
I am working on a project that has pending Checkmarx issues (recently migrated from Veracode), and there is a problem with this security stuff:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class Security extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        // Enables CORS support and switches CSRF protection off for every URL
        httpSecurity.cors().and().csrf().disable();
    }
}

Checkmarx doesn't like it and shows me this:

SecurityConfiguration.java gets a parameter from a user request from disable. This parameter value flows through the code and is eventually used to access application state-altering functionality. This may enable Cross-Site Request Forgery (XSRF)

I should also add that the requests made in this Spring Boot app are handled with an ID token, and according to the quick reading I have done, the class should be well defined. (Hope so.)

If someone has a clue how to solve what Checkmarx does not like, it would be very helpful. Good day!


1 Answer

The Checkmarx scan does not like the part where CSRF is disabled completely for all URLs. If you have any specific URL for which you want to enable CSRF, you can add the following code.

    import javax.servlet.http.HttpServletRequest;

    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
    import org.springframework.security.web.util.matcher.RequestMatcher;

    @Configuration
    @EnableWebSecurity
    public class Security extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity httpSecurity) throws Exception {
            RequestMatcher csrfRequestMatcher = new RequestMatcher() {

                // CSRF protection is NOT required on the following URLs:
                private final AntPathRequestMatcher[] requestMatchers = {
                    new AntPathRequestMatcher("/login"),
                    new AntPathRequestMatcher("/logout"),
                    new AntPathRequestMatcher("/verify/**")
                };

                @Override
                public boolean matches(HttpServletRequest request) {
                    // If the request matches one of the URLs above, CSRF protection is skipped
                    for (AntPathRequestMatcher rm : requestMatchers) {
                        if (rm.matches(request)) { return false; }
                    }
                    // Every other request must carry a valid CSRF token
                    return true;
                }
            };

            // Only requests for which the matcher returns true are CSRF-checked
            httpSecurity.csrf()
                .requireCsrfProtectionMatcher(csrfRequestMatcher);
            // other validations (authorizeRequests(), cors(), ...) go here
        }
    }

Try the following link for a detailed answer: Spring Security 3.2 CSRF disable for specific URLs
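Building on the answer's inverted-matcher idea and the question's remark that requests carry an ID token, here is an added example (my own, not code from the question, the answer or Spring Security) of a matcher that exempts only safe methods, an explicit allow-list and header-authenticated requests, so cookie-backed state-changing requests still need a CSRF token. The class name, the paths and the token value are made up; it assumes Spring Security 5.x on the javax.servlet API with spring-test on the classpath for MockHttpServletRequest.

```java
import java.util.Arrays;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

/**
 * Hypothetical matcher (not from the question or the answer). CSRF protection is
 * required for every request EXCEPT safe methods, an explicit allow-list such as
 * /login, and requests authenticated by an "Authorization: Bearer" header. A browser
 * never adds a Bearer header on its own, so a cross-site form post cannot take that
 * branch, while cookie-backed sessions still have to present a CSRF token.
 */
public class BearerAwareCsrfMatcher implements RequestMatcher {
    private static final List<String> SAFE_METHODS = Arrays.asList("GET", "HEAD", "OPTIONS", "TRACE");
    private final AntPathRequestMatcher[] exempt;

    public BearerAwareCsrfMatcher(String... patterns) {
        exempt = Arrays.stream(patterns).map(AntPathRequestMatcher::new)
                       .toArray(AntPathRequestMatcher[]::new);
    }

    @Override
    public boolean matches(HttpServletRequest request) {
        if (SAFE_METHODS.contains(request.getMethod())) return false; // must not alter state
        String auth = request.getHeader("Authorization");
        if (auth != null && auth.startsWith("Bearer ")) return false; // header-based auth
        for (AntPathRequestMatcher m : exempt) {
            if (m.matches(request)) return false;                     // allow-listed URL
        }
        return true; // everything else must carry a valid CSRF token
    }

    // Constructed POST request; AntPathRequestMatcher matches on servletPath + pathInfo
    private static MockHttpServletRequest post(String path) {
        MockHttpServletRequest r = new MockHttpServletRequest("POST", path);
        r.setServletPath(path);
        return r;
    }

    public static void main(String[] args) {
        RequestMatcher m = new BearerAwareCsrfMatcher("/login", "/logout", "/verify/**");
        MockHttpServletRequest bearerPost = post("/account/transfer");
        bearerPost.addHeader("Authorization", "Bearer <id-token-placeholder>");
        System.out.println("cookie POST /account/transfer requires CSRF: " + m.matches(post("/account/transfer")));
        System.out.println("bearer POST /account/transfer requires CSRF: " + m.matches(bearerPost));
        System.out.println("POST /login requires CSRF: " + m.matches(post("/login")));
    }
}
```

Wire it in the same way as the answer's anonymous matcher, via httpSecurity.csrf().requireCsrfProtectionMatcher(new BearerAwareCsrfMatcher("/login", "/logout", "/verify/**")).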