1,3 @@
+package org.springframework.core.env;
+
+public interface EnvironmentCapable {}
diff --git a/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/core/io/ResourceLoader.java b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/core/io/ResourceLoader.java
new file mode 100644
index 000000000000..0422a77c54c9
--- /dev/null
+++ b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/core/io/ResourceLoader.java
@@ -0,0 +1,3 @@
+package org.springframework.core.io;
+
+public interface ResourceLoader {}
diff --git a/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/core/io/support/ResourcePatternResolver.java b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/core/io/support/ResourcePatternResolver.java
new file mode 100644
index 000000000000..b23a5c73cdea
--- /dev/null
+++ b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/core/io/support/ResourcePatternResolver.java
@@ -0,0 +1,5 @@
+package org.springframework.core.io.support;
+
+import org.springframework.core.io.ResourceLoader;
+
+public interface ResourcePatternResolver extends ResourceLoader {}
diff --git a/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/Customizer.java b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/Customizer.java
new file mode 100644
index 000000000000..5037bd499a1d
--- /dev/null
+++ b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/Customizer.java
@@ -0,0 +1,6 @@
+package org.springframework.security.config;
+
+@FunctionalInterface
+public interface Customizer {
+ void customize(T t);
+}
diff --git a/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/AbstractConfiguredSecurityBuilder.java b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/AbstractConfiguredSecurityBuilder.java
new file mode 100644
index 000000000000..6ef43f44d94c
--- /dev/null
+++ b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/AbstractConfiguredSecurityBuilder.java
@@ -0,0 +1,4 @@
+package org.springframework.security.config.annotation;
+
+public abstract class AbstractConfiguredSecurityBuilder>
+ extends AbstractSecurityBuilder {}
diff --git a/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/AbstractSecurityBuilder.java b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/AbstractSecurityBuilder.java
new file mode 100644
index 000000000000..c9ee05b5c788
--- /dev/null
+++ b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/AbstractSecurityBuilder.java
@@ -0,0 +1,3 @@
+package org.springframework.security.config.annotation;
+
+public abstract class AbstractSecurityBuilder implements SecurityBuilder {}
diff --git a/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/SecurityBuilder.java b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/SecurityBuilder.java
new file mode 100644
index 000000000000..0ec0cfc30ccf
--- /dev/null
+++ b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/SecurityBuilder.java
@@ -0,0 +1,3 @@
+package org.springframework.security.config.annotation;
+
+public interface SecurityBuilder {}
diff --git a/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/SecurityConfigurer.java b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/SecurityConfigurer.java
new file mode 100644
index 000000000000..bde989db998d
--- /dev/null
+++ b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/SecurityConfigurer.java
@@ -0,0 +1,3 @@
+package org.springframework.security.config.annotation;
+
+public interface SecurityConfigurer> {}
diff --git a/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/SecurityConfigurerAdapter.java b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/SecurityConfigurerAdapter.java
new file mode 100644
index 000000000000..f44385219bdd
--- /dev/null
+++ b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/SecurityConfigurerAdapter.java
@@ -0,0 +1,4 @@
+package org.springframework.security.config.annotation;
+
+public abstract class SecurityConfigurerAdapter>
+ implements SecurityConfigurer {}
diff --git a/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/web/AbstractRequestMatcherRegistry.java b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/web/AbstractRequestMatcherRegistry.java
new file mode 100644
index 000000000000..70c3fb15b8fd
--- /dev/null
+++ b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/web/AbstractRequestMatcherRegistry.java
@@ -0,0 +1,13 @@
+package org.springframework.security.config.annotation.web;
+
+import org.springframework.security.web.util.matcher.RequestMatcher;
+
+public abstract class AbstractRequestMatcherRegistry {
+ public C anyRequest() {
+ return null;
+ }
+
+ public C requestMatchers(RequestMatcher... requestMatchers) {
+ return null;
+ }
+}
diff --git a/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/web/HttpSecurityBuilder.java b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/web/HttpSecurityBuilder.java
new file mode 100644
index 000000000000..d69f989a1ed3
--- /dev/null
+++ b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/web/HttpSecurityBuilder.java
@@ -0,0 +1,7 @@
+package org.springframework.security.config.annotation.web;
+
+import org.springframework.security.config.annotation.SecurityBuilder;
+import org.springframework.security.web.DefaultSecurityFilterChain;
+
+public interface HttpSecurityBuilder> extends
+ SecurityBuilder {}
diff --git a/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/web/builders/HttpSecurity.java b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/web/builders/HttpSecurity.java
new file mode 100644
index 000000000000..7e4f1dceed44
--- /dev/null
+++ b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/web/builders/HttpSecurity.java
@@ -0,0 +1,43 @@
+package org.springframework.security.config.annotation.web.builders;
+
+import org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder;
+import org.springframework.security.config.annotation.SecurityBuilder;
+import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
+import org.springframework.security.web.DefaultSecurityFilterChain;
+import org.springframework.security.web.util.matcher.RequestMatcher;
+import org.springframework.security.config.Customizer;
+import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
+import org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry;
+
+public final class HttpSecurity extends AbstractConfiguredSecurityBuilder
+ implements SecurityBuilder, HttpSecurityBuilder {
+
+ public HttpSecurity requestMatcher(RequestMatcher requestMatcher) {
+ return this;
+ }
+
+ public HttpSecurity authorizeRequests(
+ Customizer.ExpressionInterceptUrlRegistry> authorizeRequestsCustomizer)
+ throws Exception {
+ return this;
+ }
+
+ public ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry authorizeRequests()
+ throws Exception {
+ return null;
+ }
+
+ public HttpSecurity requestMatchers(Customizer requestMatcherCustomizer) {
+ return this;
+ }
+
+ public RequestMatcherConfigurer requestMatchers() {
+ return null;
+ }
+
+ public final class MvcMatchersRequestMatcherConfigurer extends RequestMatcherConfigurer {
+ }
+
+ public class RequestMatcherConfigurer extends AbstractRequestMatcherRegistry {
+ }
+}
diff --git a/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/web/configurers/AbstractConfigAttributeRequestMatcherRegistry.java b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/web/configurers/AbstractConfigAttributeRequestMatcherRegistry.java
new file mode 100644
index 000000000000..b6e75cafadbf
--- /dev/null
+++ b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/web/configurers/AbstractConfigAttributeRequestMatcherRegistry.java
@@ -0,0 +1,6 @@
+package org.springframework.security.config.annotation.web.configurers;
+
+import org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry;
+
+public abstract class AbstractConfigAttributeRequestMatcherRegistry extends
+ AbstractRequestMatcherRegistry {}
diff --git a/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/web/configurers/AbstractHttpConfigurer.java b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/web/configurers/AbstractHttpConfigurer.java
new file mode 100644
index 000000000000..7a1b56d5f3fc
--- /dev/null
+++ b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/web/configurers/AbstractHttpConfigurer.java
@@ -0,0 +1,8 @@
+package org.springframework.security.config.annotation.web.configurers;
+
+import org.springframework.security.config.annotation.SecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
+import org.springframework.security.web.DefaultSecurityFilterChain;
+
+public abstract class AbstractHttpConfigurer, B extends HttpSecurityBuilder>
+ extends SecurityConfigurerAdapter {}
diff --git a/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/web/configurers/AbstractInterceptUrlConfigurer.java b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/web/configurers/AbstractInterceptUrlConfigurer.java
new file mode 100644
index 000000000000..c5c56d567098
--- /dev/null
+++ b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/web/configurers/AbstractInterceptUrlConfigurer.java
@@ -0,0 +1,10 @@
+package org.springframework.security.config.annotation.web.configurers;
+
+import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
+
+abstract class AbstractInterceptUrlConfigurer, H extends HttpSecurityBuilder>
+ extends AbstractHttpConfigurer {
+ abstract class AbstractInterceptUrlRegistry, T>
+ extends AbstractConfigAttributeRequestMatcherRegistry {
+ }
+}
diff --git a/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/web/configurers/ExpressionUrlAuthorizationConfigurer.java b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/web/configurers/ExpressionUrlAuthorizationConfigurer.java
new file mode 100644
index 000000000000..012997dc5024
--- /dev/null
+++ b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/web/configurers/ExpressionUrlAuthorizationConfigurer.java
@@ -0,0 +1,16 @@
+package org.springframework.security.config.annotation.web.configurers;
+
+import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
+
+public final class ExpressionUrlAuthorizationConfigurer>
+ extends AbstractInterceptUrlConfigurer, H> {
+ public class ExpressionInterceptUrlRegistry extends
+ ExpressionUrlAuthorizationConfigurer.AbstractInterceptUrlRegistry {
+ }
+
+ public class AuthorizedUrl {
+ public ExpressionInterceptUrlRegistry permitAll() {
+ return null;
+ }
+ }
+}
diff --git a/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/web/DefaultSecurityFilterChain.java b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/web/DefaultSecurityFilterChain.java
new file mode 100644
index 000000000000..fbd1ff753e69
--- /dev/null
+++ b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/web/DefaultSecurityFilterChain.java
@@ -0,0 +1,3 @@
+package org.springframework.security.web;
+
+public final class DefaultSecurityFilterChain implements SecurityFilterChain {}
diff --git a/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/web/SecurityFilterChain.java b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/web/SecurityFilterChain.java
new file mode 100644
index 000000000000..4ecef359d1a0
--- /dev/null
+++ b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/web/SecurityFilterChain.java
@@ -0,0 +1,3 @@
+package org.springframework.security.web;
+
+public interface SecurityFilterChain {}
diff --git a/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/web/util/matcher/RequestMatcher.java b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/web/util/matcher/RequestMatcher.java
new file mode 100644
index 000000000000..05d7a2552dbc
--- /dev/null
+++ b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/web/util/matcher/RequestMatcher.java
@@ -0,0 +1,3 @@
+package org.springframework.security.web.util.matcher;
+
+public interface RequestMatcher {}
diff --git a/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/web/context/WebApplicationContext.java b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/web/context/WebApplicationContext.java
new file mode 100644
index 000000000000..16b5d13fd6ef
--- /dev/null
+++ b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/web/context/WebApplicationContext.java
@@ -0,0 +1,5 @@
+package org.springframework.web.context;
+
+import org.springframework.context.ApplicationContext;
+
+public interface WebApplicationContext extends ApplicationContext {}