Spring CSRF: Protection Disabled & Unrestricted RequestMapping #261
This pull request includes 2 related detectors, each in a separate commit.
SpringCsrfProtectionDisabledDetector
Recent versions of Spring Security protect Spring endpoints against CSRF attacks by default.
Since it does require some initial work from the developers on the client-side to make form submissions and/or AJAX requests work, it can be tempting to disable the CSRF protection temporarily in an initial development phase, with the risk of forgetting to re-enable it later on.
This detector detects the deactivation of Spring Security's CSRF protection via Spring JavaConfig.
It does not, however, detect the deactivation of CSRF protection via Spring XML config.
SpringCsrfUnrestrictedRequestMappingDetector
Although it can be customized, out of the box Spring Security doesn't protect endpoints with the HTTP request methods `GET`, `HEAD`, `TRACE`, and `OPTIONS` against CSRF attacks. It's very easy to use `@RequestMapping` and to forget to restrict it to only the needed HTTP request methods. If this happens for a state-changing method, then this method will be vulnerable to CSRF attacks as the `GET` method will be mapped.
This detector detects unrestricted `@RequestMapping`, as well as unlikely suspicious cases where a user would restrict a given mapping to a mix of unprotected HTTP request methods (e.g. `GET`) and protected HTTP request methods (e.g. `POST`).
General Remarks