
[DRAFT] Java: add CSRF query #18288

Draft: wants to merge 20 commits into base: main

Conversation

jcogs33 (Contributor) commented Dec 16, 2024

DRAFT

Pull Request checklist

All query authors

Internal query authors only

  • Changes are validated at scale (internal access required).
  • Adding a new query? Consider also adding the query to autofix.
  • Autofixes generated based on these changes are valid, only needed if this PR makes significant changes to .ql, .qll, or .qhelp files. See the documentation (internal access required).

@github-actions github-actions bot added the Java label Dec 16, 2024
@jcogs33 jcogs33 force-pushed the jcogs33/csrf-unprotected-request-type branch from 749e24a to e112226 Compare December 16, 2024 20:39
@jcogs33 jcogs33 force-pushed the jcogs33/csrf-unprotected-request-type branch from ff0477c to 13753dd Compare December 17, 2024 00:24
Contributor

QHelp previews:

java/ql/src/Security/CWE/CWE-352/CsrfUnprotectedRequestType.qhelp

HTTP request type unprotected from CSRF

When you set up a web server to receive a request from a client without any mechanism for verifying that it was intentionally sent, then it is vulnerable to attack. An attacker can trick a client into making an unintended request to the web server that will be treated as an authentic request. This can be done via a URL, image load, XMLHttpRequest, etc. and can result in exposure of data or unintended code execution.

Recommendation

When handling requests, make sure that any requests which change application state are protected from Cross-Site Request Forgery (CSRF). Some application frameworks, such as Spring, provide default CSRF protection for HTTP request types that may change application state, such as POST. Other HTTP request types, such as GET, should not be used for actions that change the state of the application, since these request types are not default-protected from CSRF by the framework.

Example

The following example shows a Spring request handler using a GET request for a state-changing action. Since a GET request does not have default CSRF protection in Spring, this type of request should not be used when modifying application state. Instead use one of Spring's default-protected request types, such as POST.

```java
// BAD - a GET request should not be used for a state-changing action like transfer
@RequestMapping(value="transfer", method=RequestMethod.GET)
public boolean transfer(HttpServletRequest request, HttpServletResponse response){
  return sendMoney(request, response);
}

// GOOD - use a POST request for a state-changing action
@RequestMapping(value="transfer", method=RequestMethod.POST)
public boolean transfer(HttpServletRequest request, HttpServletResponse response){
  return sendMoney(request, response);
}
```

References
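As an added illustration of the pattern the QHelp above describes (this is not code from the PR or from the CodeQL repository), the following self-contained Spring controller puts both handler shapes into one complete class together with a security configuration that keeps Spring Security's default CSRF protection enabled. The `TransferController` and `SecurityConfig` class names, the `AccountService` interface, the `/transfer` path and the request parameters are assumptions made for this example, and the imports assume Spring Boot 3 / Spring Security 6 (`jakarta.servlet`). The security-relevant detail it makes explicit is why enabling CSRF protection alone is not enough: Spring Security's `CsrfFilter` only demands a token for requests whose method is not GET, HEAD, TRACE or OPTIONS, so a state-changing GET handler stays exposed even in a correctly configured application, while the POST handler is covered by the filter.

```java
import jakarta.servlet.http.HttpServletRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical application service; only its signature matters here.
interface AccountService {
    boolean sendMoney(String fromAccount, String toAccount, long amountCents);
}

@RestController
public class TransferController {
    private final AccountService accounts;

    public TransferController(AccountService accounts) {
        this.accounts = accounts;
    }

    // BAD: a state-changing action bound to GET. Spring Security's CsrfFilter
    // skips GET/HEAD/TRACE/OPTIONS by default, so a request triggered from another
    // site (a link or an image load, as the QHelp notes) reaches sendMoney with no
    // token check. This is the shape the new query is meant to flag.
    @GetMapping("/transfer")
    public boolean transferViaGet(@RequestParam String to,
                                  @RequestParam long amountCents,
                                  HttpServletRequest request) {
        return accounts.sendMoney(request.getRemoteUser(), to, amountCents);
    }

    // GOOD: the same action bound to POST. With CSRF protection enabled (the
    // default), the CsrfFilter rejects the request unless a valid token is present.
    @PostMapping("/transfer")
    public boolean transferViaPost(@RequestParam String to,
                                   @RequestParam long amountCents,
                                   HttpServletRequest request) {
        return accounts.sendMoney(request.getRemoteUser(), to, amountCents);
    }
}

@Configuration
class SecurityConfig {
    // CSRF protection is on by default; this spells it out so that a reviewer
    // can see it has not been disabled. Calling csrf.disable() here would strip
    // the token check from the POST handler as well, leaving both handlers exposed.
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.csrf(Customizer.withDefaults())
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

The fix in practice is to delete `transferViaGet` rather than keep it beside the POST handler: the recommendation in the QHelp is about which HTTP method a state-changing action accepts, and as long as the GET mapping exists the CSRF filter's default matcher will keep letting it through.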

@jcogs33 jcogs33 force-pushed the jcogs33/csrf-unprotected-request-type branch from 13753dd to c217d7f Compare December 17, 2024 16:09
1 participant