package testcode.csrf;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

/**
 * Sample controller whose handler mappings are all deliberately CSRF-unsafe
 * (see the {@code Unsafe} prefix and the {@code testcode.csrf} package).
 *
 * <p>Every handler below is mapped with {@link RequestMapping} so that the
 * endpoint is reachable through at least one request method that Spring
 * Security's CSRF filter does not protect by default (GET, HEAD, TRACE,
 * OPTIONS) while also, or instead, being reachable through a state-changing
 * method. The handler bodies are intentionally empty: only the annotations
 * matter for this fixture.
 */
@Controller
@RequestMapping("/test")
public class UnsafeSpringCsrfRequestMappingController {

  /**
   * No {@code method} attribute at all: the mapping accepts every HTTP request
   * method, so the endpoint can be reached through unprotected methods.
   */
  @RequestMapping("/request-mapping-no-method")
  public void requestMappingNoMethod() {
  }

  /**
   * An explicitly empty {@code method} array is the annotation's default and
   * is therefore equivalent to omitting the attribute: this mapping accepts
   * every request method exactly like {@link #requestMappingNoMethod()}.
   * Note that, unlike the other mappings here, the path has no leading slash.
   */
  @RequestMapping(value = "request-mapping-method-empty", method = {})
  public void requestMappingEmptyMethod() {
  }

  /**
   * Common mix: one unprotected method (GET) alongside one protected,
   * state-changing method (POST) on the same endpoint.
   */
  @RequestMapping(value = "/request-mapping-unprotected-and-protected-methods", method = {RequestMethod.GET, RequestMethod.POST})
  public void requestMappingUnprotectedAndProtectedMethods() {
  }

  /**
   * Same mix with less common methods: OPTIONS is unprotected, PATCH is
   * protected, and both are mapped to the same handler.
   */
  @RequestMapping(value = "/request-mapping-unprotected-and-protected-uncommon-methods", method = {RequestMethod.OPTIONS, RequestMethod.PATCH})
  public void requestMappingUnprotectedAndProtectedUncommonMethods() {
  }

  /**
   * Every unprotected method (GET, HEAD, TRACE, OPTIONS) plus a single
   * protected one (PATCH); the single protected method is enough to make the
   * mapping unsafe.
   */
  @RequestMapping(value = "/request-mapping-all-unprotected-methods-and-one-protected-method", method = {RequestMethod.GET, RequestMethod.HEAD, RequestMethod.TRACE, RequestMethod.OPTIONS, RequestMethod.PATCH})
  public void requestMappingAllUnprotectedMethodsAndOneProtectedMethod() {
  }

  /**
   * Every protected method (POST, PUT, DELETE, PATCH) plus a single
   * unprotected one (OPTIONS); the single unprotected method is enough to make
   * the mapping unsafe.
   */
  @RequestMapping(value = "/request-mapping-all-protected-methods-and-one-unprotected-method", method = {RequestMethod.POST, RequestMethod.PUT, RequestMethod.DELETE, RequestMethod.PATCH, RequestMethod.OPTIONS})
  public void requestMappingAllProtectedMethodsAndOneUnprotectedMethod() {
  }
}