Java: Promote Spring Boot Actuators query from experimental

[jcogs33]

This PR promotes java/spring-boot-exposed-actuators from experimental (original PRs: #2901 and #3506).

Changes from the experimental query:

• Updated the query to handle HttpSecurity.securityMatcher(s), HttpSecurity.authorizeHttpRequests, and AuthorizeHttpRequestsConfigurer, which were added in more recent Spring versions.
  • As a result, the springframework-5.3.8 stubs directory should technically be renamed to springframework-5.8.x. I'll do that in follow-up PR to avoid a large number of renamed stub files and updated options files on this PR.
• Placed the query under CWE-200 instead of CWE-016. CWE-016 is a category, and my understanding from our metadata style guide is that we should use CWEs that are a base/class weakness, not a category. Let me know if you disagree.

[github-actions]

QHelp previews:

java/ql/src/Security/CWE/CWE-200/SpringBootActuators.qhelp

Exposed Spring Boot actuators

Spring Boot includes features called actuators that let you monitor and interact with your web application. Exposing unprotected actuator endpoints can lead to information disclosure or even to remote code execution.

Recommendation

Since actuator endpoints may contain sensitive information, carefully consider when to expose them, and secure them as you would any sensitive URL. Actuators are secured by default when using Spring Security without a custom configuration. If you wish to define a custom security configuration, consider only allowing users with certain roles access to the endpoints.

Example

In the first example, the custom security configuration allows unauthenticated access to all actuator endpoints. This may lead to sensitive information disclosure and should be avoided.

In the second example, only users with ENDPOINT_ADMIN role are allowed to access the actuator endpoints.

@Configuration(proxyBeanMethods = false)
public class CustomSecurityConfiguration {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        // BAD: Unauthenticated access to Spring Boot actuator endpoints is allowed
        http.securityMatcher(EndpointRequest.toAnyEndpoint());
        http.authorizeHttpRequests((requests) -> requests.anyRequest().permitAll());
        return http.build();
    }

}

@Configuration(proxyBeanMethods = false)
public class CustomSecurityConfiguration {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        // GOOD: only users with ENDPOINT_ADMIN role are allowed to access the actuator endpoints
        http.securityMatcher(EndpointRequest.toAnyEndpoint());
        http.authorizeHttpRequests((requests) -> requests.anyRequest().hasRole("ENDPOINT_ADMIN"));
        return http.build();
    }

}

References

• Spring Boot Reference Documentation: Endpoints.
• Common Weakness Enumeration: CWE-200.