Java: update java/spring-disabled-csrf-protection QHelp

[jcogs33]

Description

Updates the overview section of the java/spring-disabled-csrf-protection QHelp to align with other CSRF queries. Context: #18288 (comment)

Also updates the name of the OWASP website. Context: #18288 (comment)

Autofix validation: I quickly checked the effect on autofix for a couple alerts. Autofix still successfully removes the .disable() call, but it now also discusses handling CSRF tokens in the fix descriptions and includes code related to CSRF tokens in one of the fix suggestions. Let me know if this sounds like a reason to avoid this wording update?
(Note that I purposefully did not include any explicit mention of tokens in this update, but the related Python and Ruby QHelp files do mention tokens.)

[github-actions]

QHelp previews:

java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.qhelp

Disabled Spring CSRF protection

Cross-site request forgery (CSRF) is a type of vulnerability in which an attacker is able to force a user to carry out an action that the user did not intend.

The attacker tricks an authenticated user into submitting a request to the web application. Typically, this request will result in a state change on the server, such as changing the user's password. The request can be initiated when the user visits a site controlled by the attacker. If the web application relies only on cookies for authentication, or on other credentials that are automatically included in the request, then this request will appear as legitimate to the server.

Recommendation

When you use Spring, Cross-Site Request Forgery (CSRF) protection is enabled by default. Spring's recommendation is to use CSRF protection for any request that could be processed by a browser client by normal users.

Example

The following example shows the Spring Java configuration with CSRF protection disabled. This type of configuration should only be used if you are creating a service that is used only by non-browser clients.

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http
      .csrf(csrf ->
        // BAD - CSRF protection shouldn't be disabled
        csrf.disable() 
      );
  }
}

References

• OWASP: Cross Site Request Forgery (CSRF).
• Spring Security Reference: Cross Site Request Forgery (CSRF) .
• Common Weakness Enumeration: CWE-352.

Copilot reviewed 1 out of 1 changed files in this pull request and generated no comments.

Tip: Copilot only keeps its highest confidence comments to reduce noise and keep you focused. Learn more