Skip to content

Add check for disabled CSRF protection in Spring#2586

Merged
aschackmull merged 4 commits intogithub:masterfrom
ggolawski:spring_disable_csrf
Jan 27, 2020
Merged

Add check for disabled CSRF protection in Spring#2586
aschackmull merged 4 commits intogithub:masterfrom
ggolawski:spring_disable_csrf

Conversation

@ggolawski
Copy link
Contributor

@ggolawski ggolawski commented Jan 3, 2020
edited
Loading

Spring has built-in CSRF protection. However, it's possible to disable it, which most likely makes the application vulnerable to Cross-Site Request Forgery (CWE-352).

Spring CSRF protection can be disabled via Java configuration (more details here):

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
  @Override
  protected void configure(HttpSecurity http) {
    http
      .csrf(csrf ->
        csrf.disable()
      );
  }
}

This PR adds a CodeQL check which finds all invocations of CsrfConfigurer.disable() method.

@ggolawski ggolawski requested review from a team and felicitymay as code owners January 3, 2020 21:02
@ghost
Copy link

ghost commented Jan 3, 2020
edited by ghost
Loading

CLA assistant check
All committers have signed the CLA.

@ggolawski ggolawski mentioned this pull request Jan 3, 2020
Closed
1 task
felicitymay
felicitymay reviewed Jan 21, 2020
View reviewed changes
Copy link
Contributor

@felicitymay felicitymay left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for including a help file with your query. Generally it looks good but I've made a few suggestions with the aim of simplifying the English (shorter sentence) and clarifying a few things.

@ggolawski
Add check for disabled CSRF protection in Spring
c5a9747 
Fix the help according to review comments.
@ggolawski
Copy link
Contributor Author

ggolawski commented Jan 21, 2020

Thanks for reviewing this PR. I applied your suggestions.

felicitymay
felicitymay reviewed Jan 22, 2020
View reviewed changes
Copy link
Contributor

@felicitymay felicitymay left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for those changes. On re-reading the qhelp file, I realized that one of my suggestions had removed the context from the start of the Recommendation section. 😞

I've made a suggestion to fix this. Apart from this issue, the text looks ready to merge.

@aschackmull
Copy link
Contributor

aschackmull commented Jan 22, 2020

Could you also run autoformat on the QL code? (That's available in the right-click menu in VSCode)

@ggolawski
Add check for disabled CSRF protection in Spring
5596944 
Fix help and correct formatting.
@ggolawski
Copy link
Contributor Author

ggolawski commented Jan 22, 2020

I corrected the help and formatted the QL code.

felicitymay
felicitymay approved these changes Jan 23, 2020
View reviewed changes
Copy link
Contributor

@felicitymay felicitymay left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for correcting the help 😄

@aschackmull aschackmull merged commit 816a8d1 into github:master Jan 27, 2020
@aschackmull aschackmull mentioned this pull request Jan 27, 2020
Merged
@ggolawski ggolawski deleted the spring_disable_csrf branch January 27, 2020 19:37
@yo-h yo-h added the Java label May 2, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@felicitymay felicitymay felicitymay approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

Java

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@ggolawski @aschackmull @felicitymay @yo-h