add verified rule

yaklang · Aug 20, 2024 · b9ab9ba · b9ab9ba
1 parent b37bed3
commit b9ab9ba
Show file tree

Hide file tree

Showing 3 changed files with 301 additions and 0 deletions.
diff --git a/java-verified-rules/java-springboot-websecurity-click-hijack-checking.sf b/java-verified-rules/java-springboot-websecurity-click-hijack-checking.sf
@@ -0,0 +1,114 @@
+desc(
+    title: "Find Simple Trail of frameOptions Disabled",
+    type: vuln,
+    level: low,
+    desc: <<<TEXT
+禁用 X-Frame-Options 头部可能会使应用程序容易受到点击劫持攻击。建议启用该头部，以防止应用程序被嵌入到其他网站的iframe中。
+TEXT
+)
+
+.csrf().disable() as $vuln;
+check $vuln;
+alert $vuln;
+
+desc(
+    lang: java,
+'safefile:///safeconfig.java': <<<CONFIG
+package com.ruoyi.modules.monitor.config;
+
+import de.codecentric.boot.admin.server.config.AdminServerProperties;
+import org.springframework.context.annotation.Bean;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
+
+@EnableWebSecurity
+public class WebSecurityConfigurer
+{
+    private final String adminContextPath;
+
+    public WebSecurityConfigurer(AdminServerProperties adminServerProperties)
+    {
+        this.adminContextPath = adminServerProperties.getContextPath();
+    }
+
+    @Bean
+    public SecurityFilterChain filterChain(HttpSecurity httpSecurity) throws Exception
+    {
+        SavedRequestAwareAuthenticationSuccessHandler successHandler = new SavedRequestAwareAuthenticationSuccessHandler();
+        successHandler.setTargetUrlParameter("redirectTo");
+        successHandler.setDefaultTargetUrl(adminContextPath + "/");
+
+        return httpSecurity
+                .authorizeRequests()
+                .antMatchers(adminContextPath + "/assets/**"
+                        , adminContextPath + "/login"
+                        , adminContextPath + "/actuator/**"
+                        , adminContextPath + "/instances/**"
+                ).permitAll()
+                .anyRequest().authenticated()
+                .and()
+                .formLogin().loginPage(adminContextPath + "/login")
+                .successHandler(successHandler).and()
+                .logout().logoutUrl(adminContextPath + "/logout")
+                .and()
+                .httpBasic().and()
+                .build();
+    }
+}
+CONFIG,
+'file:///config.java': <<<CONFIG
+package com.ruoyi.modules.monitor.config;
+
+import de.codecentric.boot.admin.server.config.AdminServerProperties;
+import org.springframework.context.annotation.Bean;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
+
+/**
+ * 监控权限配置
+ *
+ * @author ruoyi
+ */
+@EnableWebSecurity
+public class WebSecurityConfigurer
+{
+    private final String adminContextPath;
+
+    public WebSecurityConfigurer(AdminServerProperties adminServerProperties)
+    {
+        this.adminContextPath = adminServerProperties.getContextPath();
+    }
+
+    @Bean
+    public SecurityFilterChain filterChain(HttpSecurity httpSecurity) throws Exception
+    {
+        SavedRequestAwareAuthenticationSuccessHandler successHandler = new SavedRequestAwareAuthenticationSuccessHandler();
+        successHandler.setTargetUrlParameter("redirectTo");
+        successHandler.setDefaultTargetUrl(adminContextPath + "/");
+
+        return httpSecurity
+                .headers().frameOptions().disable()
+                .and().authorizeRequests()
+                .antMatchers(adminContextPath + "/assets/**"
+                        , adminContextPath + "/login"
+                        , adminContextPath + "/actuator/**"
+                        , adminContextPath + "/instances/**"
+                ).permitAll()
+                .anyRequest().authenticated()
+                .and()
+                .formLogin().loginPage(adminContextPath + "/login")
+                .successHandler(successHandler).and()
+                .logout().logoutUrl(adminContextPath + "/logout")
+                .and()
+                .httpBasic().and()
+                .csrf()
+                .disable()
+                .build();
+    }
+}
+CONFIG,
+)
diff --git a/java-verified-rules/java-springfox-awared.sf b/java-verified-rules/java-springfox-awared.sf
@@ -0,0 +1,72 @@
+desc(
+    title: 'Checking [Swagger2 Configuration] in Springfox Aware',
+    type: audit,
+    level: low,
+    desc: <<<TEXT
+Springfox 是一个用于生成 Spring Boot 应用程序的 API 文档的库，主要与 Swagger 结合使用。它通过注解和配置来自动生成 API 文档，并提供一个用户友好的界面来查看和测试 API。
+TEXT
+)
+
+.api?{ <getFormalParams>?{<typeName>?{have: SwaggerProperties} } } as $config;
+check $config
+alert $config;
+
+desc(
+'file://config.java': <<<TEXT
+package com.ruoyi.common.swagger.config;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import springfox.documentation.spi.DocumentationType;
+import springfox.documentation.spi.service.contexts.SecurityContext;
+import springfox.documentation.spring.web.plugins.ApiSelectorBuilder;
+import springfox.documentation.spring.web.plugins.Docket;
+import springfox.documentation.swagger2.annotations.EnableSwagger2;
+
+@Configuration
+@EnableSwagger2
+@EnableConfigurationProperties(SwaggerProperties.class)
+@ConditionalOnProperty(name = "swagger.enabled", matchIfMissing = true)
+@Import({SwaggerBeanPostProcessor.class, SwaggerWebConfiguration.class})
+public class SwaggerAutoConfiguration
+{
+    /**
+     * 默认的排除路径，排除Spring Boot默认的错误处理路径和端点
+     */
+    private static final List<String> DEFAULT_EXCLUDE_PATH = Arrays.asList("/error", "/actuator/**");
+
+    private static final String BASE_PATH = "/**";
+
+    @Bean
+    public Docket api(SwaggerProperties swaggerProperties)
+    {
+        // base-path处理
+        if (swaggerProperties.getBasePath().isEmpty())
+        {
+            swaggerProperties.getBasePath().add(BASE_PATH);
+        }
+        // noinspection unchecked
+        List<Predicate<String>> basePath = new ArrayList<Predicate<String>>();
+        swaggerProperties.getBasePath().forEach(path -> basePath.add(PathSelectors.ant(path)));
+
+        // exclude-path处理
+        if (swaggerProperties.getExcludePath().isEmpty())
+        {
+            swaggerProperties.getExcludePath().addAll(DEFAULT_EXCLUDE_PATH);
+        }
+
+        List<Predicate<String>> excludePath = new ArrayList<>();
+        swaggerProperties.getExcludePath().forEach(path -> excludePath.add(PathSelectors.ant(path)));
+
+        ApiSelectorBuilder builder = new Docket(DocumentationType.SWAGGER_2).host(swaggerProperties.getHost())
+                .apiInfo(apiInfo(swaggerProperties)).select()
+                .apis(RequestHandlerSelectors.basePackage(swaggerProperties.getBasePackage()));
+
+        swaggerProperties.getBasePath().forEach(p -> builder.paths(PathSelectors.ant(p)));
+        swaggerProperties.getExcludePath().forEach(p -> builder.paths(PathSelectors.ant(p).negate()));
+
+        return builder.build().securitySchemes(securitySchemes()).securityContexts(securityContexts()).pathMapping("/");
+    }
+}
+TEXT
+)
diff --git a/java-verified-rules/java-websecurity-csrf-disabled-simple.sf b/java-verified-rules/java-websecurity-csrf-disabled-simple.sf
@@ -0,0 +1,115 @@
+desc(
+    title: "Find Simple Trail of CSRF Disabled",
+    type: vuln,
+    level: low,
+    desc: <<<TEXT
+禁用CSRF（跨站请求伪造）保护可能会使应用程序容易受到CSRF攻击。虽然在某些情况下（例如API服务）可以考虑禁用CSRF，但在Web应用程序中，建议保留CSRF保护
+TEXT
+)
+
+.csrf().disable() as $vuln;
+check $vuln;
+alert $vuln;
+
+desc(
+    lang: java,
+'safefile:///safeconfig.java': <<<CONFIG
+package com.ruoyi.modules.monitor.config;
+
+import de.codecentric.boot.admin.server.config.AdminServerProperties;
+import org.springframework.context.annotation.Bean;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
+
+@EnableWebSecurity
+public class WebSecurityConfigurer
+{
+    private final String adminContextPath;
+
+    public WebSecurityConfigurer(AdminServerProperties adminServerProperties)
+    {
+        this.adminContextPath = adminServerProperties.getContextPath();
+    }
+
+    @Bean
+    public SecurityFilterChain filterChain(HttpSecurity httpSecurity) throws Exception
+    {
+        SavedRequestAwareAuthenticationSuccessHandler successHandler = new SavedRequestAwareAuthenticationSuccessHandler();
+        successHandler.setTargetUrlParameter("redirectTo");
+        successHandler.setDefaultTargetUrl(adminContextPath + "/");
+
+        return httpSecurity
+                .headers().frameOptions().disable()
+                .and().authorizeRequests()
+                .antMatchers(adminContextPath + "/assets/**"
+                        , adminContextPath + "/login"
+                        , adminContextPath + "/actuator/**"
+                        , adminContextPath + "/instances/**"
+                ).permitAll()
+                .anyRequest().authenticated()
+                .and()
+                .formLogin().loginPage(adminContextPath + "/login")
+                .successHandler(successHandler).and()
+                .logout().logoutUrl(adminContextPath + "/logout")
+                .and()
+                .httpBasic().and()
+                .build();
+    }
+}
+CONFIG,
+'file:///config.java': <<<CONFIG
+package com.ruoyi.modules.monitor.config;
+
+import de.codecentric.boot.admin.server.config.AdminServerProperties;
+import org.springframework.context.annotation.Bean;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
+
+/**
+ * 监控权限配置
+ *
+ * @author ruoyi
+ */
+@EnableWebSecurity
+public class WebSecurityConfigurer
+{
+    private final String adminContextPath;
+
+    public WebSecurityConfigurer(AdminServerProperties adminServerProperties)
+    {
+        this.adminContextPath = adminServerProperties.getContextPath();
+    }
+
+    @Bean
+    public SecurityFilterChain filterChain(HttpSecurity httpSecurity) throws Exception
+    {
+        SavedRequestAwareAuthenticationSuccessHandler successHandler = new SavedRequestAwareAuthenticationSuccessHandler();
+        successHandler.setTargetUrlParameter("redirectTo");
+        successHandler.setDefaultTargetUrl(adminContextPath + "/");
+
+        return httpSecurity
+                .headers().frameOptions().disable()
+                .and().authorizeRequests()
+                .antMatchers(adminContextPath + "/assets/**"
+                        , adminContextPath + "/login"
+                        , adminContextPath + "/actuator/**"
+                        , adminContextPath + "/instances/**"
+                ).permitAll()
+                .anyRequest().authenticated()
+                .and()
+                .formLogin().loginPage(adminContextPath + "/login")
+                .successHandler(successHandler).and()
+                .logout().logoutUrl(adminContextPath + "/logout")
+                .and()
+                .httpBasic().and()
+                .csrf()
+                .disable()
+                .build();
+    }
+}
+CONFIG,
+)