Java: Promote Spring Boot Actuators query from experimental #18793

Open
wants to merge 13 commits into
base: main

Conversation

jcogs33
Contributor

@jcogs33 jcogs33 commented Feb 16, 2025

This PR promotes java/spring-boot-exposed-actuators from experimental (original PRs: #2901 and #3506).

Changes from the experimental query:

  • Updated the query to handle HttpSecurity.securityMatcher(s), HttpSecurity.authorizeHttpRequests, and AuthorizeHttpRequestsConfigurer, which were added in more recent Spring versions.
    • As a result, the springframework-5.3.8 stubs directory should technically be renamed to springframework-5.8.x. I'll do that in a follow-up PR to avoid a large number of renamed stub files and updated options files on this PR.
  • Placed the query under CWE-200 instead of CWE-016. CWE-016 is a category, and my understanding from our metadata style guide is that we should use CWEs that are a base/class weakness, not a category. Let me know if you disagree.

Contributor

github-actions bot commented Feb 16, 2025

QHelp previews:

java/ql/src/Security/CWE/CWE-200/SpringBootActuators.qhelp

Exposed Spring Boot actuators

Spring Boot includes features called actuators that let you monitor and interact with your web application. Exposing unprotected actuator endpoints can lead to information disclosure or even to remote code execution.

Recommendation

Since actuator endpoints may expose sensitive information, carefully consider when to expose them, and secure them as you would any other sensitive URL. Actuators are secured by default when Spring Security is used without a custom security configuration. If you do define a custom security configuration, consider allowing only users with specific roles to access the endpoints.

Example

In the first example, the custom security configuration allows unauthenticated access to all actuator endpoints. This may lead to sensitive information disclosure and should be avoided.

In the second example, only users with the ENDPOINT_ADMIN role are allowed to access the actuator endpoints.

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration(proxyBeanMethods = false)
public class CustomSecurityConfiguration {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        // BAD: this chain matches every actuator endpoint, and permitAll()
        // lets unauthenticated clients reach all of them
        http.securityMatcher(EndpointRequest.toAnyEndpoint());
        http.authorizeHttpRequests((requests) -> requests.anyRequest().permitAll());
        return http.build();
    }

}

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration(proxyBeanMethods = false)
public class CustomSecurityConfiguration {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        // GOOD: this chain matches every actuator endpoint, and only users
        // holding the ENDPOINT_ADMIN role are allowed through
        http.securityMatcher(EndpointRequest.toAnyEndpoint());
        http.authorizeHttpRequests((requests) -> requests.anyRequest().hasRole("ENDPOINT_ADMIN"));
        return http.build();
    }

}

References

  • Spring Boot Reference Documentation: Endpoints.
  • Common Weakness Enumeration: CWE-200.
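Added example, not part of the QHelp above or of the CodeQL repository: a finer-grained variant of the GOOD configuration that keeps the unauthenticated health and info probes that load balancers and dashboards rely on while requiring the ENDPOINT_ADMIN role for every other actuator endpoint. It assumes Spring Boot 3.x with Spring Security 6.x (the securityMatcher and authorizeHttpRequests APIs the PR description mentions), HTTP Basic as the operators' authentication mechanism, and that the application's own routes are covered by a separate, lower-priority SecurityFilterChain bean that is not shown; the class and bean names are illustrative.

```java
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration(proxyBeanMethods = false)
public class ActuatorSecurityConfiguration {

    // Illustrative names; assumes Spring Boot 3.x / Spring Security 6.x.
    // @Order(1) makes this chain run before a catch-all application chain
    // (assumed to exist elsewhere), so actuator paths never fall through to it.
    @Bean
    @Order(1)
    public SecurityFilterChain actuatorFilterChain(HttpSecurity http) throws Exception {
        http
            // Restrict this chain to actuator endpoints. EndpointRequest resolves the
            // management base path itself, so nothing is hard-coded to "/actuator".
            .securityMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeHttpRequests(requests -> requests
                // health and info reveal little by default (health shows only the
                // status unless show-details is enabled), so probes stay anonymous
                .requestMatchers(EndpointRequest.to("health", "info")).permitAll()
                // every other endpoint (env, heapdump, loggers, threaddump, ...) can
                // leak secrets or change runtime state, so it needs the operator role
                .anyRequest().hasRole("ENDPOINT_ADMIN"))
            // Operators authenticate with HTTP Basic (over TLS). Without an
            // authentication entry point, hasRole() would reject every caller as anonymous.
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

}
```

A quick check after deploying this: an unauthenticated GET of /actuator/health should return 200, while an unauthenticated GET of /actuator/env should return 401 and the same request with ENDPOINT_ADMIN credentials should return 200. If /actuator/env answers without credentials, the catch-all application chain is matching first and the @Order values need revisiting.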

@jcogs33 jcogs33 force-pushed the jcogs33/java/spring-boot-actuators-promo branch from 9f3980e to c2e859c Compare February 24, 2025 23:35
@jcogs33 jcogs33 changed the title [DRAFT] Java: Promote Spring Boot Actuators query from experimental Java: Promote Spring Boot Actuators query from experimental Feb 25, 2025
@jcogs33 jcogs33 marked this pull request as ready for review February 25, 2025 13:12
@jcogs33 jcogs33 requested a review from a team as a code owner February 25, 2025 13:12