java.spring.security.unrestricted-request-mapping.unrestricted-request-mapping

Verified by r2c (Community Favorite)
Author: returntocorp
Downloads: 178,849

Detected a method annotated with 'RequestMapping' that does not specify the HTTP method. CSRF protections are not enabled for GET, HEAD, TRACE, or OPTIONS, and by default all HTTP methods are allowed when the HTTP method is not explicitly specified. This means that a method that performs state changes could be vulnerable to CSRF attacks. To mitigate, add the 'method' field and specify the HTTP method (such as 'RequestMethod.POST').


Definition

rules:
  - id: unrestricted-request-mapping
    patterns:
      - pattern-inside: |
          @RequestMapping(...)
          $RETURNTYPE $METHOD(...) { ... }
      - pattern-not-inside: |
          @RequestMapping(..., method = $X, ...)
          $RETURNTYPE $METHOD(...) { ... }
      - pattern: |
          RequestMapping
    message: Detected a method annotated with 'RequestMapping' that does not specify
      the HTTP method. CSRF protections are not enabled for GET, HEAD, TRACE, or
      OPTIONS, and by default all HTTP methods are allowed when the HTTP method
      is not explicitly specified. This means that a method that performs state
      changes could be vulnerable to CSRF attacks. To mitigate, add the 'method'
      field and specify the HTTP method (such as 'RequestMethod.POST').
    severity: WARNING
    metadata:
      cwe: "CWE-352: Cross-Site Request Forgery (CSRF)"
      owasp:
        - A06:2017 - Security Misconfiguration
        - A05:2021 - Security Misconfiguration
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING
      references:
        - https://find-sec-bugs.github.io/bugs.htm#SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING
      category: security
      technology:
        - spring
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - java

Examples

unrestricted-request-mapping.java

// cf. https://find-sec-bugs.github.io/bugs.htm#SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

// The class is named DataController rather than Controller so the name does not
// collide with the imported @Controller annotation type.
@Controller
public class DataController {

    // No 'method' given: reachable via every HTTP verb, including the CSRF-exempt ones.
    // ruleid: unrestricted-request-mapping
    @RequestMapping("/path")
    public void writeData() {
        // State-changing operations performed within this method.
    }

    // Same problem when only the 'value' attribute is set explicitly.
    // ruleid: unrestricted-request-mapping
    @RequestMapping(value = "/path")
    public void writeData2() {
        // State-changing operations performed within this method.
    }

    /**
     * For methods without side-effects use either
     * RequestMethod.GET, RequestMethod.HEAD, RequestMethod.TRACE, or RequestMethod.OPTIONS.
     */
    // ok: unrestricted-request-mapping
    @RequestMapping(value = "/path", method = RequestMethod.GET)
    public String readData() {
        // No state-changing operations performed within this method.
        return "";
    }

    /**
     * For state-changing methods use either
     * RequestMethod.POST, RequestMethod.PUT, RequestMethod.DELETE, or RequestMethod.PATCH.
     */
    // ok: unrestricted-request-mapping
    @RequestMapping(value = "/path", method = RequestMethod.POST)
    public void writeData3() {
        // State-changing operations performed within this method.
    }
}
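The following is an added example, not part of the original rule or its test fixture: a small Python checker that mirrors what the rule above flags (a `@RequestMapping` with no `method` attribute) and also reports the case the rule's `pattern-not-inside` lets through, a `method` list that mixes a CSRF-exempt verb (GET, HEAD, TRACE, OPTIONS) with a state-changing one, which leaves the handler reachable without a CSRF token. The Java input is constructed, the class `OrderController` is hypothetical, and the regexes assume one annotation per line without nested parentheses.

```python
import re

# Constructed Java source (not from the page) covering the rule's cases plus
# one it does not flag: a 'method' set that still admits GET.
SAMPLE_JAVA = """\
@Controller
public class OrderController {
    @RequestMapping("/orders/create")
    public void create() { }

    @RequestMapping(value = "/orders/cancel")
    public void cancel() { }

    @RequestMapping(value = "/orders", method = RequestMethod.GET)
    public String list() { return ""; }

    @RequestMapping(value = "/orders/update", method = RequestMethod.POST)
    public void update() { }

    @RequestMapping(value = "/orders/toggle", method = {RequestMethod.GET, RequestMethod.POST})
    public void toggle() { }
}
"""

# Verbs for which Spring Security's CSRF filter performs no token check.
CSRF_EXEMPT = {"GET", "HEAD", "TRACE", "OPTIONS"}
ANNOTATION = re.compile(r"@RequestMapping\s*\((?P<args>[^)]*)\)")
METHOD_ARG = re.compile(r"\bmethod\s*=\s*(?P<val>\{[^}]*\}|[^,)]+)")
VERB = re.compile(r"RequestMethod\.(\w+)")


def audit_request_mappings(source):
    """Return (line, finding) pairs for each @RequestMapping in 'source'.
    'unrestricted'  : no method attribute at all (what the Semgrep rule flags).
    'mixed-verbs:..': method set holds both CSRF-exempt and state-changing verbs,
                      so the state-changing handler is also reachable untokened."""
    findings = []
    for m in ANNOTATION.finditer(source):
        line = source.count("\n", 0, m.start()) + 1
        arg = METHOD_ARG.search(m.group("args"))
        if arg is None:
            findings.append((line, "unrestricted"))
            continue
        verbs = set(VERB.findall(arg.group("val")))
        exempt = sorted(verbs & CSRF_EXEMPT)
        if exempt and (verbs - CSRF_EXEMPT):
            findings.append((line, "mixed-verbs:" + ",".join(exempt)))
    return findings


if __name__ == "__main__":
    for line, finding in audit_request_mappings(SAMPLE_JAVA):
        print(f"line {line}: {finding}")
```

On the sample above it reports `create` and `cancel` as unrestricted and `toggle` as mixed, while the GET-only `list` and POST-only `update` mappings are accepted, matching the rule's own ok/ruleid split.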