diff --git a/java/ql/integration-tests/java/query-suite/java-code-scanning.qls.expected b/java/ql/integration-tests/java/query-suite/java-code-scanning.qls.expected index 3290e0d84b0e..afa6cebba311 100644 --- a/java/ql/integration-tests/java/query-suite/java-code-scanning.qls.expected +++ b/java/ql/integration-tests/java/query-suite/java-code-scanning.qls.expected @@ -27,6 +27,7 @@ ql/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql ql/java/ql/src/Security/CWE/CWE-1204/StaticInitializationVector.ql ql/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatString.ql ql/java/ql/src/Security/CWE/CWE-200/SpringBootActuators.ql +ql/java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/SpringBootActuatorsConfig.ql ql/java/ql/src/Security/CWE/CWE-209/SensitiveDataExposureThroughErrorMessage.ql ql/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql ql/java/ql/src/Security/CWE/CWE-266/IntentUriPermissionManipulation.ql diff --git a/java/ql/integration-tests/java/query-suite/java-security-and-quality.qls.expected b/java/ql/integration-tests/java/query-suite/java-security-and-quality.qls.expected index f4317f8e2a5c..f5470c463c30 100644 --- a/java/ql/integration-tests/java/query-suite/java-security-and-quality.qls.expected +++ b/java/ql/integration-tests/java/query-suite/java-security-and-quality.qls.expected @@ -143,6 +143,7 @@ ql/java/ql/src/Security/CWE/CWE-200/AndroidSensitiveTextField.ql ql/java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsAllowsContentAccess.ql ql/java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsFileAccess.ql ql/java/ql/src/Security/CWE/CWE-200/SpringBootActuators.ql +ql/java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/SpringBootActuatorsConfig.ql ql/java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosure.ql ql/java/ql/src/Security/CWE/CWE-209/SensitiveDataExposureThroughErrorMessage.ql ql/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql diff --git a/java/ql/integration-tests/java/query-suite/java-security-extended.qls.expected b/java/ql/integration-tests/java/query-suite/java-security-extended.qls.expected index 209777cf4d98..a3ebc029d287 100644 --- a/java/ql/integration-tests/java/query-suite/java-security-extended.qls.expected +++ b/java/ql/integration-tests/java/query-suite/java-security-extended.qls.expected @@ -46,6 +46,7 @@ ql/java/ql/src/Security/CWE/CWE-200/AndroidSensitiveTextField.ql ql/java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsAllowsContentAccess.ql ql/java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsFileAccess.ql ql/java/ql/src/Security/CWE/CWE-200/SpringBootActuators.ql +ql/java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/SpringBootActuatorsConfig.ql ql/java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosure.ql ql/java/ql/src/Security/CWE/CWE-209/SensitiveDataExposureThroughErrorMessage.ql ql/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql diff --git a/java/ql/integration-tests/java/query-suite/not_included_in_qls.expected b/java/ql/integration-tests/java/query-suite/not_included_in_qls.expected index 1f58e51ad800..304c03873234 100644 --- a/java/ql/integration-tests/java/query-suite/not_included_in_qls.expected +++ b/java/ql/integration-tests/java/query-suite/not_included_in_qls.expected @@ -196,7 +196,6 @@ ql/java/ql/src/Violations of Best Practice/legacy/ParameterAssignment.ql ql/java/ql/src/Violations of Best Practice/legacy/UnnecessaryCast.ql ql/java/ql/src/Violations of Best Practice/legacy/UnnecessaryImport.ql ql/java/ql/src/definitions.ql -ql/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql ql/java/ql/src/experimental/Security/CWE/CWE-020/Log4jJndiInjection.ql ql/java/ql/src/experimental/Security/CWE/CWE-036/OpenStream.ql ql/java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql diff --git a/java/ql/lib/semmle/code/configfiles/ConfigFiles.qll b/java/ql/lib/semmle/code/configfiles/ConfigFiles.qll index 0c69f45c56fa..1655ed2d6484 100644 --- a/java/ql/lib/semmle/code/configfiles/ConfigFiles.qll +++ b/java/ql/lib/semmle/code/configfiles/ConfigFiles.qll @@ -70,7 +70,12 @@ class ConfigValue extends @configValue, ConfigLocatable { override string toString() { result = this.getValue() } } +/** A `.properties` file. */ +class PropertiesFile extends File { + PropertiesFile() { this.getExtension() = "properties" } +} + /** A Java property is a name-value pair in a `.properties` file. */ class JavaProperty extends ConfigPair { - JavaProperty() { this.getFile().getExtension() = "properties" } + JavaProperty() { this.getFile() instanceof PropertiesFile } } diff --git a/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll b/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll new file mode 100644 index 000000000000..163cd46d5d86 --- /dev/null +++ b/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll @@ -0,0 +1,128 @@ +/** Provides classes and predicates to reason about Spring Boot actuators exposed in configuration files. */ +overlay[local?] +module; + +import java +private import semmle.code.configfiles.ConfigFiles +private import semmle.code.xml.MavenPom + +/** The parent node of the `org.springframework.boot` group. */ +private class SpringBootParent extends Parent { + SpringBootParent() { this.getGroup().getValue() = "org.springframework.boot" } +} + +/** A `Pom` with a Spring Boot parent node. */ +private class SpringBootPom extends Pom { + SpringBootPom() { this.getParentElement() instanceof SpringBootParent } + + /** Holds if the Spring Boot Security module is used in the project. */ + predicate isSpringBootSecurityUsed() { + this.getADependency().getArtifact().getValue() = "spring-boot-starter-security" + } +} + +/** A dependency with artifactId `spring-boot-starter-actuator`. */ +class SpringBootStarterActuatorDependency extends Dependency { + SpringBootStarterActuatorDependency() { + this.getArtifact().getValue() = "spring-boot-starter-actuator" + } +} + +/** The Spring Boot configuration property `management.security.enabled`. */ +private class ManagementSecurityEnabledProperty extends JavaProperty { + ManagementSecurityEnabledProperty() { + this.getNameElement().getName() = "management.security.enabled" + } + + /** Gets the whitespace-trimmed value of this property. */ + string getValue() { result = this.getValueElement().getValue().trim() } + + /** Holds if `management.security.enabled` is set to `false`. */ + predicate hasSecurityDisabled() { this.getValue() = "false" } +} + +/** + * The Spring Boot configuration property `management.endpoints.web.exposure.include` + * or `management.endpoints.web.expose`. + */ +private class ManagementEndpointsExposeProperty extends JavaProperty { + ManagementEndpointsExposeProperty() { + this.getNameElement().getName() = "management.endpoints.web." + ["exposure.include", "expose"] + } + + /** Gets the whitespace-trimmed value of this property. */ + string getValue() { result = this.getValueElement().getValue().trim() } +} + +private newtype TOption = + TNone() or + TSome(JavaProperty jp) + +/** + * An option type that is either a singleton `None` or a `Some` wrapping + * the `JavaProperty` type. + */ +class JavaPropertyOption extends TOption { + /** Gets a textual representation of this element. */ + string toString() { + this = TNone() and result = "(none)" + or + result = this.asSome().toString() + } + + /** Gets the location of this element. */ + Location getLocation() { result = this.asSome().getLocation() } + + /** Gets the wrapped element, if any. */ + JavaProperty asSome() { this = TSome(result) } + + /** Holds if this option is the singleton `None`. */ + predicate isNone() { this = TNone() } +} + +/** + * Holds if `JavaPropertyOption` jpOption of a repository using `SpringBootStarterActuatorDependency` + * d exposes sensitive Spring Boot Actuator endpoints. + */ +predicate exposesSensitiveEndpoint( + SpringBootStarterActuatorDependency d, JavaPropertyOption jpOption +) { + exists(PropertiesFile propFile, SpringBootPom pom | + d = pom.getADependency() and + not pom.isSpringBootSecurityUsed() and + propFile + .getParentContainer() + .getAbsolutePath() + .matches(pom.getFile().getParentContainer().getAbsolutePath() + "%") and // in the same sub-directory + exists(string springBootVersion | + springBootVersion = pom.getParentElement().getVersionString() + | + springBootVersion.regexpMatch("1\\.[0-4].*") and // version 1.0, 1.1, ..., 1.4 + not exists(ManagementSecurityEnabledProperty ep | ep.getFile() = propFile) and + jpOption.isNone() + or + springBootVersion.regexpMatch("1\\.[0-5].*") and // version 1.0, 1.1, ..., 1.5 + exists(ManagementSecurityEnabledProperty ep | + ep.hasSecurityDisabled() and ep.getFile() = propFile and ep = jpOption.asSome() + ) + or + springBootVersion.matches(["2.%", "3.%"]) and //version 2.x and 3.x + exists(ManagementEndpointsExposeProperty ep | + ep.getFile() = propFile and + ep = jpOption.asSome() and + ( + // all endpoints are exposed + ep.getValue() = "*" + or + // version 2.x: exposes health and info only by default + springBootVersion.matches("2.%") and + not ep.getValue() = ["health", "info"] + or + // version 3.x: exposes health only by default + springBootVersion.matches("3.%") and + not ep.getValue() = "health" + ) + ) + ) + ) +} diff --git a/java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/SpringBootActuatorsConfig.qhelp b/java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/SpringBootActuatorsConfig.qhelp new file mode 100644 index 000000000000..d3e79e88ed75 --- /dev/null +++ b/java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/SpringBootActuatorsConfig.qhelp @@ -0,0 +1,39 @@ + + + +

Spring Boot includes features called actuators that let you monitor and interact with your web + application. Exposing unprotected actuator endpoints through configuration files can lead to + information disclosure or even to remote code execution.

+ + + +

Since actuator endpoints may contain sensitive information, carefully consider when to expose them, + and secure them as you would any sensitive URL. If you need to expose actuator endpoints, use Spring + Security, which secures actuators by default, or define a custom security configuration. +

+ + + +

The following examples show application.properties configurations that expose sensitive + actuator endpoints.

+ + +

The below configurations ensure that sensitive actuator endpoints are not exposed.

+ + +

To use Spring Security, which secures actuators by default, add the spring-boot-starter-security + dependency in your Maven pom.xml file.

+ + + + +
  • + Spring Boot Reference Documentation: + Endpoints. +
    • +
  • + HackerOne Report: + Spring Actuator endpoints publicly available, leading to account takeover +
    • +     +     diff --git a/java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/SpringBootActuatorsConfig.ql b/java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/SpringBootActuatorsConfig.ql new file mode 100644 index 000000000000..562298257a7d --- /dev/null +++ b/java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/SpringBootActuatorsConfig.ql @@ -0,0 +1,20 @@ +/** + * @name Exposed Spring Boot actuators in configuration file + * @description Exposing Spring Boot actuators through configuration files may lead to information leak from + * the internal application, or even to remote code execution. + * @kind problem + * @problem.severity error + * @security-severity 6.5 + * @precision high + * @id java/spring-boot-exposed-actuators-config + * @tags security + * external/cwe/cwe-200 + */ + +import java +import semmle.code.xml.MavenPom +import semmle.code.java.security.SpringBootActuatorsConfigQuery + +from SpringBootStarterActuatorDependency d, JavaPropertyOption jpOption +where exposesSensitiveEndpoint(d, jpOption) +select d, "Insecure Spring Boot actuator $@ exposes sensitive endpoints.", jpOption, "configuration" diff --git a/java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/application_bad.properties b/java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/application_bad.properties new file mode 100644 index 000000000000..ccf1cb678813 --- /dev/null +++ b/java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/application_bad.properties @@ -0,0 +1,10 @@ +# vulnerable configuration (Spring Boot 1.0 - 1.4): exposes endpoints by default + +# vulnerable configuration (Spring Boot 1.5): false value exposes endpoints +management.security.enabled=false + +# vulnerable configuration (Spring Boot 2.x): exposes all endpoints +management.endpoints.web.exposure.include=* + +# vulnerable configuration (Spring Boot 3.x): exposes all endpoints +management.endpoints.web.exposure.include=* diff --git a/java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/application_good.properties b/java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/application_good.properties new file mode 100644 index 000000000000..1af2b7b0228a --- /dev/null +++ b/java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/application_good.properties @@ -0,0 +1,11 @@ +# safe configuration (Spring Boot 1.0 - 1.4) +management.security.enabled=true + +# safe configuration (Spring Boot 1.5+) +management.security.enabled=true + +# safe configuration (Spring Boot 2.x): exposes health and info only by default +management.endpoints.web.exposure.include=health,info + +# safe configuration (Spring Boot 3.x): exposes health only by default +management.endpoints.web.exposure.include=health diff --git a/java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/pom_good.xml b/java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/pom_good.xml new file mode 100644 index 000000000000..32fad44591e5 --- /dev/null +++ b/java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/pom_good.xml @@ -0,0 +1,12 @@ +... + + org.springframework.boot + spring-boot-starter-actuator + + + + + org.springframework.boot + spring-boot-starter-security + +... diff --git a/java/ql/src/change-notes/2025-07-17-spring-actuators-config-promo.md b/java/ql/src/change-notes/2025-07-17-spring-actuators-config-promo.md new file mode 100644 index 000000000000..ec53c015fff0 --- /dev/null +++ b/java/ql/src/change-notes/2025-07-17-spring-actuators-config-promo.md @@ -0,0 +1,4 @@ +--- +category: newQuery +--- +* The query `java/insecure-spring-actuator-config` has been promoted from experimental to the main query pack as `java/spring-boot-exposed-actuators-config`. Its results will now appear by default. This query was originally submitted as an experimental query [by @luchua-bc](https://github.com/github/codeql/pull/5384). diff --git a/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.qhelp b/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.qhelp deleted file mode 100644 index e201156728a4..000000000000 --- a/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.qhelp +++ /dev/null @@ -1,47 +0,0 @@ - - - -

    Spring Boot is a popular framework that facilitates the development of stand-alone applications -and micro services. Spring Boot Actuator helps to expose production-ready support features against -Spring Boot applications.

    - -

    Endpoints of Spring Boot Actuator allow to monitor and interact with a Spring Boot application. -Exposing unprotected actuator endpoints through configuration files can lead to information disclosure -or even remote code execution vulnerability.

    - -

    Rather than programmatically permitting endpoint requests or enforcing access control, frequently -developers simply leave management endpoints publicly accessible in the application configuration file -application.properties without enforcing access control through Spring Security.

    -     - - -

    Declare the Spring Boot Starter Security module in XML configuration or programmatically enforce -security checks on management endpoints using Spring Security. Otherwise accessing management endpoints -on a different HTTP port other than the port that the web application is listening on also helps to -improve the security.

    -     - - -

    The following examples show both 'BAD' and 'GOOD' configurations. In the 'BAD' configuration, -no security module is declared and sensitive management endpoints are exposed. In the 'GOOD' configuration, -security is enforced and only endpoints requiring exposure are exposed.

    - - - -     - - -
  • - Spring Boot documentation: - Spring Boot Actuator: Production-ready Features -
    • -
  • - VERACODE Blog: - Exploiting Spring Boot Actuators -
    • -
  • - HackerOne Report: - Spring Actuator endpoints publicly available, leading to account takeover -
    • -     -     diff --git a/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql b/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql deleted file mode 100644 index b21aa82e8baf..000000000000 --- a/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql +++ /dev/null @@ -1,121 +0,0 @@ -/** - * @name Insecure Spring Boot Actuator Configuration - * @description Exposed Spring Boot Actuator through configuration files without declarative or procedural - * security enforcement leads to information leak or even remote code execution. - * @kind problem - * @problem.severity error - * @precision high - * @id java/insecure-spring-actuator-config - * @tags security - * experimental - * external/cwe/cwe-016 - */ - -/* - * Note this query requires properties files to be indexed before it can produce results. - * If creating your own database with the CodeQL CLI, you should run - * `codeql database index-files --language=properties ...` - * If using lgtm.com, you should add `properties_files: true` to the index block of your - * lgtm.yml file (see https://lgtm.com/help/lgtm/java-extraction) - */ - -import java -import semmle.code.configfiles.ConfigFiles -import semmle.code.xml.MavenPom - -/** The parent node of the `org.springframework.boot` group. */ -class SpringBootParent extends Parent { - SpringBootParent() { this.getGroup().getValue() = "org.springframework.boot" } -} - -/** Class of Spring Boot dependencies. */ -class SpringBootPom extends Pom { - SpringBootPom() { this.getParentElement() instanceof SpringBootParent } - - /** Holds if the Spring Boot Actuator module `spring-boot-starter-actuator` is used in the project. */ - predicate isSpringBootActuatorUsed() { - this.getADependency().getArtifact().getValue() = "spring-boot-starter-actuator" - } - - /** - * Holds if the Spring Boot Security module is used in the project, which brings in other security - * related libraries. - */ - predicate isSpringBootSecurityUsed() { - this.getADependency().getArtifact().getValue() = "spring-boot-starter-security" - } -} - -/** The properties file `application.properties`. */ -class ApplicationProperties extends ConfigPair { - ApplicationProperties() { this.getFile().getBaseName() = "application.properties" } -} - -/** The configuration property `management.security.enabled`. */ -class ManagementSecurityConfig extends ApplicationProperties { - ManagementSecurityConfig() { this.getNameElement().getName() = "management.security.enabled" } - - /** Gets the whitespace-trimmed value of this property. */ - string getValue() { result = this.getValueElement().getValue().trim() } - - /** Holds if `management.security.enabled` is set to `false`. */ - predicate hasSecurityDisabled() { this.getValue() = "false" } - - /** Holds if `management.security.enabled` is set to `true`. */ - predicate hasSecurityEnabled() { this.getValue() = "true" } -} - -/** The configuration property `management.endpoints.web.exposure.include`. */ -class ManagementEndPointInclude extends ApplicationProperties { - ManagementEndPointInclude() { - this.getNameElement().getName() = "management.endpoints.web.exposure.include" - } - - /** Gets the whitespace-trimmed value of this property. */ - string getValue() { result = this.getValueElement().getValue().trim() } -} - -/** - * Holds if `ApplicationProperties` ap of a repository managed by `SpringBootPom` pom - * has a vulnerable configuration of Spring Boot Actuator management endpoints. - */ -predicate hasConfidentialEndPointExposed(SpringBootPom pom, ApplicationProperties ap) { - pom.isSpringBootActuatorUsed() and - not pom.isSpringBootSecurityUsed() and - ap.getFile() - .getParentContainer() - .getAbsolutePath() - .matches(pom.getFile().getParentContainer().getAbsolutePath() + "%") and // in the same sub-directory - exists(string springBootVersion | springBootVersion = pom.getParentElement().getVersionString() | - springBootVersion.regexpMatch("1\\.[0-4].*") and // version 1.0, 1.1, ..., 1.4 - not exists(ManagementSecurityConfig me | - me.hasSecurityEnabled() and me.getFile() = ap.getFile() - ) - or - springBootVersion.matches("1.5%") and // version 1.5 - exists(ManagementSecurityConfig me | me.hasSecurityDisabled() and me.getFile() = ap.getFile()) - or - springBootVersion.matches("2.%") and //version 2.x - exists(ManagementEndPointInclude mi | - mi.getFile() = ap.getFile() and - ( - mi.getValue() = "*" // all endpoints are enabled - or - mi.getValue() - .matches([ - "%dump%", "%trace%", "%logfile%", "%shutdown%", "%startup%", "%mappings%", "%env%", - "%beans%", "%sessions%" - ]) // confidential endpoints to check although all endpoints apart from '/health' and '/info' are considered sensitive by Spring - ) - ) - ) -} - -deprecated query predicate problems(Dependency d, string message) { - exists(SpringBootPom pom | - hasConfidentialEndPointExposed(pom, _) and - d = pom.getADependency() and - d.getArtifact().getValue() = "spring-boot-starter-actuator" - ) and - message = "Insecure configuration of Spring Boot Actuator exposes sensitive endpoints." -} diff --git a/java/ql/src/experimental/Security/CWE/CWE-016/application.properties b/java/ql/src/experimental/Security/CWE/CWE-016/application.properties deleted file mode 100644 index 4f5defdd948e..000000000000 --- a/java/ql/src/experimental/Security/CWE/CWE-016/application.properties +++ /dev/null @@ -1,22 +0,0 @@ -#management.endpoints.web.base-path=/admin - - -#### BAD: All management endpoints are accessible #### -# vulnerable configuration (spring boot 1.0 - 1.4): exposes actuators by default - -# vulnerable configuration (spring boot 1.5+): requires value false to expose sensitive actuators -management.security.enabled=false - -# vulnerable configuration (spring boot 2+): exposes health and info only by default, here overridden to expose everything -management.endpoints.web.exposure.include=* - - -#### GOOD: All management endpoints have access control #### -# safe configuration (spring boot 1.0 - 1.4): exposes actuators by default -management.security.enabled=true - -# safe configuration (spring boot 1.5+): requires value false to expose sensitive actuators -management.security.enabled=true - -# safe configuration (spring boot 2+): exposes health and info only by default, here overridden to expose one additional endpoint which we assume is intentional and safe. -management.endpoints.web.exposure.include=beans,info,health diff --git a/java/ql/test/experimental/query-tests/security/CWE-016/InsecureSpringActuatorConfig.expected b/java/ql/test/experimental/query-tests/security/CWE-016/InsecureSpringActuatorConfig.expected deleted file mode 100644 index 486302939857..000000000000 --- a/java/ql/test/experimental/query-tests/security/CWE-016/InsecureSpringActuatorConfig.expected +++ /dev/null @@ -1 +0,0 @@ -| pom.xml:29:9:32:22 | dependency | Insecure configuration of Spring Boot Actuator exposes sensitive endpoints. | diff --git a/java/ql/test/experimental/query-tests/security/CWE-016/InsecureSpringActuatorConfig.qlref b/java/ql/test/experimental/query-tests/security/CWE-016/InsecureSpringActuatorConfig.qlref deleted file mode 100644 index 9cd12d5e4fb1..000000000000 --- a/java/ql/test/experimental/query-tests/security/CWE-016/InsecureSpringActuatorConfig.qlref +++ /dev/null @@ -1 +0,0 @@ -experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql \ No newline at end of file diff --git a/java/ql/test/experimental/query-tests/security/CWE-016/SensitiveInfo.java b/java/ql/test/experimental/query-tests/security/CWE-016/SensitiveInfo.java deleted file mode 100644 index a3ff69c1b817..000000000000 --- a/java/ql/test/experimental/query-tests/security/CWE-016/SensitiveInfo.java +++ /dev/null @@ -1,13 +0,0 @@ -import org.springframework.stereotype.Controller; -import org.springframework.web.bind.annotation.RequestParam; -import org.springframework.web.bind.annotation.RequestMapping; - -@Controller -public class SensitiveInfo { - @RequestMapping - public void handleLogin(@RequestParam String username, @RequestParam String password) throws Exception { - if (!username.equals("") && password.equals("")) { - //Blank processing - } - } -} \ No newline at end of file diff --git a/java/ql/test/experimental/query-tests/security/CWE-016/application.properties b/java/ql/test/experimental/query-tests/security/CWE-016/application.properties deleted file mode 100644 index 797906a3ca3b..000000000000 --- a/java/ql/test/experimental/query-tests/security/CWE-016/application.properties +++ /dev/null @@ -1,14 +0,0 @@ -#management.endpoints.web.base-path=/admin - -# vulnerable configuration (spring boot 1.0 - 1.4): exposes actuators by default - -# vulnerable configuration (spring boot 1.5+): requires value false to expose sensitive actuators -management.security.enabled=false - -# vulnerable configuration (spring boot 2+): exposes health and info only by default, here overridden to expose everything -management.endpoints.web.exposure.include=* -management.endpoints.web.exposure.exclude=beans - -management.endpoint.shutdown.enabled=true - -management.endpoint.health.show-details=when_authorized \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/SpringBootActuatorsConfig.expected b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/SpringBootActuatorsConfig.expected new file mode 100644 index 000000000000..8845d970df2a --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/SpringBootActuatorsConfig.expected @@ -0,0 +1,8 @@ +| Version1.0.x-1.4.x/bad/default/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints. | file://:0:0:0:0 | (none) | configuration | +| Version1.0.x-1.4.x/bad/false/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints. | Version1.0.x-1.4.x/bad/false/application.properties:2:1:2:33 | management.security.enabled=false | configuration | +| Version1.5.x/bad/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints. | Version1.5.x/bad/application.properties:2:1:2:33 | management.security.enabled=false | configuration | +| Version2.x/bad/expose/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints. | Version2.x/bad/expose/application.properties:2:1:2:33 | management.endpoints.web.expose=* | configuration | +| Version2.x/bad/exposure-include/all-exposed/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints. | Version2.x/bad/exposure-include/all-exposed/application.properties:2:1:2:43 | management.endpoints.web.exposure.include=* | configuration | +| Version2.x/bad/exposure-include/some-exposed/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints. | Version2.x/bad/exposure-include/some-exposed/application.properties:2:1:2:59 | management.endpoints.web.exposure.include=health,info,beans | configuration | +| Version3.x/bad/all-exposed/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints. | Version3.x/bad/all-exposed/application.properties:2:1:2:43 | management.endpoints.web.exposure.include=* | configuration | +| Version3.x/bad/some-exposed/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints. | Version3.x/bad/some-exposed/application.properties:2:1:2:59 | management.endpoints.web.exposure.include=health,info,beans | configuration | diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/SpringBootActuatorsConfig.qlref b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/SpringBootActuatorsConfig.qlref new file mode 100644 index 000000000000..eec8ba18ae18 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/SpringBootActuatorsConfig.qlref @@ -0,0 +1,2 @@ +query: Security/CWE/CWE-200/SpringBootActuatorsConfig/SpringBootActuatorsConfig.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.0.x-1.4.x/bad/default/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.0.x-1.4.x/bad/default/application.properties new file mode 100644 index 000000000000..a41bbc9fdca3 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.0.x-1.4.x/bad/default/application.properties @@ -0,0 +1 @@ +# vulnerable configuration (spring boot 1.0 - 1.4): exposes actuators by default \ No newline at end of file diff --git a/java/ql/src/experimental/Security/CWE/CWE-016/pom_bad.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.0.x-1.4.x/bad/default/pom.xml similarity index 93% rename from java/ql/src/experimental/Security/CWE/CWE-016/pom_bad.xml rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.0.x-1.4.x/bad/default/pom.xml index 9dd5c9c188b4..83c7d2685f37 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-016/pom_bad.xml +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.0.x-1.4.x/bad/default/pom.xml @@ -17,7 +17,7 @@ org.springframework.boot spring-boot-starter-parent - 2.3.8.RELEASE + 1.2.6.RELEASE @@ -29,18 +29,15 @@ org.springframework.boot spring-boot-starter-actuator - + org.springframework.boot spring-boot-devtools - - - org.springframework.boot spring-boot-test diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.0.x-1.4.x/bad/false/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.0.x-1.4.x/bad/false/application.properties new file mode 100644 index 000000000000..621b859214cb --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.0.x-1.4.x/bad/false/application.properties @@ -0,0 +1,2 @@ +# vulnerable configuration (spring boot 1.0 - 1.4): exposes actuators by default +management.security.enabled=false \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.0.x-1.4.x/bad/false/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.0.x-1.4.x/bad/false/pom.xml new file mode 100644 index 000000000000..83c7d2685f37 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.0.x-1.4.x/bad/false/pom.xml @@ -0,0 +1,47 @@ + + + 4.0.0 + + spring-boot-actuator-app + spring-boot-actuator-app + 1.0-SNAPSHOT + + + UTF-8 + 1.8 + 1.8 + + + + org.springframework.boot + spring-boot-starter-parent + 1.2.6.RELEASE + + + + + + org.springframework.boot + spring-boot-starter-web + + + org.springframework.boot + spring-boot-starter-actuator + + + org.springframework.boot + spring-boot-devtools + + + + org.springframework.boot + spring-boot-test + + + + \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.0.x-1.4.x/good/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.0.x-1.4.x/good/application.properties new file mode 100644 index 000000000000..6cadc4c756d1 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.0.x-1.4.x/good/application.properties @@ -0,0 +1,2 @@ +# safe configuration (spring boot 1.0 - 1.4): exposes actuators by default +management.security.enabled=true \ No newline at end of file diff --git a/java/ql/src/experimental/Security/CWE/CWE-016/pom_good.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.0.x-1.4.x/good/pom.xml similarity index 94% rename from java/ql/src/experimental/Security/CWE/CWE-016/pom_good.xml rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.0.x-1.4.x/good/pom.xml index 89f577f21e59..452d4b69c354 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-016/pom_good.xml +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.0.x-1.4.x/good/pom.xml @@ -17,7 +17,7 @@ org.springframework.boot spring-boot-starter-parent - 2.3.8.RELEASE + 1.2.6.RELEASE @@ -34,13 +34,10 @@ org.springframework.boot spring-boot-devtools - - org.springframework.boot spring-boot-starter-security - org.springframework.boot spring-boot-test diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.5.x/bad/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.5.x/bad/application.properties new file mode 100644 index 000000000000..f1e8f6587d05 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.5.x/bad/application.properties @@ -0,0 +1,2 @@ +# safe configuration (spring boot 1.5+): requires value false to expose sensitive actuators +management.security.enabled=false \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.5.x/bad/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.5.x/bad/pom.xml new file mode 100644 index 000000000000..aa1a4bcaf056 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.5.x/bad/pom.xml @@ -0,0 +1,47 @@ + + + 4.0.0 + + spring-boot-actuator-app + spring-boot-actuator-app + 1.0-SNAPSHOT + + + UTF-8 + 1.8 + 1.8 + + + + org.springframework.boot + spring-boot-starter-parent + 1.5.6.RELEASE + + + + + + org.springframework.boot + spring-boot-starter-web + + + org.springframework.boot + spring-boot-starter-actuator + + + org.springframework.boot + spring-boot-devtools + + + + org.springframework.boot + spring-boot-test + + + + \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.5.x/good/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.5.x/good/application.properties new file mode 100644 index 000000000000..bec45a22b82d --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.5.x/good/application.properties @@ -0,0 +1,2 @@ +# vulnerable configuration (spring boot 1.5+): requires value false to expose sensitive actuators +management.security.enabled=true \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.5.x/good/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.5.x/good/pom.xml new file mode 100644 index 000000000000..39b46bef7e48 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.5.x/good/pom.xml @@ -0,0 +1,47 @@ + + + 4.0.0 + + spring-boot-actuator-app + spring-boot-actuator-app + 1.0-SNAPSHOT + + + UTF-8 + 1.8 + 1.8 + + + + org.springframework.boot + spring-boot-starter-parent + 1.5.6.RELEASE + + + + + + org.springframework.boot + spring-boot-starter-web + + + org.springframework.boot + spring-boot-starter-actuator + + + org.springframework.boot + spring-boot-devtools + + + org.springframework.boot + spring-boot-starter-security + + + org.springframework.boot + spring-boot-test + + + + \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/expose/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/expose/application.properties new file mode 100644 index 000000000000..338b1fb3a9c1 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/expose/application.properties @@ -0,0 +1,2 @@ +# vulnerable configuration (spring boot 2.0.0.RC1): exposes health and info only by default, here overridden to expose everything +management.endpoints.web.expose=* \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/expose/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/expose/pom.xml new file mode 100644 index 000000000000..c22f08d7e7ec --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/expose/pom.xml @@ -0,0 +1,47 @@ + + + 4.0.0 + + spring-boot-actuator-app + spring-boot-actuator-app + 1.0-SNAPSHOT + + + UTF-8 + 1.8 + 1.8 + + + + org.springframework.boot + spring-boot-starter-parent + 2.2.6.RELEASE + + + + + + org.springframework.boot + spring-boot-starter-web + + + org.springframework.boot + spring-boot-starter-actuator + + + org.springframework.boot + spring-boot-devtools + + + + org.springframework.boot + spring-boot-test + + + + \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/exposure-include/all-exposed/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/exposure-include/all-exposed/application.properties new file mode 100644 index 000000000000..bbc1915b05e1 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/exposure-include/all-exposed/application.properties @@ -0,0 +1,2 @@ +# vulnerable configuration (spring boot 2+): exposes health and info only by default, here overridden to expose everything +management.endpoints.web.exposure.include=* \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/exposure-include/all-exposed/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/exposure-include/all-exposed/pom.xml new file mode 100644 index 000000000000..c22f08d7e7ec --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/exposure-include/all-exposed/pom.xml @@ -0,0 +1,47 @@ + + + 4.0.0 + + spring-boot-actuator-app + spring-boot-actuator-app + 1.0-SNAPSHOT + + + UTF-8 + 1.8 + 1.8 + + + + org.springframework.boot + spring-boot-starter-parent + 2.2.6.RELEASE + + + + + + org.springframework.boot + spring-boot-starter-web + + + org.springframework.boot + spring-boot-starter-actuator + + + org.springframework.boot + spring-boot-devtools + + + + org.springframework.boot + spring-boot-test + + + + \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/exposure-include/some-exposed/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/exposure-include/some-exposed/application.properties new file mode 100644 index 000000000000..1f29407c1923 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/exposure-include/some-exposed/application.properties @@ -0,0 +1,2 @@ +# vulnerable configuration (spring boot 2+): exposes health and info only by default, here overridden to also expose beans +management.endpoints.web.exposure.include=health,info,beans \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/exposure-include/some-exposed/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/exposure-include/some-exposed/pom.xml new file mode 100644 index 000000000000..c22f08d7e7ec --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/exposure-include/some-exposed/pom.xml @@ -0,0 +1,47 @@ + + + 4.0.0 + + spring-boot-actuator-app + spring-boot-actuator-app + 1.0-SNAPSHOT + + + UTF-8 + 1.8 + 1.8 + + + + org.springframework.boot + spring-boot-starter-parent + 2.2.6.RELEASE + + + + + + org.springframework.boot + spring-boot-starter-web + + + org.springframework.boot + spring-boot-starter-actuator + + + org.springframework.boot + spring-boot-devtools + + + + org.springframework.boot + spring-boot-test + + + + \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/good/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/good/application.properties new file mode 100644 index 000000000000..f7e0c1b43ac3 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/good/application.properties @@ -0,0 +1,2 @@ +# safe configuration (spring boot 2+): exposes health and info only by default +management.endpoints.web.exposure.include=info,health \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/good/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/good/pom.xml new file mode 100644 index 000000000000..e65ebf04701a --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/good/pom.xml @@ -0,0 +1,47 @@ + + + 4.0.0 + + spring-boot-actuator-app + spring-boot-actuator-app + 1.0-SNAPSHOT + + + UTF-8 + 1.8 + 1.8 + + + + org.springframework.boot + spring-boot-starter-parent + 2.2.6.RELEASE + + + + + + org.springframework.boot + spring-boot-starter-web + + + org.springframework.boot + spring-boot-starter-actuator + + + org.springframework.boot + spring-boot-devtools + + + org.springframework.boot + spring-boot-starter-security + + + org.springframework.boot + spring-boot-test + + + + \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/bad/all-exposed/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/bad/all-exposed/application.properties new file mode 100644 index 000000000000..c5570065bae5 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/bad/all-exposed/application.properties @@ -0,0 +1,2 @@ +# vulnerable configuration (spring boot 3+): exposes health only by default, here overridden to expose everything +management.endpoints.web.exposure.include=* \ No newline at end of file diff --git a/java/ql/test/experimental/query-tests/security/CWE-016/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/bad/all-exposed/pom.xml similarity index 95% rename from java/ql/test/experimental/query-tests/security/CWE-016/pom.xml rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/bad/all-exposed/pom.xml index a9d5fa920c84..12dab1d9421a 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-016/pom.xml +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/bad/all-exposed/pom.xml @@ -17,7 +17,7 @@ org.springframework.boot spring-boot-starter-parent - 2.3.8.RELEASE + 3.3.5 @@ -29,7 +29,7 @@ org.springframework.boot spring-boot-starter-actuator - + org.springframework.boot spring-boot-devtools diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/bad/some-exposed/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/bad/some-exposed/application.properties new file mode 100644 index 000000000000..27d08eac74f6 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/bad/some-exposed/application.properties @@ -0,0 +1,2 @@ +# vulnerable configuration (spring boot 3+): exposes health only by default, here overridden to also expose info and beans +management.endpoints.web.exposure.include=health,info,beans \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/bad/some-exposed/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/bad/some-exposed/pom.xml new file mode 100644 index 000000000000..12dab1d9421a --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/bad/some-exposed/pom.xml @@ -0,0 +1,47 @@ + + + 4.0.0 + + spring-boot-actuator-app + spring-boot-actuator-app + 1.0-SNAPSHOT + + + UTF-8 + 1.8 + 1.8 + + + + org.springframework.boot + spring-boot-starter-parent + 3.3.5 + + + + + + org.springframework.boot + spring-boot-starter-web + + + org.springframework.boot + spring-boot-starter-actuator + + + org.springframework.boot + spring-boot-devtools + + + + org.springframework.boot + spring-boot-test + + + + \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/good/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/good/application.properties new file mode 100644 index 000000000000..8ba56eadc351 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/good/application.properties @@ -0,0 +1,2 @@ +# safe configuration (spring boot 3+): exposes health only by default. +management.endpoints.web.exposure.include=health \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/good/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/good/pom.xml new file mode 100644 index 000000000000..a8103e681e4c --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/good/pom.xml @@ -0,0 +1,47 @@ + + + 4.0.0 + + spring-boot-actuator-app + spring-boot-actuator-app + 1.0-SNAPSHOT + + + UTF-8 + 1.8 + 1.8 + + + + org.springframework.boot + spring-boot-starter-parent + 3.3.5 + + + + + + org.springframework.boot + spring-boot-starter-web + + + org.springframework.boot + spring-boot-starter-actuator + + + org.springframework.boot + spring-boot-devtools + + + org.springframework.boot + spring-boot-starter-security + + + org.springframework.boot + spring-boot-test + + + + \ No newline at end of file diff --git a/java/ql/test/experimental/query-tests/security/CWE-016/options b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/options similarity index 62% rename from java/ql/test/experimental/query-tests/security/CWE-016/options rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/options index 2ce7a4743cd3..ab29fd4e46fa 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-016/options +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/options @@ -1 +1 @@ -//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.8.x +//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../../stubs/springframework-5.8.x