CodeQL query to detect open Spring Boot actuator endpoints

[ggolawski]

This PR adds a query to detect open Spring Boot actuator endpoints. It flags custom Spring Security configurations that allow unauthenticated access to an actuator endpoint, like this one:

@Configuration(proxyBeanMethods = false)
public class ActuatorSecurity extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    // BAD: Unauthenticated access to Spring Boot actuator endpoints is allowed
    http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests((requests) ->
        requests.anyRequest().permitAll());
  }
}

Unauthenticated Spring Boot actuators may leak sensitive information or even lead to remote code execution: https://www.veracode.com/blog/research/exploiting-spring-boot-actuators, https://spaceraccoon.dev/remote-code-execution-in-three-acts-chaining-exposed-actuators-and-h2-database.

Test cases are also added, but without the .expected file.

[aschackmull]

Apologies for the delay in reviewing this PR. We think this is a useful contribution but it will likely require a number of changes before we can accept it into our standard query set.

In order to streamline our review process going forward, we are now accepting experimental contributions. If you'd like to move this query into the experimental directory as per those guidelines, then we'll be able to proceed more quickly with this PR.

Otherwise the query looks mostly good, although I'd like to see at least one result on some project to verify the applicability of the query. As for the documentation, it is claimed that this can "lead to information disclosure or even to remote code execution" - it would be nice to include some references or explanation to document how this happens.

[aschackmull]

We tried running this across all of lgtm.com https://lgtm.com/query/483327956475899158/ and got zero results.

[ggolawski]

I've moved the query to experimental and added the reference to an article that describes how to exploit this to get RCE (https://www.veracode.com/blog/research/exploiting-spring-boot-actuators).

When you search for EndpointRequest.toAnyEndpoint() in GitHub and exclude test classes, you'll get 2K results (https://github.com/search?l=Java&p=36&q=EndpointRequest.toAnyEndpoint%28%29+-filename%3A%2ATests.java&type=Code), but indeed mainly in demos and samples. I was pretty sure that this kind of misconfiguration is much more common. Anyway I think that I could find some 'real' projects (I'm not sure about this, so please verify):

• https://github.com/arianthox/CoreEngine (https://github.com/arianthox/CoreEngine/blob/3f9cb6552b4559ca1fb1cb15f6468aabaef94922/src/main/java/com/arianthox/predictor/config/SecurityConfig.java)
• https://github.com/davidwadden/conductor-workers (https://github.com/davidwadden/conductor-workers/blob/b49809908a02229c8bafbb3ba5f08422f80a8c9f/workers-app/src/main/java/io/pivotal/conductor/worker/app/WebSecurityConfig.java)
• https://github.com/hoffipublic/minimal_microservices (https://github.com/hoffipublic/minimal_microservices/blob/6e8f7392566b305178ff89cc78cc24c0a7ff41d9/microservice/src/main/java/com/hoffi/minimal/microservices/microservice/bootconfigs/ActuatorConfig.java)

These projects are not available on LGTM, but the actuators are exposed in the same as in my test code, so my query should detect these issues.

[aschackmull]

Thank you very much for those references. This definitely helps our evaluation.

[ggolawski]

Thanks for the suggestion. I've committed the change.
I've also added stubs, qlpack.yml and expected results, so the test for the query is runnable via codeql test run.

Please verify if everything is fine, especially qlpack.yml files - I had to add them in src/experimental and test/experimental.

[ggolawski]

I've removed qlpack.yml files - I've realized that they're not needed.

[aschackmull]

Thanks a lot for adding the working test. This looks ready to merge.

[pwntester]

@ggolawski this clause seems to be causing many FPs where there are no evidences that Spring Actuators are being used.

See results here https://lgtm.com/query/4456298315122374638/

If EndpointRequest is not used, we need a different way to know that Actuators are indeed enabled.

Having said that, those results may be of interest for a different query in the line of https://vulncat.fortify.com/en/weakness?q=spring%20security%20misconfiguration

Also, for lines 91 and 93 there are some FPs in the form of:

http.authorizeRequests().requestMatchers(EndpointRequest.to("info", "health")).permitAll();

which could be solved by checking that TypeEndpointRequestMatcher matches only EndpointRequestMatcher returned by toAnyEndpoint() or by to() if arguments contains an edpoint other than health and info which are of no interest and public

[ggolawski]

Thanks for spotting this. My intention was to raise the flag only if EndpointRequest.toAnyEndpoint() is being used. I'll check what's wrong and correct this query.

[ggolawski]

@pwntester I fixed these FPs in #3506. Please check it.

[pwntester]

Awesome, thanks!

[iamvolvo]

Hi there, have you considered promoting this out of experimental?

Recent news suggest this is something companies sometimes get wrong and should be concerned with. See:

• https://www.spiegel.de/netzwelt/web/volkswagen-konzern-datenleck-wir-wissen-wo-dein-auto-steht-a-e12d33d0-97bc-493c-96d1-aa5892861027
• https://media.ccc.de/v/38c3-wir-wissen-wo-dein-auto-steht-volksdaten-von-volkswagen#l=eng&t=1344