codeql/java/ql/lib/semmle/code/java/security/SpringBootActuatorsQuery.qll at c2e859c756ac3e2370c359cec9051e078d53c6f2 · jcogs33/codeql · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
/** Provides classes and predicates to reason about exposed actuators in Spring Boot. */

import java
private import semmle.code.java.frameworks.spring.SpringSecurity
private import semmle.code.java.frameworks.spring.SpringBoot

/**
 * A call to an `HttpSecurity` matcher method with argument
 * `EndpointRequest.toAnyEndpoint()`.
 */
private class HttpSecurityMatcherCall extends MethodCall {
  HttpSecurityMatcherCall() {
    (
      this instanceof RequestMatcherCall or
      this instanceof SecurityMatcherCall
    ) and
    this.getArgument(0) instanceof ToAnyEndpointCall
  }
}

/**
 * A call to an `HttpSecurity` matchers method with lambda
 * argument `EndpointRequest.toAnyEndpoint()`.
 */
private class HttpSecurityMatchersCall extends MethodCall {
  HttpSecurityMatchersCall() {
    (
      this instanceof RequestMatchersCall or
      this instanceof SecurityMatchersCall
    ) and
    this.getArgument(0).(LambdaExpr).getExprBody() instanceof ToAnyEndpointCall
  }
}

/**
 * A call to an `AbstractRequestMatcherRegistry.requestMatchers` method with
 * argument `EndpointRequest.toAnyEndpoint()`.
 */
private class RegistryRequestMatchersCall extends MethodCall {
  RegistryRequestMatchersCall() {
    this.getMethod().hasName("requestMatchers") and
    this.getMethod().getDeclaringType() instanceof TypeAbstractRequestMatcherRegistry and
    this.getAnArgument() instanceof ToAnyEndpointCall
  }
}

/** A call to an `HttpSecurity` method that authorizes requests. */
private class AuthorizeCall extends MethodCall {
  AuthorizeCall() {
    this instanceof AuthorizeRequestsCall or
    this instanceof AuthorizeHttpRequestsCall
  }
}

/** Holds if `permitAllCall` is called on request(s) mapped to actuator endpoint(s). */
predicate permitsSpringBootActuators(PermitAllCall permitAllCall) {
  exists(AuthorizeCall authorizeCall |
    // .requestMatcher(EndpointRequest).authorizeRequests([...]).[...]
    authorizeCall.getQualifier() instanceof HttpSecurityMatcherCall
    or
    // .requestMatchers(matcher -> EndpointRequest).authorizeRequests([...]).[...]
    authorizeCall.getQualifier() instanceof HttpSecurityMatchersCall
  |
    // [...].authorizeRequests(r -> r.anyRequest().permitAll()) or
    // [...].authorizeRequests(r -> r.requestMatchers(EndpointRequest).permitAll())
    authorizeCall.getArgument(0).(LambdaExpr).getExprBody() = permitAllCall and
    (
      permitAllCall.getQualifier() instanceof AnyRequestCall or
      permitAllCall.getQualifier() instanceof RegistryRequestMatchersCall
    )
    or
    // [...].authorizeRequests().requestMatchers(EndpointRequest).permitAll() or
    // [...].authorizeRequests().anyRequest().permitAll()
    authorizeCall.getNumArgument() = 0 and
    exists(RegistryRequestMatchersCall registryRequestMatchersCall |
      registryRequestMatchersCall.getQualifier() = authorizeCall and
      permitAllCall.getQualifier() = registryRequestMatchersCall
    )
    or
    exists(AnyRequestCall anyRequestCall |
      anyRequestCall.getQualifier() = authorizeCall and
      permitAllCall.getQualifier() = anyRequestCall
    )
  )
  or
  exists(AuthorizeCall authorizeCall |
    // http.authorizeRequests([...]).[...]
    authorizeCall.getQualifier() instanceof VarAccess
  |
    // [...].authorizeRequests(r -> r.requestMatchers(EndpointRequest).permitAll())
    authorizeCall.getArgument(0).(LambdaExpr).getExprBody() = permitAllCall and
    permitAllCall.getQualifier() instanceof RegistryRequestMatchersCall
    or
    // [...].authorizeRequests().requestMatchers(EndpointRequest).permitAll() or
    authorizeCall.getNumArgument() = 0 and
    exists(RegistryRequestMatchersCall registryRequestMatchersCall |
      registryRequestMatchersCall.getQualifier() = authorizeCall and
      permitAllCall.getQualifier() = registryRequestMatchersCall
    )
    or
    exists(Variable v, HttpSecurityMatcherCall matcherCall |
      // http.securityMatcher(EndpointRequest.toAnyEndpoint());
      // http.authorizeRequests([...].permitAll())
      v.getAnAccess() = authorizeCall.getQualifier() and
      v.getAnAccess() = matcherCall.getQualifier() and
      authorizeCall.getArgument(0).(LambdaExpr).getExprBody() = permitAllCall and
      permitAllCall.getQualifier() instanceof AnyRequestCall
    )
  )
}