
Java: Promote Insecure Spring Boot Actuator Configuration query from experimental #20006


Open
jcogs33 wants to merge 21 commits into main from jcogs33/java/insecure-spring-actuator-config-promotion

Conversation


@jcogs33 jcogs33 commented Jul 9, 2025

Description

This PR promotes java/insecure-spring-actuator-config from experimental as java/spring-boot-exposed-actuators-config (original PR: #5384).

Consideration

Main changes from the experimental query:

  • Instead of requiring an application.properties file, I've used the pre-existing JavaProperty class which only looks for the .properties extension. Spring allows changing the application.properties name, so this update reduces FNs.
  • Added support for version 3.x.
  • Added support for management.endpoint.web.expose. This property is not particularly common, but was available in at least one 2.x version, so I've added it since it was easy to add.
  • Placed the query under CWE-200 instead of CWE-016. CWE-016 is a category, and my understanding from our metadata style guide is that we should use CWEs that are a base/class weakness, not a category. (I did the same for Java: Promote Spring Boot Actuators query from experimental #18793.)
  • Also see inline comments.


github-actions bot commented Jul 9, 2025

QHelp previews:

java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/SpringBootActuatorsConfig.qhelp

Exposed Spring Boot actuators in configuration file

Spring Boot includes features called actuators that let you monitor and interact with your web application. Exposing unprotected actuator endpoints through configuration files can lead to information disclosure or even to remote code execution.

Recommendation

Since actuator endpoints may contain sensitive information, carefully consider when to expose them, and secure them as you would any sensitive URL. If you need to expose actuator endpoints, use Spring Security, which secures actuators by default, or define a custom security configuration.

Example

The following examples show application.properties configurations that expose sensitive actuator endpoints.

# vulnerable configuration (Spring Boot 1.0 - 1.4): endpoints are exposed by default, so no property needs to be set

# vulnerable configuration (Spring Boot 1.5): false value exposes endpoints
management.security.enabled=false

# vulnerable configuration (Spring Boot 2.x): exposes all endpoints
management.endpoints.web.exposure.include=*

# vulnerable configuration (Spring Boot 3.x): exposes all endpoints
management.endpoints.web.exposure.include=*

The following configurations ensure that sensitive actuator endpoints are not exposed.

# safe configuration (Spring Boot 1.0 - 1.4)
management.security.enabled=true

# safe configuration (Spring Boot 1.5+)
management.security.enabled=true

# safe configuration (Spring Boot 2.x): exposes only health and info, the 2.x defaults
management.endpoints.web.exposure.include=health,info

# safe configuration (Spring Boot 3.x): exposes only health, the 3.x default
management.endpoints.web.exposure.include=health

To use Spring Security, which secures actuators by default, add the spring-boot-starter-security dependency in your Maven pom.xml file.

...
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-actuator</artifactId>
        </dependency>

        <!-- GOOD: Enable Spring Security -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
...

References

@jcogs33 jcogs33 force-pushed the jcogs33/java/insecure-spring-actuator-config-promotion branch 3 times, most recently from d8bbc2b to cde1939 Compare July 15, 2025 14:19
@jcogs33 jcogs33 force-pushed the jcogs33/java/insecure-spring-actuator-config-promotion branch from c0680d1 to 9ac212d Compare July 16, 2025 01:57
@jcogs33 jcogs33 force-pushed the jcogs33/java/insecure-spring-actuator-config-promotion branch from 9ac212d to 8dd8c17 Compare July 16, 2025 19:43
@jcogs33 jcogs33 force-pushed the jcogs33/java/insecure-spring-actuator-config-promotion branch from 8dd8c17 to c31fb17 Compare July 17, 2025 21:55
@jcogs33 jcogs33 force-pushed the jcogs33/java/insecure-spring-actuator-config-promotion branch from c31fb17 to 6a6b794 Compare July 17, 2025 22:29
@jcogs33 jcogs33 force-pushed the jcogs33/java/insecure-spring-actuator-config-promotion branch from 6a6b794 to 56f667d Compare July 17, 2025 23:23
@jcogs33 jcogs33 force-pushed the jcogs33/java/insecure-spring-actuator-config-promotion branch from 56f667d to 7250265 Compare July 18, 2025 21:50

from SpringBootStarterActuatorDependency d, JavaPropertyOption jpOption
where exposesSensitiveEndpoint(d, jpOption)
select d, "Insecure Spring Boot actuator $@ exposes sensitive endpoints.", jpOption, "configuration"
jcogs33 (Contributor Author) commented:

I'm conflicted about whether the alert location should be on the dependency in the pom file versus on the property in the configuration file. If the developer wants to fix the issue by adding Spring Security to the classpath, then they need to edit the pom file, so in that case the alert in the pom file makes sense, but if the developer wants to instead edit the configuration in the .properties file, then it would make more sense to have the alert there. I've left the alert location in the pom file for now with the config file as a related location, but let me know if you think I should switch them. (Note that switching them would require selecting the properties file as a whole for the 1.0-1.4 case where the necessary property does not exist).

Comment on lines +117 to +123
// version 2.x: exposes health and info only by default
springBootVersion.matches("2.%") and
not ep.getValue() = ["health", "info"]
or
// version 3.x: exposes health only by default
springBootVersion.matches("3.%") and
not ep.getValue() = "health"
jcogs33 (Contributor Author) commented:

I've changed this from checking for a specific list of endpoints to checking for not health/info to align with what the Spring documentation considers to be potentially sensitive endpoints. Let me know if you think this errs too much towards FPs, and I can change it back. This change only added 7 results in MRVA.
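
The rules stated in the QHelp preview above and in this review thread (1.0 - 1.4 exposed unless management.security.enabled=true, 1.5 exposed only when it is set to false, 2.x allowing health and info, 3.x allowing only health, plus the management.endpoint.web.expose key the PR adds) can be applied outside CodeQL too. The following checker is an added example written for this page; it is not the PR's CodeQL query and not the PR author's code. It reads a .properties file the way java.util.Properties does (comments, '=', ':' or whitespace separators, backslash continuations) and takes the Spring Boot version as an explicit argument, whereas the real query derives the version from the pom.xml dependency. The sample properties file is constructed, not taken from any project.

```python
"""Added example: version-aware check for exposed Spring Boot actuator configuration.
Not the CodeQL query under review; rules follow the QHelp text on this page."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SECURITY_ENABLED = "management.security.enabled"
# Exposure keys named in the PR description: the standard 2.x/3.x key and the
# older "management.endpoint.web.expose" spelling the PR adds support for.
EXPOSURE_KEYS = ("management.endpoints.web.exposure.include",
                 "management.endpoint.web.expose")


@dataclass
class Finding:
    version: str
    key: str
    value: Optional[str]
    reason: str


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader: '#' or '!' comment lines, 'key=value',
    'key:value' or 'key value', and backslash line continuations. Later keys win."""
    props: Dict[str, str] = {}
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        m = re.match(r"^([^=:\s]+)(?:\s*[=:]\s*|\s+)?(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_actuator_exposure(props: Dict[str, str], version: str) -> List[Finding]:
    """Apply the QHelp rules for the given Spring Boot version ("1.4.7", "2.x", ...)."""
    m = re.match(r"(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised Spring Boot version: {version!r}")
    major, minor = int(m.group(1)), int(m.group(2) or 0)
    findings: List[Finding] = []
    enabled = props.get(SECURITY_ENABLED)
    if major == 1 and minor <= 4:
        # 1.0 - 1.4: exposed by default; only an explicit true secures the endpoints.
        if enabled is None or enabled.lower() != "true":
            findings.append(Finding(version, SECURITY_ENABLED, enabled,
                                    "endpoints exposed by default; set management.security.enabled=true"))
    elif major == 1:
        # 1.5: secured by default; an explicit false exposes the endpoints.
        if enabled is not None and enabled.lower() == "false":
            findings.append(Finding(version, SECURITY_ENABLED, enabled,
                                    "management.security.enabled=false disables endpoint security"))
    elif major in (2, 3):
        # 2.x exposes health and info by default, 3.x only health; anything else
        # in the include list (the wildcard included) is treated as sensitive.
        allowed = {"health", "info"} if major == 2 else {"health"}
        for key in EXPOSURE_KEYS:
            value = props.get(key)
            if value is None:
                continue
            sensitive = [e.strip() for e in value.split(",")
                         if e.strip() and e.strip() not in allowed]
            if sensitive:
                findings.append(Finding(version, key, value,
                                        "exposes sensitive endpoint(s): " + ", ".join(sensitive)))
    return findings


def scan(text: str, version: str) -> List[Finding]:
    """Parse a .properties file body and report exposed-actuator findings."""
    return check_actuator_exposure(parse_properties(text), version)


# Constructed sample application.properties, not taken from any real project.
SAMPLE_2X = """\
# constructed sample
server.port=8080
management.endpoints.web.exposure.include = health,info,\\
    env,heapdump
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_2X, "2.7.18"):
        print(f"[{f.version}] {f.key}={f.value}: {f.reason}")
```

Like the query's JavaProperty-based detection, this only covers .properties files; Spring Boot also reads application.yml, and a file that is not the active profile's configuration would still be flagged, so treat a finding as a prompt to confirm which configuration is actually loaded.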

@jcogs33 jcogs33 marked this pull request as ready for review July 19, 2025 19:47
@Copilot Copilot AI review requested due to automatic review settings July 19, 2025 19:47
@jcogs33 jcogs33 requested a review from a team as a code owner July 19, 2025 19:47
@Copilot Copilot AI left a comment

Pull Request Overview

This PR promotes the experimental query java/insecure-spring-actuator-config to the main query pack as java/spring-boot-exposed-actuators-config, enabling it to appear in default CodeQL results.

Key changes include:

  • Adding support for Spring Boot version 3.x
  • Extending configuration property detection beyond application.properties to any .properties file
  • Refactoring from experimental CWE-016 categorization to production CWE-200

Reviewed Changes

Copilot reviewed 46 out of 46 changed files in this pull request and generated 1 comment.

File Description
java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/SpringBootActuatorsConfig.ql New main query implementing the promoted actuator configuration detection
java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll Core logic library for detecting insecure Spring Boot actuator configurations
java/ql/lib/semmle/code/configfiles/ConfigFiles.qll Added PropertiesFile class to support broader .properties file detection
java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/ Comprehensive test suite covering Spring Boot versions 1.x through 3.x
java/ql/src/experimental/Security/CWE/CWE-016/ Removal of experimental query files
java/ql/integration-tests/java/query-suite/*.expected Updated query suite expectations to include the new query
