Java: minor qhelp update

github · Jan 30, 2025 · d2a6fb9 · d2a6fb9
1 parent f4bb1ec
commit d2a6fb9
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 8 deletions.
diff --git a/java/ql/src/Security/CWE/CWE-352/CsrfUnprotectedRequestType.qhelp b/java/ql/src/Security/CWE/CWE-352/CsrfUnprotectedRequestType.qhelp
@@ -11,10 +11,9 @@ result in exposure of data or unintended code execution.</p>
 
 <recommendation>
 <p>Make sure any requests that change application state are protected from Cross Site Request Forgery (CSRF).
-Some application frameworks provide default CSRF protection for unsafe HTTP request methods (<code>POST</code>,
-<code>PUT</code>, <code>DELETE</code>, <code>PATCH</code>, <code>CONNECT</code>) which may change the state of
-the application. Safe HTTP request methods (<code>GET</code>, <code>HEAD</code>, <code>OPTIONS</code>,
-<code>TRACE</code>) should be read-only and should not be used for actions that change application state.</p>
+Some application frameworks provide default CSRF protection for unsafe HTTP request methods (such as
+<code>POST</code>) which may change the state of the application. Safe HTTP request methods (such as
+<code>GET</code>) should be read-only and should not be used for actions that change application state.</p>
 
 <p>This query currently supports the Spring and Stapler web frameworks. Spring provides default CSRF protection
 for all unsafe HTTP methods. Stapler provides default CSRF protection for the <code>POST</code> method.</p>

diff --git a/java/ql/src/Security/CWE/CWE-352/CsrfUnprotectedRequestTypeBadStapler.java b/java/ql/src/Security/CWE/CWE-352/CsrfUnprotectedRequestTypeBadStapler.java
@@ -7,6 +7,6 @@ public HttpRedirect doTransfer() {
 }
 
 // BAD - no HTTP request type is specified, so safe HTTP requests are allowed
-public HttpRedirect doDelete() {
-  return delete();
+public HttpRedirect doPost() {
+  return post();
 }
diff --git a/java/ql/src/Security/CWE/CWE-352/CsrfUnprotectedRequestTypeGoodStapler.java b/java/ql/src/Security/CWE/CWE-352/CsrfUnprotectedRequestTypeGoodStapler.java
@@ -8,6 +8,6 @@ public HttpRedirect doTransfer() {
 
 // GOOD - use POST
 @POST
-public HttpRedirect doDelete() {
-  return delete();
+public HttpRedirect doPost() {
+  return post();
 }