mcp-server-semgrep/semgrep-rules/java/spring/security/unrestricted-request-mapping.yaml

MCP Server for Semgrep Integration - static code analysis with AI

rules:
- id: unrestricted-request-mapping
  patterns:
  - pattern-inside: |
      @RequestMapping(...)
      $RETURNTYPE $METHOD(...) { ... }
  - pattern-not-inside: |
      @RequestMapping(..., method = $X, ...)
      $RETURNTYPE $METHOD(...) { ... }
  - pattern: |
      RequestMapping
  message: >-
    Detected a method annotated with 'RequestMapping' that does not specify
    the HTTP method. CSRF protections are not enabled for GET, HEAD, TRACE,
    or OPTIONS, and by default all HTTP methods are allowed when the HTTP method
    is not explicitly specified. This means that a method that performs state
    changes could be vulnerable to CSRF attacks. To mitigate, add the 'method'
    field and specify the HTTP method (such as 'RequestMethod.POST').
  severity: WARNING
  metadata:
    cwe:
    - 'CWE-352: Cross-Site Request Forgery (CSRF)'
    owasp:
    - A01:2021 - Broken Access Control
    source-rule-url: https://find-sec-bugs.github.io/bugs.htm#SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING
    references:
    - https://find-sec-bugs.github.io/bugs.htm#SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING
    category: security
    technology:
    - spring
    cwe2022-top25: true
    cwe2021-top25: true
    subcategory:
    - audit
    likelihood: LOW
    impact: MEDIUM
    confidence: LOW
  languages: [java]