
[DRAFT] Java: Promote Spring Boot Actuators query from experimental #18793

Draft: wants to merge 11 commits into base branch main.
Conversation


@jcogs33 jcogs33 commented Feb 16, 2025

DRAFT


github-actions bot commented Feb 16, 2025

QHelp previews:

java/ql/src/Security/CWE/CWE-016/SpringBootActuators.qhelp

Exposed Spring Boot actuators

Spring Boot includes a number of additional features called actuators that let you monitor and interact with your web application. Exposing unprotected actuator endpoints via JMX or HTTP can, however, lead to information disclosure or even to a remote code execution vulnerability.

Recommendation

Since actuator endpoints may expose sensitive information, consider carefully when to expose them. Secure exposed HTTP endpoints in the same way that you would any other sensitive URL. If Spring Security is present, endpoints are secured by default using Spring Security’s content-negotiation strategy. If you wish to configure custom security for HTTP endpoints, for example to allow only users with a certain role to access them, Spring Boot provides some convenient RequestMatcher objects that can be used in combination with Spring Security.

Example

In the first example, the custom security configuration allows unauthenticated access to all actuator endpoints. This may lead to sensitive information disclosure and should be avoided.

In the second example, only users with the ENDPOINT_ADMIN role are allowed to access the actuator endpoints.

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration(proxyBeanMethods = false)
public class SpringBootActuators extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    // BAD: Unauthenticated access to Spring Boot actuator endpoints is allowed.
    // EndpointRequest.toAnyEndpoint() matches every actuator endpoint, and permitAll()
    // lets anyone read them (env, beans, heapdump, ...).
    http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests((requests) ->
        requests.anyRequest().permitAll());
  }
}

@Configuration(proxyBeanMethods = false)
public class ActuatorSecurity extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    // GOOD: only users with the ENDPOINT_ADMIN role are allowed to access the actuator endpoints,
    // authenticated with HTTP Basic.
    http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests((requests) ->
        requests.anyRequest().hasRole("ENDPOINT_ADMIN"));
    http.httpBasic();
  }
}
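As an added example that is not part of the qhelp or of this PR: the GOOD configuration above rewritten against the SecurityFilterChain bean API that replaced WebSecurityConfigurerAdapter (deprecated in Spring Security 5.7, removed in 6.0), with the health endpoint as the single unauthenticated exception so that liveness probes still work. The class name and the health carve-out are assumptions for illustration; it assumes Spring Boot 3 with spring-boot-starter-actuator and Spring Security on the classpath.

```java
// Added example, not from the CodeQL qhelp: the ENDPOINT_ADMIN rule as a
// SecurityFilterChain bean (Spring Security 5.7+/Spring Boot 3 style).
// Assumes Spring Boot 3 with spring-boot-starter-actuator and Spring Security.
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration(proxyBeanMethods = false)
public class ActuatorSecurityConfig { // hypothetical class name

  // GOOD: securityMatcher scopes this chain to actuator endpoints only, so it
  // cannot accidentally loosen or tighten rules for the rest of the application.
  @Bean
  public SecurityFilterChain actuatorFilterChain(HttpSecurity http) throws Exception {
    http
        .securityMatcher(EndpointRequest.toAnyEndpoint())
        .authorizeHttpRequests(requests -> requests
            // Assumed carve-out: liveness/readiness probes may read /actuator/health
            // without credentials. No other endpoint is opened.
            .requestMatchers(EndpointRequest.to(HealthEndpoint.class)).permitAll()
            // Everything else under /actuator (env, beans, heapdump, ...) requires
            // an authenticated user holding ROLE_ENDPOINT_ADMIN.
            .anyRequest().hasRole("ENDPOINT_ADMIN"))
        .httpBasic(Customizer.withDefaults());
    return http.build();
  }
}
```

Because the chain is built inside securityMatcher(EndpointRequest.toAnyEndpoint()), adding a permitAll() on anyRequest() here would reproduce the BAD pattern above, which is exactly what the query flags.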

References
