Java: support 'management.endpoints.web.expose' property

Author: Jami Cogswell

java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll

@@ -42,10 +42,13 @@ private class ManagementSecurityEnabledProperty extends JavaProperty {
   predicate hasSecurityDisabled() { this.getValue() = "false" }
 }
 
-/** The Spring Boot configuration property `management.endpoints.web.exposure.include`. */
-private class ManagementEndpointsIncludeProperty extends JavaProperty {
-  ManagementEndpointsIncludeProperty() {
-    this.getNameElement().getName() = "management.endpoints.web.exposure.include"
+/**
+ * The Spring Boot configuration property `management.endpoints.web.exposure.include`
+ * or `management.endpoints.web.expose`.
+ */
+private class ManagementEndpointsExposeProperty extends JavaProperty {
+  ManagementEndpointsExposeProperty() {
+    this.getNameElement().getName() = "management.endpoints.web." + ["exposure.include", "expose"]
   }
 
   /** Gets the whitespace-trimmed value of this property. */
@@ -105,13 +108,13 @@ predicate exposesSensitiveEndpoint(
       )
       or
       springBootVersion.matches(["2.%", "3.%"]) and //version 2.x and 3.x
-      exists(ManagementEndpointsIncludeProperty ip |
-        ip.getFile() = propFile and
-        ip = jpOption.asSome() and
+      exists(ManagementEndpointsExposeProperty ep |
+        ep.getFile() = propFile and
+        ep = jpOption.asSome() and
         (
-          ip.getValue() = "*" // all endpoints are exposed
+          ep.getValue() = "*" // all endpoints are exposed
           or
-          ip.getValue()
+          ep.getValue()
               .matches([
                   "%dump%", "%trace%", "%logfile%", "%shutdown%", "%startup%", "%mappings%",
                   "%env%", "%beans%", "%sessions%"

java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/expose/application.properties

@@ -0,0 +1,2 @@
+# vulnerable configuration (spring boot 2.0.0.RC1): exposes health and info only by default, here overridden to expose everything
+management.endpoints.web.expose=*

java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/pom.xml renamed to java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/expose/pom.xml

@@ -0,0 +1,47 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>spring-boot-actuator-app</groupId>
+    <artifactId>spring-boot-actuator-app</artifactId>
+    <version>1.0-SNAPSHOT</version>
+
+    <properties>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+        <maven.compiler.source>1.8</maven.compiler.source>
+        <maven.compiler.target>1.8</maven.compiler.target>
+    </properties>
+
+    <parent>
+        <groupId>org.springframework.boot</groupId>
+        <artifactId>spring-boot-starter-parent</artifactId>
+        <version>2.2.6.RELEASE</version>
+        <relativePath/>
+    </parent>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-web</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-actuator</artifactId>
+        </dependency> <!-- $ Alert -->
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-devtools</artifactId>
+        </dependency>
+        <!-- dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-security</artifactId>
+        </dependency -->
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-test</artifactId>
+        </dependency>
+    </dependencies>
+
+</project>