From fda4ab155ad95e6176a26ff1c67a21682d7b626d Mon Sep 17 00:00:00 2001 From: Grzegorz Golawski Date: Sun, 23 Feb 2020 20:03:41 +0100 Subject: [PATCH 1/6] CodeQL query to detect open Spring Boot actuator endpoints --- .../CWE/CWE-016/SpringBootActuators.java | 22 +++ .../CWE/CWE-016/SpringBootActuators.qhelp | 36 +++++ .../CWE/CWE-016/SpringBootActuators.ql | 18 +++ .../CWE/CWE-016/SpringBootActuators.qll | 143 ++++++++++++++++++ .../security/CWE-016/SpringBootActuators.java | 40 +++++ .../CWE-016/SpringBootActuators.qlref | 1 + 6 files changed, 260 insertions(+) create mode 100644 java/ql/src/Security/CWE/CWE-016/SpringBootActuators.java create mode 100644 java/ql/src/Security/CWE/CWE-016/SpringBootActuators.qhelp create mode 100644 java/ql/src/Security/CWE/CWE-016/SpringBootActuators.ql create mode 100644 java/ql/src/Security/CWE/CWE-016/SpringBootActuators.qll create mode 100644 java/ql/test/query-tests/security/CWE-016/SpringBootActuators.java create mode 100644 java/ql/test/query-tests/security/CWE-016/SpringBootActuators.qlref diff --git a/java/ql/src/Security/CWE/CWE-016/SpringBootActuators.java b/java/ql/src/Security/CWE/CWE-016/SpringBootActuators.java new file mode 100644 index 000000000000..63b9aadbc10b --- /dev/null +++ b/java/ql/src/Security/CWE/CWE-016/SpringBootActuators.java 
@@ -0,0 +1,22 @@
+@Configuration(proxyBeanMethods = false)
+public class ActuatorSecurity extends WebSecurityConfigurerAdapter {
+
+ @Override
+ protected void configure(HttpSecurity http) throws Exception {
+ // BAD: Unauthenticated access to Spring Boot actuator endpoints is allowed
+ http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests((requests) ->
+ requests.anyRequest().permitAll());
+ }
+}
+
+@Configuration(proxyBeanMethods = false)
+public class ActuatorSecurity extends WebSecurityConfigurerAdapter {
+
+ @Override
+ protected void configure(HttpSecurity http) throws Exception {
+ // GOOD: only users with ENDPOINT_ADMIN role are allowed to access the actuator endpoints
+ http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests((requests) ->
+ requests.anyRequest().hasRole("ENDPOINT_ADMIN"));
+ http.httpBasic();
+ }
+}
\ No newline at end of file
diff --git a/java/ql/src/Security/CWE/CWE-016/SpringBootActuators.qhelp b/java/ql/src/Security/CWE/CWE-016/SpringBootActuators.qhelp
new file mode 100644
index 000000000000..1e2fe6518601
--- /dev/null
+++ b/java/ql/src/Security/CWE/CWE-016/SpringBootActuators.qhelp
@@ -0,0 +1,36 @@
+ + +

Spring Boot includes a number of additional features called actuators that let you monitor +and interact with your web application. Exposing unprotected actuator endpoints via JXM or HTTP +can, however, lead to information disclosure or even to remote code execution vulnerability.

+
+ + +

Since actuator endpoints may contain sensitive information, careful consideration should be +given about when to expose them. You should take care to secure exposed HTTP endpoints in the same +way that you would any other sensitive URL. If Spring Security is present, endpoints are secured by +default using Spring Security’s content-negotiation strategy. If you wish to configure custom +security for HTTP endpoints, for example, only allow users with a certain role to access them, +Spring Boot provides some convenient RequestMatcher objects that can be used in +combination with Spring Security.

+
+ + +

In the first example, the custom security configuration allows unauthenticated access to all +actuator endpoints. This may lead to sensitive information disclosure and should be avoided.

+

In the second example, only users with ENDPOINT_ADMIN role are allowed to access +the actuator endpoints.

+ + +
+ + +
  • +Spring Boot documentation: +Actuators. +
  • +
    +
diff --git a/java/ql/src/Security/CWE/CWE-016/SpringBootActuators.ql b/java/ql/src/Security/CWE/CWE-016/SpringBootActuators.ql
new file mode 100644
index 000000000000..85daa77cc560
--- /dev/null
+++ b/java/ql/src/Security/CWE/CWE-016/SpringBootActuators.ql
@@ -0,0 +1,18 @@
+/**
+ * @name Exposed Spring Boot actuators
+ * @description Exposing Spring Boot actuators may lead to internal application's information leak
+ * or even to remote code execution.
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @id java/spring-boot-exposed-actuators
+ * @tags security
+ * external/cwe/cwe-16
+ */
+
+import java
+import SpringBootActuators
+
+from PermitAllCall permitAllCall
+where permitAllCall.permitsSpringBootActuators()
+select permitAllCall, "Unauthenticated access to Spring Boot actuator is allowed."
diff --git a/java/ql/src/Security/CWE/CWE-016/SpringBootActuators.qll b/java/ql/src/Security/CWE/CWE-016/SpringBootActuators.qll
new file mode 100644
index 000000000000..36223e4b6e66
--- /dev/null
+++ b/java/ql/src/Security/CWE/CWE-016/SpringBootActuators.qll
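Review bot: The `@description` text is hard to read as written; `@description Exposing Spring Boot actuators may leak internal application information or even allow remote code execution.` says the same thing more directly. `@precision high` is also a strong claim for a query whose library reports any `authorizeRequests()...anyRequest().permitAll()` chain rooted at a plain variable, with no actuator matcher required anywhere in the chain, so it is worth confirming the result set against a non-actuator configuration before the query graduates from experimental. The qhelp hunk earlier in this patch shares the wording issue and also spells `JMX` as `JXM`.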
@@ -0,0 +1,143 @@
+import java
+
+/** The class `org.springframework.security.config.annotation.web.builders.HttpSecurity`. */
+class TypeHttpSecurity extends Class {
+ TypeHttpSecurity() {
+ this
+ .hasQualifiedName("org.springframework.security.config.annotation.web.builders",
+ "HttpSecurity")
+ }
+}
+
+/**
+ * The class
+ * `org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer`.
+ */
+class TypeAuthorizedUrl extends Class {
+ TypeAuthorizedUrl() {
+ this
+ .hasQualifiedName("org.springframework.security.config.annotation.web.configurers",
+ "ExpressionUrlAuthorizationConfigurer$AuthorizedUrl<>")
+ }
+}
+
+/**
+ * The class
+ * `org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry`.
+ */
+class TypeAbstractRequestMatcherRegistry extends Class {
+ TypeAbstractRequestMatcherRegistry() {
+ this
+ .hasQualifiedName("org.springframework.security.config.annotation.web",
+ "AbstractRequestMatcherRegistry>")
+ }
+}
+
+/**
+ * The class
+ * `org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest.EndpointRequestMatcher`.
+ */
+class TypeEndpointRequestMatcher extends Class {
+ TypeEndpointRequestMatcher() {
+ this
+ .hasQualifiedName("org.springframework.boot.actuate.autoconfigure.security.servlet",
+ "EndpointRequest$EndpointRequestMatcher")
+ }
+}
+
+/**
+ * A call to `HttpSecurity.requestMatcher` method with argument of type
+ * `EndpointRequestMatcher`.
+ */
+class RequestMatcherCall extends MethodAccess {
+ RequestMatcherCall() {
+ getMethod().hasName("requestMatcher") and
+ getMethod().getDeclaringType() instanceof TypeHttpSecurity and
+ getArgument(0).getType() instanceof TypeEndpointRequestMatcher
+ }
+}
+
+/**
+ * A call to `HttpSecurity.requestMatchers` method with lambda argument resolving to
+ * `EndpointRequestMatcher` type.
+ */
+class RequestMatchersCall extends MethodAccess {
+ RequestMatchersCall() {
+ getMethod().hasName("requestMatchers") and
+ getMethod().getDeclaringType() instanceof TypeHttpSecurity and
+ getArgument(0).(LambdaExpr).getExprBody().getType() instanceof TypeEndpointRequestMatcher
+ }
+}
+
+/** A call to `HttpSecurity.authorizeRequests` method. */
+class AuthorizeRequestsCall extends MethodAccess {
+ AuthorizeRequestsCall() {
+ getMethod().hasName("authorizeRequests") and
+ getMethod().getDeclaringType() instanceof TypeHttpSecurity
+ }
+}
+
+/** A call to `AuthorizedUrl.permitAll` method. */
+class PermitAllCall extends MethodAccess {
+ PermitAllCall() {
+ getMethod().hasName("permitAll") and
+ getMethod().getDeclaringType() instanceof TypeAuthorizedUrl
+ }
+
+ /** Holds if `permitAll` is called on request(s) mapped to actuator endpoint(s). */
+ predicate permitsSpringBootActuators() {
+ exists(
+ RequestMatcherCall requestMatcherCall, RequestMatchersCall requestMatchersCall,
+ RegistryRequestMatchersCall registryRequestMatchersCall,
+ AuthorizeRequestsCall authorizeRequestsCall, AnyRequestCall anyRequestCall
+ |
+ // .requestMatcher(EndpointRequest).authorizeRequests([...]).[...]
+ authorizeRequestsCall.getQualifier() = requestMatcherCall
+ or
+ // .requestMatchers(matcher -> EndpointRequest).authorizeRequests([...]).[...]
+ authorizeRequestsCall.getQualifier() = requestMatchersCall
+ or
+ // http.authorizeRequests([...]).[...]
+ authorizeRequestsCall.getQualifier() instanceof VarAccess
+ |
+ // [...].authorizeRequests(r -> r.anyRequest().permitAll()) or
+ // [...].authorizeRequests(r -> r.requestMatchers(EndpointRequest).permitAll())
+ authorizeRequestsCall.getArgument(0).(LambdaExpr).getExprBody() = this and
+ (
+ this.getQualifier() = anyRequestCall or
+ this.getQualifier() = registryRequestMatchersCall
+ )
+ or
+ // [...].authorizeRequests().requestMatchers(EndpointRequest).permitAll() or
+ // [...].authorizeRequests().anyRequest().permitAll()
+ authorizeRequestsCall.getNumArgument() = 0 and
+ (
+ registryRequestMatchersCall.getQualifier() = authorizeRequestsCall and
+ this.getQualifier() = registryRequestMatchersCall
+ )
+ or
+ anyRequestCall.getQualifier() = authorizeRequestsCall and
+ this.getQualifier() = anyRequestCall
+ )
+ }
+}
+
+/** A call to `AbstractRequestMatcherRegistry.anyRequest` method. */
+class AnyRequestCall extends MethodAccess {
+ AnyRequestCall() {
+ getMethod().hasName("anyRequest") and
+ getMethod().getDeclaringType() instanceof TypeAbstractRequestMatcherRegistry
+ }
+}
+
+/**
+ * A call to `AbstractRequestMatcherRegistry.requestMatchers` method with an argument of type
+ * `EndpointRequestMatcher`.
+ */
+class RegistryRequestMatchersCall extends MethodAccess {
+ RegistryRequestMatchersCall() {
+ getMethod().hasName("requestMatchers") and
+ getMethod().getDeclaringType() instanceof TypeAbstractRequestMatcherRegistry and
+ getAnArgument().getType() instanceof TypeEndpointRequestMatcher
+ }
+}
diff --git a/java/ql/test/query-tests/security/CWE-016/SpringBootActuators.java b/java/ql/test/query-tests/security/CWE-016/SpringBootActuators.java
new file mode 100644
index 000000000000..920a1ff05c0a
--- /dev/null
+++ b/java/ql/test/query-tests/security/CWE-016/SpringBootActuators.java
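Review bot: In `permitsSpringBootActuators`, the `authorizeRequestsCall.getQualifier() instanceof VarAccess` alternative combines with the `anyRequestCall` alternatives, so a plain `http.authorizeRequests().anyRequest().permitAll()` (or its lambda form) is reported even though no `EndpointRequestMatcher` appears anywhere in the chain. That is a broader claim than "actuator exposed" and may be intended, but nothing in the test file pins the choice down; either restrict that branch to an explicit matcher, e.g. require `this.getQualifier() instanceof RegistryRequestMatchersCall` whenever the qualifier is a bare variable, or add a test case so the expected output documents the decision. Matching `getDeclaringType()` against qualified names that embed type arguments (`AuthorizedUrl<>`) also looks brittle across Spring Security versions; comparing `getMethod().getSourceDeclaration().getDeclaringType()` against the generic declaration would likely be more stable, if the stubs support it.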
@@ -0,0 +1,40 @@
+import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+
+public class ActuatorSecurityConfig {
+ protected void configure(HttpSecurity http) throws Exception {
+ http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests(requests -> requests.anyRequest().permitAll());
+ }
+
+ protected void configure2(HttpSecurity http) throws Exception {
+ http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll();
+ }
+
+ protected void configure3(HttpSecurity http) throws Exception {
+ http.requestMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll();
+ }
+
+ protected void configure4(HttpSecurity http) throws Exception {
+ http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests().anyRequest().permitAll();
+ }
+
+ protected void configure5(HttpSecurity http) throws Exception {
+ http.authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll();
+ }
+
+ protected void configure6(HttpSecurity http) throws Exception {
+ http.authorizeRequests(requests -> requests.requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll());
+ }
+
+ protected void configure7(HttpSecurity http) throws Exception {
+ http.requestMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeRequests().anyRequest().permitAll();
+ }
+
+ protected void configureOk1(HttpSecurity http) throws Exception {
+ http.requestMatcher(EndpointRequest.toAnyEndpoint());
+ }
+
+ protected void configureOk2(HttpSecurity http) throws Exception {
+ http.requestMatchers().requestMatchers(EndpointRequest.toAnyEndpoint());
+ }
+}
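Review bot: The test file has no negative case in which an actuator chain reaches an authorization call other than `permitAll()`, so a regression that stops checking the method name would go unnoticed; `configureOk1` and `configureOk2` never reach an authorization call at all. Adding a secured chain such as `http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests().anyRequest().hasRole("ENDPOINT_ADMIN");` and a non-actuator `http.authorizeRequests().anyRequest().permitAll();` would make the expected output record both what must not be reported and whether the latter is meant to be, provided the Spring stubs the test compiles against declare `hasRole`.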
diff --git a/java/ql/test/query-tests/security/CWE-016/SpringBootActuators.qlref b/java/ql/test/query-tests/security/CWE-016/SpringBootActuators.qlref
new file mode 100644
index 000000000000..abd5f2a75991
--- /dev/null
+++ b/java/ql/test/query-tests/security/CWE-016/SpringBootActuators.qlref
@@ -0,0 +1 @@
+Security/CWE/CWE-016/SpringBootActuators.ql
From f05b2af69dd47846ae41bc9eef56ef9b5a8d685b Mon Sep 17 00:00:00 2001 From: Grzegorz Golawski Date: Fri, 3 Apr 2020 00:27:51 +0200 Subject: [PATCH 2/6] Move to experimental --- .../Security/CWE/CWE-016/SpringBootActuators.java | 0 .../Security/CWE/CWE-016/SpringBootActuators.qhelp | 3 +++ .../Security/CWE/CWE-016/SpringBootActuators.ql | 0 .../Security/CWE/CWE-016/SpringBootActuators.qll | 0 .../query-tests/security/CWE-016/SpringBootActuators.java | 2 +- .../query-tests/security/CWE-016/SpringBootActuators.qlref | 0 6 files changed, 4 insertions(+), 1 deletion(-) rename java/ql/src/{ => experimental}/Security/CWE/CWE-016/SpringBootActuators.java (100%) rename java/ql/src/{ => experimental}/Security/CWE/CWE-016/SpringBootActuators.qhelp (92%) rename java/ql/src/{ => experimental}/Security/CWE/CWE-016/SpringBootActuators.ql (100%) rename java/ql/src/{ => experimental}/Security/CWE/CWE-016/SpringBootActuators.qll (100%) rename java/ql/test/{ => experimental}/query-tests/security/CWE-016/SpringBootActuators.java (97%) rename java/ql/test/{ => experimental}/query-tests/security/CWE-016/SpringBootActuators.qlref (100%)
diff --git a/java/ql/src/Security/CWE/CWE-016/SpringBootActuators.java b/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.java
similarity index 100%
rename from java/ql/src/Security/CWE/CWE-016/SpringBootActuators.java
rename to java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.java
diff --git a/java/ql/src/Security/CWE/CWE-016/SpringBootActuators.qhelp b/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.qhelp
similarity index 92%
rename from java/ql/src/Security/CWE/CWE-016/SpringBootActuators.qhelp
rename to java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.qhelp
index 1e2fe6518601..53ee653aaff3 100644
--- a/java/ql/src/Security/CWE/CWE-016/SpringBootActuators.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.qhelp
@@ -32,5 +32,8 @@ the actuator endpoints.

    Spring Boot documentation: Actuators. +
  • +Exploiting Spring Boot Actuators +
•
diff --git a/java/ql/src/Security/CWE/CWE-016/SpringBootActuators.ql b/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.ql
similarity index 100%
rename from java/ql/src/Security/CWE/CWE-016/SpringBootActuators.ql
rename to java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.ql
diff --git a/java/ql/src/Security/CWE/CWE-016/SpringBootActuators.qll b/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.qll
similarity index 100%
rename from java/ql/src/Security/CWE/CWE-016/SpringBootActuators.qll
rename to java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.qll
diff --git a/java/ql/test/query-tests/security/CWE-016/SpringBootActuators.java b/java/ql/test/experimental/query-tests/security/CWE-016/SpringBootActuators.java
similarity index 97%
rename from java/ql/test/query-tests/security/CWE-016/SpringBootActuators.java
rename to java/ql/test/experimental/query-tests/security/CWE-016/SpringBootActuators.java
index 920a1ff05c0a..b554a7bac7e1 100644
--- a/java/ql/test/query-tests/security/CWE-016/SpringBootActuators.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-016/SpringBootActuators.java
@@ -1,7 +1,7 @@
 import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;

-public class ActuatorSecurityConfig {
+public class SpringBootActuators {
 protected void configure(HttpSecurity http) throws Exception {
 http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests(requests -> requests.anyRequest().permitAll());
 }
diff --git a/java/ql/test/query-tests/security/CWE-016/SpringBootActuators.qlref b/java/ql/test/experimental/query-tests/security/CWE-016/SpringBootActuators.qlref
similarity index 100%
rename from java/ql/test/query-tests/security/CWE-016/SpringBootActuators.qlref
rename to java/ql/test/experimental/query-tests/security/CWE-016/SpringBootActuators.qlref
From 6ca963a8c89cfe541fefeb7a259f099554a8ffec Mon Sep 17 00:00:00 2001 From: Grzegorz Golawski Date: Fri, 3 Apr 2020 00:30:02 +0200 Subject: [PATCH 3/6] Fix --- .../experimental/Security/CWE/CWE-016/SpringBootActuators.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.java b/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.java
index 63b9aadbc10b..538620550efc 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.java
+++ b/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.java
@@ -1,5 +1,5 @@
 @Configuration(proxyBeanMethods = false)
-public class ActuatorSecurity extends WebSecurityConfigurerAdapter {
+public class SpringBootActuators extends WebSecurityConfigurerAdapter {

 @Override
 protected void configure(HttpSecurity http) throws Exception {
From 79d7ea36ffef2cf1759ee4807f2198edcf14b8e6 Mon Sep 17 00:00:00 2001 From: ggolawski <35563296+ggolawski@users.noreply.github.com> Date: Fri, 3 Apr 2020 21:36:34 +0200 Subject: [PATCH 4/6] Update java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.qll Co-Authored-By: Anders Schack-Mulligen --- .../CWE/CWE-016/SpringBootActuators.qll | 22 +++++++++---------- 1 file changed, 10 insertions(+), 12 deletions(-)
diff --git a/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.qll b/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.qll
index 36223e4b6e66..658983f2437b 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.qll
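Review bot: The rename reaches only the first `ActuatorSecurity` declaration in the example file; the second declaration in the same file (the GOOD variant added in patch 1) keeps the old name, so the BAD and GOOD snippets shown in the qhelp now carry different class names for what is presented as the same configuration, as far as I can tell. Renaming both to `SpringBootActuators`, or leaving both as `ActuatorSecurity`, keeps the pair parallel. The class body continues outside the hunk.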
@@ -86,16 +86,12 @@ class PermitAllCall extends MethodAccess {

 /** Holds if `permitAll` is called on request(s) mapped to actuator endpoint(s). */
 predicate permitsSpringBootActuators() {
- exists(
- RequestMatcherCall requestMatcherCall, RequestMatchersCall requestMatchersCall,
- RegistryRequestMatchersCall registryRequestMatchersCall,
- AuthorizeRequestsCall authorizeRequestsCall, AnyRequestCall anyRequestCall
- |
+ exists(AuthorizeRequestsCall authorizeRequestsCall |
 // .requestMatcher(EndpointRequest).authorizeRequests([...]).[...]
- authorizeRequestsCall.getQualifier() = requestMatcherCall
+ authorizeRequestsCall.getQualifier() instanceof RequestMatcherCall
 or
 // .requestMatchers(matcher -> EndpointRequest).authorizeRequests([...]).[...]
- authorizeRequestsCall.getQualifier() = requestMatchersCall
+ authorizeRequestsCall.getQualifier() instanceof RequestMatchersCall
 or
 // http.authorizeRequests([...]).[...]
 authorizeRequestsCall.getQualifier() instanceof VarAccess
@@ -104,20 +100,22 @@ class PermitAllCall extends MethodAccess {
 // [...].authorizeRequests(r -> r.requestMatchers(EndpointRequest).permitAll())
 authorizeRequestsCall.getArgument(0).(LambdaExpr).getExprBody() = this and
 (
- this.getQualifier() = anyRequestCall or
- this.getQualifier() = registryRequestMatchersCall
+ this.getQualifier() instanceof AnyRequestCall or
+ this.getQualifier() instanceof RegistryRequestMatchersCall
 )
 or
 // [...].authorizeRequests().requestMatchers(EndpointRequest).permitAll() or
 // [...].authorizeRequests().anyRequest().permitAll()
 authorizeRequestsCall.getNumArgument() = 0 and
- (
+ exists(RegistryRequestMatchersCall registryRequestMatchersCall |
 registryRequestMatchersCall.getQualifier() = authorizeRequestsCall and
 this.getQualifier() = registryRequestMatchersCall
 )
 or
- anyRequestCall.getQualifier() = authorizeRequestsCall and
- this.getQualifier() = anyRequestCall
+ exists(AnyRequestCall anyRequestCall |
+ anyRequestCall.getQualifier() = authorizeRequestsCall and
+ this.getQualifier() = anyRequestCall
+ )
 )
 }
 }
From 1d8da905ac02510bec59271e23012ee48cd9d741 Mon Sep 17 00:00:00 2001
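Review bot: The new `exists(AnyRequestCall anyRequestCall | ...)` alternative sits outside the `authorizeRequestsCall.getNumArgument() = 0` guard, because `and` binds tighter than `or` in QL, even though the comment two lines above it groups both chains under the zero-argument form; the refactor preserves that shape from the original. Wrapping the two alternatives together, `authorizeRequestsCall.getNumArgument() = 0 and (exists(RegistryRequestMatchersCall ...) or exists(AnyRequestCall ...))`, makes the guard apply to both and matches the comment. As far as I can tell this is a clarity issue rather than a result change, since `anyRequest()` can only be chained on the registry that the zero-argument overload returns. The previous hunk in this file has the same structure and would be adjusted by the same parenthesisation.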
From: Grzegorz Golawski Date: Fri, 3 Apr 2020 21:44:13 +0200 Subject: [PATCH 5/6] Make the test runnable via codeql test run --- java/ql/src/experimental/qlpack.yml | 3 ++ java/ql/test/experimental/qlpack.yml | 4 ++ .../CWE-016/SpringBootActuators.expected | 7 +++ .../query-tests/security/CWE-016/options | 1 + .../beans/factory/BeanFactory.java | 3 ++ .../factory/HierarchicalBeanFactory.java | 3 ++ .../beans/factory/ListableBeanFactory.java | 3 ++ .../security/servlet/EndpointRequest.java | 15 +++++++ .../ApplicationContextRequestMatcher.java | 5 +++ .../context/ApplicationContext.java | 9 ++++ .../context/ApplicationEventPublisher.java | 6 +++ .../context/MessageSource.java | 3 ++ .../core/env/EnvironmentCapable.java | 3 ++ .../core/io/ResourceLoader.java | 3 ++ .../io/support/ResourcePatternResolver.java | 5 +++ .../security/config/Customizer.java | 6 +++ .../AbstractConfiguredSecurityBuilder.java | 4 ++ .../annotation/AbstractSecurityBuilder.java | 3 ++ .../config/annotation/SecurityBuilder.java | 3 ++ .../config/annotation/SecurityConfigurer.java | 3 ++ .../annotation/SecurityConfigurerAdapter.java | 4 ++ .../web/AbstractRequestMatcherRegistry.java | 13 ++++++ .../annotation/web/HttpSecurityBuilder.java | 7 +++ .../annotation/web/builders/HttpSecurity.java | 43 +++++++++++++++++++ ...ConfigAttributeRequestMatcherRegistry.java | 6 +++ .../configurers/AbstractHttpConfigurer.java | 8 ++++ .../AbstractInterceptUrlConfigurer.java | 10 +++++ .../ExpressionUrlAuthorizationConfigurer.java | 16 +++++++ .../web/DefaultSecurityFilterChain.java | 3 ++ .../security/web/SecurityFilterChain.java | 3 ++ .../web/util/matcher/RequestMatcher.java | 3 ++ .../web/context/WebApplicationContext.java | 5 +++ 32 files changed, 213 insertions(+) create mode 100644 java/ql/src/experimental/qlpack.yml create mode 100644 java/ql/test/experimental/qlpack.yml create mode 100644 java/ql/test/experimental/query-tests/security/CWE-016/SpringBootActuators.expected create mode 100644 
java/ql/test/experimental/query-tests/security/CWE-016/options create mode 100644 java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/beans/factory/BeanFactory.java create mode 100644 java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/beans/factory/HierarchicalBeanFactory.java create mode 100644 java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/beans/factory/ListableBeanFactory.java create mode 100644 java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/boot/actuate/autoconfigure/security/servlet/EndpointRequest.java create mode 100644 java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/boot/security/servlet/ApplicationContextRequestMatcher.java create mode 100644 java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/context/ApplicationContext.java create mode 100644 java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/context/ApplicationEventPublisher.java create mode 100644 java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/context/MessageSource.java create mode 100644 java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/core/env/EnvironmentCapable.java create mode 100644 java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/core/io/ResourceLoader.java create mode 100644 java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/core/io/support/ResourcePatternResolver.java create mode 100644 java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/Customizer.java create mode 100644 java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/AbstractConfiguredSecurityBuilder.java create mode 100644 java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/AbstractSecurityBuilder.java create mode 100644 
java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/SecurityBuilder.java create mode 100644 java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/SecurityConfigurer.java create mode 100644 java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/SecurityConfigurerAdapter.java create mode 100644 java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/web/AbstractRequestMatcherRegistry.java create mode 100644 java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/web/HttpSecurityBuilder.java create mode 100644 java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/web/builders/HttpSecurity.java create mode 100644 java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/web/configurers/AbstractConfigAttributeRequestMatcherRegistry.java create mode 100644 java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/web/configurers/AbstractHttpConfigurer.java create mode 100644 java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/web/configurers/AbstractInterceptUrlConfigurer.java create mode 100644 java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/web/configurers/ExpressionUrlAuthorizationConfigurer.java create mode 100644 java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/web/DefaultSecurityFilterChain.java create mode 100644 java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/web/SecurityFilterChain.java create mode 100644 java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/web/util/matcher/RequestMatcher.java create mode 
100644 java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/web/context/WebApplicationContext.java
diff --git a/java/ql/src/experimental/qlpack.yml b/java/ql/src/experimental/qlpack.yml
new file mode 100644
index 000000000000..090a3e8359bc
--- /dev/null
+++ b/java/ql/src/experimental/qlpack.yml
@@ -0,0 +1,3 @@
+name: codeql-java-experimental
+version: 0.0.0
+libraryPathDependencies: codeql-java
diff --git a/java/ql/test/experimental/qlpack.yml b/java/ql/test/experimental/qlpack.yml
new file mode 100644
index 000000000000..4b7a7635a6c7
--- /dev/null
+++ b/java/ql/test/experimental/qlpack.yml
@@ -0,0 +1,4 @@
+name: codeql-java-experimental-tests
+version: 0.0.0
+libraryPathDependencies: codeql-java-experimental
+extractor: java
diff --git a/java/ql/test/experimental/query-tests/security/CWE-016/SpringBootActuators.expected b/java/ql/test/experimental/query-tests/security/CWE-016/SpringBootActuators.expected
new file mode 100644
index 000000000000..f2874e3694d1
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-016/SpringBootActuators.expected
@@ -0,0 +1,7 @@
+| SpringBootActuators.java:6:88:6:120 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. |
+| SpringBootActuators.java:10:5:10:137 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. |
+| SpringBootActuators.java:14:5:14:149 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. |
+| SpringBootActuators.java:18:5:18:101 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. |
+| SpringBootActuators.java:22:5:22:89 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. |
+| SpringBootActuators.java:26:40:26:108 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. |
+| SpringBootActuators.java:30:5:30:113 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-016/options b/java/ql/test/experimental/query-tests/security/CWE-016/options
new file mode 100644
index 000000000000..aeef8fc5abc7
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-016/options
@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/springframework-5.2.3
diff --git a/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/beans/factory/BeanFactory.java b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/beans/factory/BeanFactory.java
new file mode 100644
index 000000000000..692a7ae417d0
--- /dev/null
+++ b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/beans/factory/BeanFactory.java
@@ -0,0 +1,3 @@
+package org.springframework.beans.factory;
+
+public interface BeanFactory {}
diff --git a/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/beans/factory/HierarchicalBeanFactory.java b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/beans/factory/HierarchicalBeanFactory.java
new file mode 100644
index 000000000000..5d857ca2df29
--- /dev/null
+++ b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/beans/factory/HierarchicalBeanFactory.java
@@ -0,0 +1,3 @@
+package org.springframework.beans.factory;
+
+public interface HierarchicalBeanFactory extends BeanFactory {}
diff --git a/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/beans/factory/ListableBeanFactory.java b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/beans/factory/ListableBeanFactory.java
new file mode 100644
index 000000000000..d6fe32875da0
--- /dev/null
+++ b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/beans/factory/ListableBeanFactory.java
@@ -0,0 +1,3 @@
+package org.springframework.beans.factory;
+
+public interface ListableBeanFactory extends BeanFactory {}
diff --git a/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/boot/actuate/autoconfigure/security/servlet/EndpointRequest.java b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/boot/actuate/autoconfigure/security/servlet/EndpointRequest.java
new file mode 100644
index 000000000000..5b94a086e8f4
--- /dev/null
+++ b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/boot/actuate/autoconfigure/security/servlet/EndpointRequest.java
@@ -0,0 +1,15 @@
+package org.springframework.boot.actuate.autoconfigure.security.servlet;
+
+import org.springframework.boot.security.servlet.ApplicationContextRequestMatcher;
+import org.springframework.web.context.WebApplicationContext;
+
+public final class EndpointRequest {
+ public static EndpointRequestMatcher toAnyEndpoint() {
+ return null;
+ }
+
+ public static final class EndpointRequestMatcher extends AbstractRequestMatcher {}
+
+ private abstract static class AbstractRequestMatcher
+ extends ApplicationContextRequestMatcher {}
+}
diff --git a/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/boot/security/servlet/ApplicationContextRequestMatcher.java b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/boot/security/servlet/ApplicationContextRequestMatcher.java
new file mode 100644
index 000000000000..19676a1452a3
--- /dev/null
+++ b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/boot/security/servlet/ApplicationContextRequestMatcher.java
@@ -0,0 +1,5 @@
+package org.springframework.boot.security.servlet;
+
+import org.springframework.security.web.util.matcher.RequestMatcher;
+
+public abstract class ApplicationContextRequestMatcher implements RequestMatcher {}
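Review bot: The EndpointRequest stub models only `toAnyEndpoint()`, so the test corpus cannot show how the query treats the other matchers the real class exposes, namely `to(String...)`/`to(Class<?>...)`, `toLinks()` and `EndpointRequestMatcher.excluding(String...)`. This matters in both directions: `EndpointRequest.to("health", "info")` followed by `permitAll()` is the configuration Spring Boot's own documentation recommends and is presumably not meant to alert, whereas `toAnyEndpoint().excluding("health")` with `permitAll()` still leaves every other actuator unauthenticated. I would add `public static EndpointRequestMatcher to(String... endpoints) { return null; }` to the stub and `public EndpointRequestMatcher excluding(String... endpoints) { return null; }` inside `EndpointRequestMatcher`, with one test case for each. The `.ql` itself is not part of this chunk, so whether it already distinguishes these forms is inferred rather than seen.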
diff --git a/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/context/ApplicationContext.java b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/context/ApplicationContext.java
new file mode 100644
index 000000000000..e8b0ed28edae
--- /dev/null
+++ b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/context/ApplicationContext.java
@@ -0,0 +1,9 @@
+package org.springframework.context;
+
+import org.springframework.beans.factory.HierarchicalBeanFactory;
+import org.springframework.beans.factory.ListableBeanFactory;
+import org.springframework.core.env.EnvironmentCapable;
+import org.springframework.core.io.support.ResourcePatternResolver;
+
+public interface ApplicationContext extends EnvironmentCapable, ListableBeanFactory, HierarchicalBeanFactory,
+ MessageSource, ApplicationEventPublisher, ResourcePatternResolver {}
diff --git a/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/context/ApplicationEventPublisher.java b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/context/ApplicationEventPublisher.java
new file mode 100644
index 000000000000..b4b659ff72e0
--- /dev/null
+++ b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/context/ApplicationEventPublisher.java
@@ -0,0 +1,6 @@
+package org.springframework.context;
+
+@FunctionalInterface
+public interface ApplicationEventPublisher {
+ void publishEvent(Object event);
+}
diff --git a/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/context/MessageSource.java b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/context/MessageSource.java
new file mode 100644
index 000000000000..1012702926dc
--- /dev/null
+++ b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/context/MessageSource.java
@@ -0,0 +1,3 @@
+package org.springframework.context;
+
+public interface MessageSource {}
diff --git a/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/core/env/EnvironmentCapable.java b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/core/env/EnvironmentCapable.java
new file mode 100644
index 000000000000..09490c33fa5c
--- /dev/null
+++ b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/core/env/EnvironmentCapable.java
@@ -0,0 +1,3 @@
+package org.springframework.core.env;
+
+public interface EnvironmentCapable {}
diff --git a/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/core/io/ResourceLoader.java b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/core/io/ResourceLoader.java
new file mode 100644
index 000000000000..0422a77c54c9
--- /dev/null
+++ b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/core/io/ResourceLoader.java
@@ -0,0 +1,3 @@
+package org.springframework.core.io;
+
+public interface ResourceLoader {}
diff --git a/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/core/io/support/ResourcePatternResolver.java b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/core/io/support/ResourcePatternResolver.java
new file mode 100644
index 000000000000..b23a5c73cdea
--- /dev/null
+++ b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/core/io/support/ResourcePatternResolver.java
@@ -0,0 +1,5 @@
+package org.springframework.core.io.support;
+
+import org.springframework.core.io.ResourceLoader;
+
+public interface ResourcePatternResolver extends ResourceLoader {}
diff --git a/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/Customizer.java b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/Customizer.java
new file mode 100644
index 000000000000..5037bd499a1d
--- /dev/null
+++ b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/Customizer.java
@@ -0,0 +1,6 @@
+package org.springframework.security.config;
+
+@FunctionalInterface
+public interface Customizer {
+ void customize(T t);
+}
diff --git a/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/AbstractConfiguredSecurityBuilder.java b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/AbstractConfiguredSecurityBuilder.java
new file mode 100644
index 000000000000..6ef43f44d94c
--- /dev/null
+++ b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/AbstractConfiguredSecurityBuilder.java
@@ -0,0 +1,4 @@
+package org.springframework.security.config.annotation;
+
+public abstract class AbstractConfiguredSecurityBuilder>
+ extends AbstractSecurityBuilder {}
diff --git a/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/AbstractSecurityBuilder.java b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/AbstractSecurityBuilder.java
new file mode 100644
index 000000000000..c9ee05b5c788
--- /dev/null
+++ b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/AbstractSecurityBuilder.java
@@ -0,0 +1,3 @@
+package org.springframework.security.config.annotation;
+
+public abstract class AbstractSecurityBuilder implements SecurityBuilder {}
diff --git a/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/SecurityBuilder.java b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/SecurityBuilder.java
new file mode 100644
index 000000000000..0ec0cfc30ccf
--- /dev/null
+++ b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/SecurityBuilder.java
@@ -0,0 +1,3 @@
+package org.springframework.security.config.annotation;
+
+public interface SecurityBuilder {}
diff --git a/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/SecurityConfigurer.java b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/SecurityConfigurer.java
new file mode 100644
index 000000000000..bde989db998d
--- /dev/null
+++ b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/SecurityConfigurer.java
@@ -0,0 +1,3 @@
+package org.springframework.security.config.annotation;
+
+public interface SecurityConfigurer> {}
diff --git a/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/SecurityConfigurerAdapter.java b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/SecurityConfigurerAdapter.java
new file mode 100644
index 000000000000..f44385219bdd
--- /dev/null
+++ b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/SecurityConfigurerAdapter.java
@@ -0,0 +1,4 @@
+package org.springframework.security.config.annotation;
+
+public abstract class SecurityConfigurerAdapter>
+ implements SecurityConfigurer {}
diff --git a/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/web/AbstractRequestMatcherRegistry.java b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/web/AbstractRequestMatcherRegistry.java
new file mode 100644
index 000000000000..70c3fb15b8fd
--- /dev/null
+++ b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/web/AbstractRequestMatcherRegistry.java
@@ -0,0 +1,13 @@
+package org.springframework.security.config.annotation.web;
+
+import org.springframework.security.web.util.matcher.RequestMatcher;
+
+public abstract class AbstractRequestMatcherRegistry {
+ public C anyRequest() {
+ return null;
+ }
+
+ public C requestMatchers(RequestMatcher... requestMatchers) {
+ return null;
+ }
+}
diff --git a/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/web/HttpSecurityBuilder.java b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/web/HttpSecurityBuilder.java
new file mode 100644
index 000000000000..d69f989a1ed3
--- /dev/null
+++ b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/web/HttpSecurityBuilder.java
@@ -0,0 +1,7 @@
+package org.springframework.security.config.annotation.web;
+
+import org.springframework.security.config.annotation.SecurityBuilder;
+import org.springframework.security.web.DefaultSecurityFilterChain;
+
+public interface HttpSecurityBuilder> extends
+ SecurityBuilder {}
diff --git a/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/web/builders/HttpSecurity.java b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/web/builders/HttpSecurity.java
new file mode 100644
index 000000000000..7e4f1dceed44
--- /dev/null
+++ b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/web/builders/HttpSecurity.java
@@ -0,0 +1,43 @@
+package org.springframework.security.config.annotation.web.builders;
+
+import org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder;
+import org.springframework.security.config.annotation.SecurityBuilder;
+import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
+import org.springframework.security.web.DefaultSecurityFilterChain;
+import org.springframework.security.web.util.matcher.RequestMatcher;
+import org.springframework.security.config.Customizer;
+import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
+import org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry;
+
+public final class HttpSecurity extends AbstractConfiguredSecurityBuilder
+ implements SecurityBuilder, HttpSecurityBuilder {
+
+ public HttpSecurity requestMatcher(RequestMatcher requestMatcher) {
+ return this;
+ }
+
+ public HttpSecurity authorizeRequests(
+ Customizer.ExpressionInterceptUrlRegistry> authorizeRequestsCustomizer)
+ throws Exception {
+ return this;
+ }
+
+ public ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry authorizeRequests()
+ throws Exception {
+ return null;
+ }
+
+ public HttpSecurity requestMatchers(Customizer requestMatcherCustomizer) {
+ return this;
+ }
+
+ public RequestMatcherConfigurer requestMatchers() {
+ return null;
+ }
+
+ public final class MvcMatchersRequestMatcherConfigurer extends RequestMatcherConfigurer {
+ }
+
+ public class RequestMatcherConfigurer extends AbstractRequestMatcherRegistry {
+ }
+}
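Review bot: Neither this HttpSecurity stub nor the AbstractRequestMatcherRegistry stub it builds on offers a path-based matcher (`antMatcher`/`mvcMatcher` on HttpSecurity, `antMatchers`/`mvcMatchers` on the registry), so the tests can only exercise configurations that select the actuators through `EndpointRequest`. A configuration such as `http.antMatcher("/actuator/**").authorizeRequests().anyRequest().permitAll()` or `requests.antMatchers("/actuator/**").permitAll()` leaves the same endpoints unauthenticated without ever referencing `EndpointRequest`, and whether the query handles that form cannot be judged from this chunk because the `.ql` is not part of it. Adding `public HttpSecurity antMatcher(String pattern) { return this; }` here and `public C antMatchers(String... patterns) { return null; }` to the registry stub, with a test case that either expects or deliberately omits an alert, would pin the intended scope either way.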
diff --git a/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/web/configurers/AbstractConfigAttributeRequestMatcherRegistry.java b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/web/configurers/AbstractConfigAttributeRequestMatcherRegistry.java
new file mode 100644
index 000000000000..b6e75cafadbf
--- /dev/null
+++ b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/web/configurers/AbstractConfigAttributeRequestMatcherRegistry.java
@@ -0,0 +1,6 @@
+package org.springframework.security.config.annotation.web.configurers;
+
+import org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry;
+
+public abstract class AbstractConfigAttributeRequestMatcherRegistry extends
+ AbstractRequestMatcherRegistry {}
diff --git a/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/web/configurers/AbstractHttpConfigurer.java b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/web/configurers/AbstractHttpConfigurer.java
new file mode 100644
index 000000000000..7a1b56d5f3fc
--- /dev/null
+++ b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/web/configurers/AbstractHttpConfigurer.java
@@ -0,0 +1,8 @@
+package org.springframework.security.config.annotation.web.configurers;
+
+import org.springframework.security.config.annotation.SecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
+import org.springframework.security.web.DefaultSecurityFilterChain;
+
+public abstract class AbstractHttpConfigurer, B extends HttpSecurityBuilder>
+ extends SecurityConfigurerAdapter {}
diff --git a/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/web/configurers/AbstractInterceptUrlConfigurer.java b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/web/configurers/AbstractInterceptUrlConfigurer.java
new file mode 100644
index 000000000000..c5c56d567098
--- /dev/null
+++ b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/web/configurers/AbstractInterceptUrlConfigurer.java
@@ -0,0 +1,10 @@
+package org.springframework.security.config.annotation.web.configurers;
+
+import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
+
+abstract class AbstractInterceptUrlConfigurer, H extends HttpSecurityBuilder>
+ extends AbstractHttpConfigurer {
+ abstract class AbstractInterceptUrlRegistry, T>
+ extends AbstractConfigAttributeRequestMatcherRegistry {
+ }
+}
diff --git a/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/web/configurers/ExpressionUrlAuthorizationConfigurer.java b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/web/configurers/ExpressionUrlAuthorizationConfigurer.java
new file mode 100644
index 000000000000..012997dc5024
--- /dev/null
+++ b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/config/annotation/web/configurers/ExpressionUrlAuthorizationConfigurer.java
@@ -0,0 +1,16 @@
+package org.springframework.security.config.annotation.web.configurers;
+
+import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
+
+public final class ExpressionUrlAuthorizationConfigurer>
+ extends AbstractInterceptUrlConfigurer, H> {
+ public class ExpressionInterceptUrlRegistry extends
+ ExpressionUrlAuthorizationConfigurer.AbstractInterceptUrlRegistry {
+ }
+
+ public class AuthorizedUrl {
+ public ExpressionInterceptUrlRegistry permitAll() {
+ return null;
+ }
+ }
+}
diff --git a/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/web/DefaultSecurityFilterChain.java b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/web/DefaultSecurityFilterChain.java
new file mode 100644
index 000000000000..fbd1ff753e69
--- /dev/null
+++ b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/web/DefaultSecurityFilterChain.java
@@ -0,0 +1,3 @@
+package org.springframework.security.web;
+
+public final class DefaultSecurityFilterChain implements SecurityFilterChain {}
diff --git a/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/web/SecurityFilterChain.java b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/web/SecurityFilterChain.java
new file mode 100644
index 000000000000..4ecef359d1a0
--- /dev/null
+++ b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/web/SecurityFilterChain.java
@@ -0,0 +1,3 @@
+package org.springframework.security.web;
+
+public interface SecurityFilterChain {}
diff --git a/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/web/util/matcher/RequestMatcher.java b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/web/util/matcher/RequestMatcher.java
new file mode 100644
index 000000000000..05d7a2552dbc
--- /dev/null
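Review bot: `AuthorizedUrl` in this stub declares only `permitAll()`, so nothing in the test suite can exercise `anonymous()`, which the real Spring Security `AuthorizedUrl` also provides and which admits unauthenticated callers to the matched actuator endpoints just as `permitAll()` does (the same goes for `not().authenticated()`). All seven expected results are `permitAll(...)` calls, which is consistent with the query matching only that method, though the `.ql` is not in this chunk and this is inferred. I would add `public ExpressionInterceptUrlRegistry anonymous() { return null; }` next to `permitAll()` and a test case of the form `requests.anyRequest().anonymous()` under `EndpointRequest.toAnyEndpoint()` so the query's behaviour on it is pinned rather than unspecified.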
+++ b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/security/web/util/matcher/RequestMatcher.java
@@ -0,0 +1,3 @@
+package org.springframework.security.web.util.matcher;
+
+public interface RequestMatcher {}
diff --git a/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/web/context/WebApplicationContext.java b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/web/context/WebApplicationContext.java
new file mode 100644
index 000000000000..16b5d13fd6ef
--- /dev/null
+++ b/java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/web/context/WebApplicationContext.java
@@ -0,0 +1,5 @@
+package org.springframework.web.context;
+
+import org.springframework.context.ApplicationContext;
+
+public interface WebApplicationContext extends ApplicationContext {}
From 639aa826eaeacc82500357ace7141aba26d09a8d Mon Sep 17 00:00:00 2001 From: Grzegorz Golawski Date: Mon, 27 Apr 2020 23:26:59 +0200 Subject: [PATCH 6/6] Remove qlpack.yml as these are not needed --- java/ql/src/experimental/qlpack.yml | 3 --- java/ql/test/experimental/qlpack.yml | 4 ---- .../query-tests/security/CWE-016/SpringBootActuators.qlref | 2 +- 3 files changed, 1 insertion(+), 8 deletions(-) delete mode 100644 java/ql/src/experimental/qlpack.yml delete mode 100644 java/ql/test/experimental/qlpack.yml
diff --git a/java/ql/src/experimental/qlpack.yml b/java/ql/src/experimental/qlpack.yml
deleted file mode 100644
index 090a3e8359bc..000000000000
--- a/java/ql/src/experimental/qlpack.yml
+++ /dev/null
@@ -1,3 +0,0 @@
-name: codeql-java-experimental
-version: 0.0.0
-libraryPathDependencies: codeql-java
diff --git a/java/ql/test/experimental/qlpack.yml b/java/ql/test/experimental/qlpack.yml
deleted file mode 100644
index 4b7a7635a6c7..000000000000
--- a/java/ql/test/experimental/qlpack.yml
+++ /dev/null
@@ -1,4 +0,0 @@
-name: codeql-java-experimental-tests
-version: 0.0.0
-libraryPathDependencies: codeql-java-experimental
-extractor: java
diff --git a/java/ql/test/experimental/query-tests/security/CWE-016/SpringBootActuators.qlref b/java/ql/test/experimental/query-tests/security/CWE-016/SpringBootActuators.qlref
index abd5f2a75991..ec49ecd718c2 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-016/SpringBootActuators.qlref
+++ b/java/ql/test/experimental/query-tests/security/CWE-016/SpringBootActuators.qlref
@@ -1 +1 @@
-Security/CWE/CWE-016/SpringBootActuators.ql
+experimental/Security/CWE/CWE-016/SpringBootActuators.ql