Conversation

@jcogs33 jcogs33 commented Jul 9, 2025

Description

This PR promotes java/insecure-spring-actuator-config from experimental as java/spring-boot-exposed-actuators-config (original PR: #5384).

Consideration

Main changes from the experimental query:

  • Instead of requiring an application.properties file, I've used the pre-existing JavaProperty class which only looks for the .properties extension. Spring allows changing the application.properties name, so this update reduces FNs.
  • Added support for version 3.x.
  • Added support for management.endpoint.web.expose. This property is not particularly common, but was available in at least one 2.x version, so I've added it since it was easy to add.
  • Placed the query under CWE-200 instead of CWE-016. CWE-016 is a category, and my understanding from our metadata style guide is that we should use CWEs that are a base/class weakness, not a category. (I did the same for Java: Promote Spring Boot Actuators query from experimental #18793.)
  • Also see inline comments.

github-actions bot commented Jul 9, 2025

QHelp previews:

java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/SpringBootActuatorsConfig.qhelp

Exposed Spring Boot actuators in configuration file

Spring Boot includes features called actuators that let you monitor and interact with your web application. Exposing unprotected actuator endpoints through configuration files can lead to information disclosure or even to remote code execution.

Recommendation

Since actuator endpoints may contain sensitive information, carefully consider when to expose them, and secure them as you would any sensitive URL. If you need to expose actuator endpoints, use Spring Security, which secures actuators by default, or define a custom security configuration.

Example

The following examples show .properties configurations (application.properties by default, but Spring Boot also reads renamed property files) that expose sensitive actuator endpoints.

# vulnerable configuration (Spring Boot 1.0 - 1.4): endpoints are exposed by default, so no property is needed

# vulnerable configuration (Spring Boot 1.5): false value exposes endpoints
management.security.enabled=false

# vulnerable configuration (Spring Boot 2.x): exposes all endpoints
management.endpoints.web.exposure.include=*

# vulnerable configuration (Spring Boot 3.x): exposes all endpoints
management.endpoints.web.exposure.include=*

The following configurations ensure that sensitive actuator endpoints are not exposed.

# safe configuration (Spring Boot 1.0 - 1.4)
management.security.enabled=true

# safe configuration (Spring Boot 1.5+)
management.security.enabled=true

# safe configuration (Spring Boot 2.x): exposes only health and info, which is the default
management.endpoints.web.exposure.include=health,info

# safe configuration (Spring Boot 3.x): exposes only health, which is the default
management.endpoints.web.exposure.include=health

To use Spring Security, which secures actuators by default, add the spring-boot-starter-security dependency to your Maven pom.xml file alongside the actuator starter.

...
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-actuator</artifactId>
        </dependency>

        <!-- GOOD: Enable Spring Security -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
...

References

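The property checks that the PR description lists and the qhelp examples above lay out, as an added example in Python that is not part of the PR, the CodeQL query or Spring Boot: a small scanner that parses a Java .properties file (any file name, matching the PR's move away from requiring application.properties) and flags the values that expose actuator endpoints. The sample properties text is constructed for this example. Two things go beyond the page: the check that reports any endpoint outside health and info (the qhelp's safe defaults) is this example's own stricter choice, not necessarily the query's behaviour, and version detection is out of scope, so the Spring Boot 1.0 - 1.4 "exposed by default with no property" case, which depends on the dependency version rather than on a property value, is not reported.

```python
"""Scan a Spring Boot .properties file for settings that expose actuator endpoints.

Added example; not the CodeQL query, the PR's code, or Spring Boot's own code.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterator

# Property that disables actuator security in Spring Boot 1.5 (false exposes endpoints).
SECURITY_TOGGLE = "management.security.enabled"
# Properties whose value selects which actuator endpoints are exposed over HTTP.
EXPOSURE_KEYS = {
    "management.endpoints.web.exposure.include",  # Spring Boot 2.x and 3.x
    "management.endpoint.web.expose",             # present in at least one 2.x version (per the PR)
}
# Endpoints the qhelp shows as safe to expose; anything else is reported (this example's choice).
SAFE_ENDPOINTS = {"health", "info"}


@dataclass(frozen=True)
class Finding:
    line_no: int
    key: str
    value: str
    reason: str


def parse_properties(text: str) -> Iterator[tuple[int, str, str]]:
    """Yield (line_no, key, value) for each logical line of a Java .properties file.

    Handles '#' and '!' comment lines, '=' / ':' / whitespace separators and
    backslash line continuations (an odd number of trailing backslashes).
    """
    pending: list[str] = []  # pieces of a logical line spread over continuation lines
    start = 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not pending:
            if not line or line[0] in "#!":
                continue  # blank or comment line
            start = no
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2 == 1:  # continued on the next line
            pending.append(line[:-1])
            continue
        pending.append(line)
        logical = "".join(pending)
        pending = []
        m = re.match(r"([^=:\s]+)\s*(?:[=:]|\s)\s*(.*)", logical)
        if m:
            yield start, m.group(1), m.group(2)
        else:
            yield start, logical, ""  # key with no value


def scan(text: str) -> list[Finding]:
    """Return one Finding per property value that exposes actuator endpoints."""
    findings: list[Finding] = []
    for no, key, value in parse_properties(text):
        v = value.strip().lower()
        if key == SECURITY_TOGGLE and v == "false":
            findings.append(Finding(no, key, value, "actuator security disabled (Spring Boot 1.5)"))
        elif key in EXPOSURE_KEYS:
            exposed = {e.strip() for e in v.split(",") if e.strip()}
            if "*" in exposed:
                findings.append(Finding(no, key, value, "wildcard exposes all actuator endpoints"))
            elif exposed - SAFE_ENDPOINTS:
                extra = ", ".join(sorted(exposed - SAFE_ENDPOINTS))
                findings.append(Finding(no, key, value, "exposes sensitive endpoints: " + extra))
    return findings


# Constructed sample (not taken from the PR); the file name is deliberately not application.properties.
SAMPLE_PROPERTIES = """\
# application-prod.properties (constructed sample)
server.port=8080
management.security.enabled=false
management.endpoints.web.exposure.include=*
management.endpoint.web.expose = health,info
management.endpoints.web.exposure.include=health,\\
    env,beans
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_PROPERTIES):
        print(f"line {f.line_no}: {f.key}={f.value}  ({f.reason})")
```

On the constructed sample the scanner reports lines 3, 4 and 6: the disabled security toggle, the wildcard, and the continued line that adds env and beans to the exposed set; the `health,info` line is accepted. Because the parser works on any properties text, the same function can be pointed at every `*.properties` file in a repository rather than only application.properties, which is the false-negative the PR description sets out to close.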
@jcogs33 jcogs33 force-pushed the jcogs33/java/insecure-spring-actuator-config-promotion branch 3 times, most recently from d8bbc2b to cde1939 Compare July 15, 2025 14:19
@jcogs33 jcogs33 force-pushed the jcogs33/java/insecure-spring-actuator-config-promotion branch from c0680d1 to 9ac212d Compare July 16, 2025 01:57
@jcogs33 jcogs33 force-pushed the jcogs33/java/insecure-spring-actuator-config-promotion branch from 9ac212d to 8dd8c17 Compare July 16, 2025 19:43
@jcogs33 jcogs33 force-pushed the jcogs33/java/insecure-spring-actuator-config-promotion branch from 8dd8c17 to c31fb17 Compare July 17, 2025 21:55
@jcogs33 jcogs33 force-pushed the jcogs33/java/insecure-spring-actuator-config-promotion branch from c31fb17 to 6a6b794 Compare July 17, 2025 22:29
@jcogs33 jcogs33 force-pushed the jcogs33/java/insecure-spring-actuator-config-promotion branch from 6a6b794 to 56f667d Compare July 17, 2025 23:23
@jcogs33 jcogs33 force-pushed the jcogs33/java/insecure-spring-actuator-config-promotion branch from 56f667d to 7250265 Compare July 18, 2025 21:50
@jcogs33 jcogs33 marked this pull request as ready for review July 19, 2025 19:47
@Copilot Copilot AI review requested due to automatic review settings July 19, 2025 19:47
@jcogs33 jcogs33 requested a review from a team as a code owner July 19, 2025 19:47
@Copilot Copilot AI left a comment

Pull Request Overview

This PR promotes the experimental query java/insecure-spring-actuator-config to the main query pack as java/spring-boot-exposed-actuators-config, enabling it to appear in default CodeQL results.

Key changes include:

  • Adding support for Spring Boot version 3.x
  • Extending configuration property detection beyond application.properties to any .properties file
  • Refactoring from experimental CWE-016 categorization to production CWE-200

Reviewed Changes

Copilot reviewed 46 out of 46 changed files in this pull request and generated 1 comment.

Files reviewed:

  • java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/SpringBootActuatorsConfig.ql: New main query implementing the promoted actuator configuration detection
  • java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll: Core logic library for detecting insecure Spring Boot actuator configurations
  • java/ql/lib/semmle/code/configfiles/ConfigFiles.qll: Added PropertiesFile class to support broader .properties file detection
  • java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/: Comprehensive test suite covering Spring Boot versions 1.x through 3.x
  • java/ql/src/experimental/Security/CWE/CWE-016/: Removal of experimental query files
  • java/ql/integration-tests/java/query-suite/*.expected: Updated query suite expectations to include the new query

@owen-mc owen-mc left a comment

Very thorough. One minor request in the change note.

@jcogs33 jcogs33 added the ready-for-doc-review This PR requires and is ready for review from the GitHub docs team. label Aug 24, 2025
@sophietheking sophietheking left a comment

Looks good from a Docs POV. 👍

@jcogs33 jcogs33 merged commit b7c1e1e into github:main Aug 26, 2025
21 checks passed
* @problem.severity error
* @security-severity 6.5
* @precision high
* @id java/spring-boot-exposed-actuators-config
Do we need a @previous-id java/insecure-spring-actuator-config tag as well?

I don't think we are using @previous-id when promoting experimental queries. Only when porting queries from a different query pack.

Contributor Author

> I don't think we are using @previous-id when promoting experimental queries. Only when porting queries from a different query pack.

This was my understanding as well.
