Skip to content

Java: Promote Insecure Spring Boot Actuator Configuration query from experimental #20006

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 11 commits into
base: main
Choose a base branch
from
Draft

Java: Promote Insecure Spring Boot Actuator Configuration query from experimental #20006

wants to merge 11 commits into from
+501 −140

Conversation

jcogs33
Copy link
Contributor

@jcogs33 jcogs33 commented Jul 9, 2025

DRAFT

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jul 9, 2025

QHelp previews:

java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.qhelp

Insecure Spring Boot Actuator Configuration

Spring Boot is a popular framework that facilitates the development of stand-alone applications and micro services. Spring Boot Actuator helps to expose production-ready support features against Spring Boot applications.

Endpoints of Spring Boot Actuator allow to monitor and interact with a Spring Boot application. Exposing unprotected actuator endpoints through configuration files can lead to information disclosure or even remote code execution vulnerability.

Rather than programmatically permitting endpoint requests or enforcing access control, frequently developers simply leave management endpoints publicly accessible in the application configuration file application.properties without enforcing access control through Spring Security.

Recommendation

Declare the Spring Boot Starter Security module in XML configuration or programmatically enforce security checks on management endpoints using Spring Security. Otherwise accessing management endpoints on a different HTTP port other than the port that the web application is listening on also helps to improve the security.

Example

The following examples show both 'BAD' and 'GOOD' configurations. In the 'BAD' configuration, no security module is declared and sensitive management endpoints are exposed. In the 'GOOD' configuration, security is enforced and only endpoints requiring exposure are exposed.

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>spring-boot-actuator-app</groupId>
    <artifactId>spring-boot-actuator-app</artifactId>
    <version>1.0-SNAPSHOT</version>

    <properties>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
        <maven.compiler.source>1.8</maven.compiler.source>
        <maven.compiler.target>1.8</maven.compiler.target>
    </properties>

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.3.8.RELEASE</version>
        <relativePath/>
    </parent>

    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-actuator</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-devtools</artifactId>
        </dependency>

        <!-- GOOD: Enable Spring Security -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-test</artifactId>
        </dependency>
    </dependencies>

</project>

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>spring-boot-actuator-app</groupId>
    <artifactId>spring-boot-actuator-app</artifactId>
    <version>1.0-SNAPSHOT</version>

    <properties>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
        <maven.compiler.source>1.8</maven.compiler.source>
        <maven.compiler.target>1.8</maven.compiler.target>
    </properties>

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.3.8.RELEASE</version>
        <relativePath/>
    </parent>

    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-actuator</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-devtools</artifactId>
        </dependency>

        <!-- BAD: No Spring Security enabled -->
        <!-- dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency -->

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-test</artifactId>
        </dependency>
    </dependencies>

</project>

#management.endpoints.web.base-path=/admin


#### BAD: All management endpoints are accessible ####
# vulnerable configuration (spring boot 1.0 - 1.4): exposes actuators by default

# vulnerable configuration (spring boot 1.5+): requires value false to expose sensitive actuators
management.security.enabled=false

# vulnerable configuration (spring boot 2+): exposes health and info only by default, here overridden to expose everything
management.endpoints.web.exposure.include=*


#### GOOD: All management endpoints have access control ####
# safe configuration (spring boot 1.0 - 1.4): exposes actuators by default
management.security.enabled=true

# safe configuration (spring boot 1.5+): requires value false to expose sensitive actuators
management.security.enabled=true

# safe configuration (spring boot 2+): exposes health and info only by default, here overridden to expose one additional endpoint which we assume is intentional and safe.
management.endpoints.web.exposure.include=beans,info,health

References

@jcogs33 jcogs33 force-pushed the jcogs33/java/insecure-spring-actuator-config-promotion branch from 536a312 to 63a1065 Compare July 14, 2025 16:00
@jcogs33 jcogs33 force-pushed the jcogs33/java/insecure-spring-actuator-config-promotion branch from 63a1065 to d8bbc2b Compare July 14, 2025 17:19
@jcogs33 jcogs33 force-pushed the jcogs33/java/insecure-spring-actuator-config-promotion branch from d8bbc2b to cde1939 Compare July 15, 2025 14:19
github-advanced-security[bot]
github-advanced-security bot found potential problems Jul 15, 2025
View reviewed changes
java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll
SpringBootParent() { this.getGroup().getValue() = "org.springframework.boot" }
}

/** Class of Spring Boot dependencies. */

Check warning

Code scanning / CodeQL

Class QLDoc style. Warning

The QLDoc for a class should start with 'A', 'An', or 'The'.
Jami Cogswell added 3 commits July 15, 2025 21:19
Java: split tests by versions
a7f57e6 
splitting is required to properly test each scenario
Java: fix test case for version 1.4
4eb4067 
Need the existence of an ApplicationProperties File, not an ApplicationProperties ConfigPair
Java: add overlay annotations
4f0cdad
@jcogs33 jcogs33 force-pushed the jcogs33/java/insecure-spring-actuator-config-promotion branch from c0680d1 to 9ac212d Compare July 16, 2025 01:57
@jcogs33 jcogs33 force-pushed the jcogs33/java/insecure-spring-actuator-config-promotion branch from 9ac212d to 8dd8c17 Compare July 16, 2025 19:43
github-advanced-security[bot]
github-advanced-security bot found potential problems Jul 16, 2025
View reviewed changes
java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql
Comment on lines +1 to +25
/**
* @name Insecure Spring Boot Actuator Configuration
* @description Exposed Spring Boot Actuator through configuration files without declarative or procedural
* security enforcement leads to information leak or even remote code execution.
* @kind problem
* @problem.severity error
* @precision high
* @id java/insecure-spring-actuator-config
* @tags security
* experimental
* external/cwe/cwe-016
*/

import java
import semmle.code.xml.MavenPom
import semmle.code.java.security.SpringBootActuatorsConfigQuery

from SpringBootPom pom, Dependency d, ApplicationPropertiesOption apOption
where
hasConfidentialEndPointExposed(pom, apOption) and
d = pom.getADependency() and
d.getArtifact().getValue() = "spring-boot-starter-actuator"
select d,
"Insecure $@ of Spring Boot Actuator exposes sensitive endpoints (" +
pom.getParentElement().getVersionString() + ").", apOption, "configuration"

Check warning

Code scanning / CodeQL

Missing security metadata Warning

This query file is missing a @security-severity tag.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Awaiting requested review from Copilot Copilot will automatically review once the pull request is marked ready for review

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
documentation Java
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@jcogs33