Skip to content

False positive Java. SpringBoot CSRF #22199

Description

@rcollette

Description of the false positive

Given a SpringBoot application that acts solely as an API/OIDC Resource Server and does not utilize cookies or state, where CSRF is disabled, the CodeQL / Disabled Spring CSRF protection should not be triggered.

Code samples or links to source code

  @Bean
  SecurityFilterChain securityFilterChain(
      final HttpSecurity http,
      final String privateScope,
      final AppUserPrincipalJwtAuthenticationConverter appUserPrincipalJwtAuthenticationConverter) {
    http.formLogin(AbstractHttpConfigurer::disable)
        .httpBasic(AbstractHttpConfigurer::disable)
        .csrf(AbstractHttpConfigurer::disable) // NOSONAR stateless JWT, no CSRF cookies
        .logout(AbstractHttpConfigurer::disable)
        .sessionManagement(
            session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
        .authorizeHttpRequests(
            authorize ->
                authorize
                    .dispatcherTypeMatchers(DispatcherType.ERROR, DispatcherType.FORWARD)
                    .permitAll()
                    .requestMatchers(RuntimeEndpointPaths.unauthenticatedPaths())
                    .permitAll()
                    .requestMatchers(
                        new RegexRequestMatcher(
                            RuntimeEndpointPaths.versionedInternalRouteRegex(), null))
                    .access(interactiveUserAuthorizationManager())
                    .requestMatchers(
                        new RegexRequestMatcher(
                            RuntimeEndpointPaths.versionedPrivateRouteRegex(), null))
                    .access(
                        callerTypeAuthorizationManager(
                            OidcCallerType.CLIENT_CREDENTIALS, privateScope))
                    .anyRequest()
                    .authenticated())
        .oauth2ResourceServer(
            oauth2 ->
                oauth2.jwt(
                    jwt ->
                        jwt.jwtAuthenticationConverter(
                            appUserPrincipalJwtAuthenticationConverter)));
    return http.build();
  }

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions