Hello, I took the Spring courses and am now running the project through SonarQube. A few vulnerabilities came up, but I did not understand the reason for them. One of them only asks whether it is safe to call .disable() on .csrf():
```java
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
        .antMatchers(HttpMethod.GET, "/artigo").permitAll()
        .antMatchers(HttpMethod.GET, "/artigo/*").permitAll()
        .antMatchers(HttpMethod.POST, "/auth").permitAll()
        .anyRequest().authenticated()
        .and().cors()
        .and().csrf().disable()
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and().addFilterBefore(new FilterToken(tokenService, usuarioRepository), UsernamePasswordAuthenticationFilter.class);
}
```

In Sonar it shows:
Make sure disabling Spring Security's CSRF protection is safe here.
Category: Cross-Site Request Forgery (CSRF)
Review priority: High
Assignee: Not assigned
CSRF vulnerabilities occur when attackers can trick a user to perform sensitive authenticated operations on a web application without his consent.

```html
<body onload="document.forms[0].submit()">
<form action="http://mybank.com/account/transfer_money" method="POST">
<input type="hidden" name="accountNo" value="attacker_account_123456"/>
<input type="hidden" name="amount" value="10000"/>
<input type="submit" value="Steal money"/>
</form>
```

If a user visits the attacker's website which contains the above malicious code, his bank account will be debited without his consent and notice.
Sonar only asks me to remove the .disable(), but I remember that in the course this was essential for getting rid of the Session. I would just like to understand it, I am new to Spring. Thank you very much :)
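The following is an added example written for this thread; it is not code from the course or from the original post. It keeps the same stateless, token-based configuration as the question, but records next to the csrf() call the reasoning Sonar's hotspot is asking a reviewer to confirm: CSRF works because the browser attaches cookies (or Basic credentials) to cross-site requests on its own, so it only matters when the server authenticates by something the browser sends automatically. With SessionCreationPolicy.STATELESS there is no session cookie, and a bearer token read from the Authorization header cannot be added by a third-party page, so the CSRF filter protects nothing in that setup. The second method shows the chain to use instead if the token is ever moved into a cookie, because at that point CSRF becomes relevant again. FilterToken, TokenService and UsuarioRepository are the question's own names and are assumed to exist; everything else is Spring Security 5.x API.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

// Added example, not the course's or the post's code. FilterToken, TokenService
// and UsuarioRepository are assumed to be the question's own classes.
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    private final TokenService tokenService;
    private final UsuarioRepository usuarioRepository;

    public SecurityConfig(TokenService tokenService, UsuarioRepository usuarioRepository) {
        this.tokenService = tokenService;
        this.usuarioRepository = usuarioRepository;
    }

    // Stateless API authenticated by a bearer token in the Authorization header.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers(HttpMethod.GET, "/artigo", "/artigo/*").permitAll()
                .antMatchers(HttpMethod.POST, "/auth").permitAll()
                .anyRequest().authenticated()
            .and()
                .cors()
            .and()
                // No HttpSession is ever created, so there is no JSESSIONID cookie
                // that a browser would attach to a request forged by another site.
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
                // The only credential is a token the client itself must place in the
                // Authorization header. A page on another origin cannot set that
                // header on a cross-site form post, so a CSRF token adds nothing here.
                // This is the justification to record when marking the Sonar hotspot
                // as safe; it stops being true if the token is ever stored in a cookie.
                .csrf().disable()
                .addFilterBefore(new FilterToken(tokenService, usuarioRepository),
                                 UsernamePasswordAuthenticationFilter.class);
    }

    // Alternative chain for the case where the token lives in a cookie. Not an
    // @Override: it shows what would replace the csrf().disable() line above, because
    // a cookie is sent automatically and CSRF protection must then stay on.
    protected void configureWithCookieToken(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers(HttpMethod.GET, "/artigo", "/artigo/*").permitAll()
                .antMatchers(HttpMethod.POST, "/auth").permitAll()
                .anyRequest().authenticated()
            .and()
                .cors()
            .and()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
                // Double-submit pattern: Spring writes the CSRF token to an XSRF-TOKEN
                // cookie that front-end JavaScript reads and echoes in an X-XSRF-TOKEN
                // header on every state-changing request. Only the login endpoint,
                // which has no credential to protect yet, is exempted.
                .csrf()
                    .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                    .ignoringAntMatchers("/auth")
            .and()
                .addFilterBefore(new FilterToken(tokenService, usuarioRepository),
                                 UsernamePasswordAuthenticationFilter.class);
    }
}
```

The practical check before marking the hotspot as reviewed is therefore: where does FilterToken read the token from? If it is the Authorization header, the first configuration is the right one and the Sonar finding is a confirmation request, not a defect. If it is a cookie, the second chain applies and .disable() should not be used.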