java.spring.security.unrestricted-request-mapping.unrestricted-request-mapping
Verified by r2c
Community Favorite

Download Count*: 178,849
Detected a method annotated with 'RequestMapping' that does not specify the HTTP method. CSRF protections are not enabled for GET, HEAD, TRACE, or OPTIONS, and by default all HTTP methods are allowed when the HTTP method is not explicitly specified. This means that a method that performs state changes could be vulnerable to CSRF attacks. To mitigate, add the 'method' field and specify the HTTP method (such as 'RequestMethod.POST').
Definition
rules:
  - id: unrestricted-request-mapping
    patterns:
      - pattern-inside: |
          @RequestMapping(...)
          $RETURNTYPE $METHOD(...) { ... }
      - pattern-not-inside: |
          @RequestMapping(..., method = $X, ...)
          $RETURNTYPE $METHOD(...) { ... }
      - pattern: |
          RequestMapping
    message: Detected a method annotated with 'RequestMapping' that does not specify
      the HTTP method. CSRF protections are not enabled for GET, HEAD, TRACE, or
      OPTIONS, and by default all HTTP methods are allowed when the HTTP method
      is not explicitly specified. This means that a method that performs state
      changes could be vulnerable to CSRF attacks. To mitigate, add the 'method'
      field and specify the HTTP method (such as 'RequestMethod.POST').
    severity: WARNING
    metadata:
      cwe:
        - "CWE-352: Cross-Site Request Forgery (CSRF)"
      owasp:
        - A01:2021 - Broken Access Control
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING
      references:
        - https://find-sec-bugs.github.io/bugs.htm#SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING
      category: security
      technology:
        - spring
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - java
Examples
unrestricted-request-mapping.java
// cf. https://find-sec-bugs.github.io/bugs.htm#SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
public class DataController { // renamed from 'Controller' so it does not clash with the imported annotation type

    // ruleid: unrestricted-request-mapping
    @RequestMapping("/path")
    public void writeData() {
        // State-changing operations performed within this method.
    }

    // ruleid: unrestricted-request-mapping
    @RequestMapping(value = "/path")
    public void writeData2() {
        // State-changing operations performed within this method.
    }

    /**
     * For methods without side-effects use either
     * RequestMethod.GET, RequestMethod.HEAD, RequestMethod.TRACE, or RequestMethod.OPTIONS.
     */
    // ok: unrestricted-request-mapping
    @RequestMapping(value = "/path", method = RequestMethod.GET)
    public String readData() {
        // No state-changing operations performed within this method.
        return "";
    }

    /**
     * For state-changing methods use either
     * RequestMethod.POST, RequestMethod.PUT, RequestMethod.DELETE, or RequestMethod.PATCH.
     */
    // ok: unrestricted-request-mapping
    @RequestMapping(value = "/path", method = RequestMethod.POST)
    public void writeData3() {
        // State-changing operations performed within this method.
    }
}
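The following controller is an added example, not part of the registry page or its test file, and assumes only Spring Web (4.3 or later) on the classpath; the class name, paths, request parameter and the commented service call are illustrative. It shows the mitigation from the rule message in both forms a Spring code base will contain: the explicit 'method' field that this rule checks for, and the composed annotations ('@PostMapping', '@GetMapping') that restrict the verb the same way. Because Spring Security's CSRF filter only enforces the token on verbs other than GET, HEAD, TRACE and OPTIONS, pinning every state-changing handler to a non-safe verb is what makes that filter effective.

```java
import org.springframework.http.ResponseEntity;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;

// Added example (hypothetical class, paths and service); not the registry's own test code.
@Controller
@RequestMapping("/account") // class-level prefix only: the verb is decided per method below
public class AccountController {

    // Hardened form A: the explicit 'method' field the rule looks for.
    // Only POST reaches this handler, so Spring Security's CSRF filter
    // (which skips GET/HEAD/TRACE/OPTIONS) always checks the token first.
    @RequestMapping(value = "/email", method = RequestMethod.POST)
    @ResponseBody
    public ResponseEntity<Void> changeEmail(@RequestParam("email") String email) {
        // accountService.updateEmail(currentUser(), email);  // assumed state change
        return ResponseEntity.noContent().build();
    }

    // Hardened form B: the composed annotation. @PostMapping is
    // @RequestMapping(method = RequestMethod.POST) under the hood and gives
    // the same verb restriction with less to get wrong.
    @PostMapping("/email/confirm")
    @ResponseBody
    public ResponseEntity<Void> confirmEmail(@RequestParam("token") String token) {
        // accountService.confirmEmail(currentUser(), token);  // assumed state change
        return ResponseEntity.noContent().build();
    }

    // Read-only handler: a safe verb is appropriate because nothing changes
    // server-side, so the absence of a CSRF check here is by design.
    @GetMapping("/email")
    @ResponseBody
    public ResponseEntity<String> currentEmail() {
        // return ResponseEntity.ok(accountService.currentEmail(currentUser()));
        return ResponseEntity.ok("user@example.invalid"); // constructed placeholder
    }
}
```

Two things worth knowing when reading this rule's results. The patterns match the literal annotation name 'RequestMapping', so handlers written with '@PostMapping', '@GetMapping' and the other composed annotations are neither flagged nor need to be; a code base that has standardised on them will produce few findings from this rule. Conversely, a handler that declares 'method = {RequestMethod.GET, RequestMethod.POST}' satisfies the 'pattern-not-inside' clause and is not reported, yet it still performs its state change over GET without a CSRF token, which is why the metadata rates confidence LOW and why a clean run is not proof that every state-changing endpoint is pinned to a non-safe verb.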
Short Link: https://sg.run/2xlq