Spring CSRF: Protection Disabled & Unrestricted RequestMapping

[ptamarit]

This pull request includes 2 related detectors, each in a separated commit.

SpringCsrfProtectionDisabledDetector

Recent versions of Spring Security protect by default Spring endpoints against CSRF attacks.
Since it does require some initial work from the developers on the client-side to make form submissions and/or AJAX requests work, it can be tempting to disable the CSRF protection temporarily in an initial development phase, with the risk of forgetting to re-enable it later on.

This detector detects the deactivation of Spring Security's CSRF protection via Spring JavaConfig.
It does not however detects the deactivation of CSRF protection via Spring XML config.

SpringCsrfUnrestrictedRequestMappingDetector

Although it can be customized, out of the box Spring Security doesn't protect endpoints with the HTTP request methods GET, HEAD, TRACE, and OPTIONS against CSRF attacks.

It's very easy to use @RequestMapping and to forget to restrict it to only the needed HTTP request methods. If this happens for a state-changing method, then this method will be vulnerable to CSRF attacks as the GET method will be mapped.

This detector detects unrestricted @RequestMapping, as well as unlikely suspicious cases where a user would restrict a given mapping to a mix of unprotected HTTP request methods (e.g. GET) and protected HTTP request methods (e.g. POST).

General Remarks

• I was not really sure of where to put the new rules in findbugs.xml and messages.xml (as I didn't find any consistent logical ordering).
• I chose to use high priorities for both detectors.

[h3xstream]

Looks good ! 👍