Java: update java/spring-disabled-csrf-protection QHelp#18692
Java: update java/spring-disabled-csrf-protection QHelp#18692jcogs33 merged 1 commit intogithub:mainfrom
java/spring-disabled-csrf-protection QHelp#18692Conversation
|
QHelp previews: java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.qhelpDisabled Spring CSRF protectionCross-site request forgery (CSRF) is a type of vulnerability in which an attacker is able to force a user to carry out an action that the user did not intend. The attacker tricks an authenticated user into submitting a request to the web application. Typically, this request will result in a state change on the server, such as changing the user's password. The request can be initiated when the user visits a site controlled by the attacker. If the web application relies only on cookies for authentication, or on other credentials that are automatically included in the request, then this request will appear as legitimate to the server. RecommendationWhen you use Spring, Cross-Site Request Forgery (CSRF) protection is enabled by default. Spring's recommendation is to use CSRF protection for any request that could be processed by a browser client by normal users. ExampleThe following example shows the Spring Java configuration with CSRF protection disabled. This type of configuration should only be used if you are creating a service that is used only by non-browser clients. import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf(csrf ->
// BAD - CSRF protection shouldn't be disabled
csrf.disable()
);
}
}References
|
There was a problem hiding this comment.
Copilot reviewed 1 out of 1 changed files in this pull request and generated no comments.
Tip: Copilot only keeps its highest confidence comments to reduce noise and keep you focused. Learn more
Description
Updates the overview section of the
java/spring-disabled-csrf-protectionQHelp to align with other CSRF queries. Context: #18288 (comment)Also updates the name of the OWASP website. Context: #18288 (comment)
Autofix validation: I quickly checked the effect on autofix for a couple alerts. Autofix still successfully removes the
.disable()call, but it now also discusses handling CSRF tokens in the fix descriptions and includes code related to CSRF tokens in one of the fix suggestions. Let me know if this sounds like a reason to avoid this wording update?(Note that I purposefully did not include any explicit mention of tokens in this update, but the related Python and Ruby QHelp files do mention tokens.)