Codeql (#202)

* refactor: remove uneccessary csrf disable

* chore: bump dependencies

* chore: add custom codeql workflow

* chore: handle ssrf

.github/workflows/codeql.yaml

@@ -0,0 +1,22 @@
+name: Code scanning (CodeQL)
+
+on:
+  pull_request:
+    types: [ready_for_review, opened, reopened, synchronize]
+    branches:
+      - main
+  push:
+    branches:
+      - main
+  schedule:
+    - cron:  '0 2 * * *'
+
+jobs:
+  codeql:
+    name: Run codeql
+    uses: Informasjonsforvaltning/workflows/.github/workflows/codeql.yaml@main
+    with:
+      language: java
+      java_version: '21'
+    secrets:
+      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

pom.xml

@@ -12,7 +12,7 @@
     <parent>
         <groupId>org.springframework.boot</groupId>
         <artifactId>spring-boot-starter-parent</artifactId>
-        <version>3.4.0</version>
+        <version>3.4.2</version>
         <relativePath/> <!-- lookup parent from repository -->
     </parent>
 
@@ -32,9 +32,9 @@
         <maven.exec.skip>false</maven.exec.skip>
         <!--end standard properties-->
 
-        <kotlin.version>2.0.21</kotlin.version>
+        <kotlin.version>2.1.10</kotlin.version>
         <testcontainers.version>1.20.4</testcontainers.version>
-        <jena.version>5.2.0</jena.version>
+        <jena.version>5.3.0</jena.version>
     </properties>
 
     <dependencies>
@@ -67,7 +67,7 @@
         <dependency>
             <groupId>org.hibernate.validator</groupId>
             <artifactId>hibernate-validator</artifactId>
-            <version>8.0.1.Final</version>
+            <version>8.0.2.Final</version>
         </dependency>
 
         <!-- TEST -->
@@ -97,7 +97,7 @@
         <dependency>
             <groupId>org.wiremock</groupId>
             <artifactId>wiremock-standalone</artifactId>
-            <version>3.9.2</version>
+            <version>3.11.0</version>
             <scope>test</scope>
         </dependency>
 
@@ -127,7 +127,7 @@
         <dependency>
             <groupId>org.jetbrains.kotlinx</groupId>
             <artifactId>kotlinx-coroutines-core</artifactId>
-            <version>1.9.0</version>
+            <version>1.10.1</version>
         </dependency>
 
         <!-- JSON-LD dependencies -->

src/main/kotlin/no/digdir/organizationcatalog/adapter/EnhetsregisteretAdapter.kt

@@ -82,7 +82,14 @@ class EnhetsregisteretAdapter(private val appProperties: AppProperties) {
                 }
             }
 
-    private fun getOrganizationFromEnhetsregisteret(organizationId: String, isSubordinate: Boolean = false): EnhetsregisteretOrganization? =
+    private fun getOrganizationFromEnhetsregisteret(organizationId: String, isSubordinate: Boolean = false): EnhetsregisteretOrganization? {
+        try {
+            Integer.parseInt(organizationId)
+        } catch (e: NumberFormatException) {
+            LOGGER.warn("Invalid organization identifier for Enhetsregisteret '$organizationId'")
+            return null
+        }
+
         URL("${appProperties.enhetsregisteretProxyUrl}/${if (isSubordinate) "underenheter" else "enheter"}/$organizationId")
             .openConnection()
             .run {
@@ -104,6 +111,7 @@ class EnhetsregisteretAdapter(private val appProperties: AppProperties) {
                     null
                 }
             }
+    }
 
     fun getOrganizationsFromEnhetsregisteretByType(orgType: EnhetsregisteretType): List<EnhetsregisteretOrganization> {
         return getOrganizationsFromEnhetsregisteret("/enheter?organisasjonsform=$orgType&size=10000")

src/main/kotlin/no/digdir/organizationcatalog/security/SecurityConfig.kt

@@ -37,7 +37,6 @@ open class SecurityConfig(
                     config
                 }
             }
-            .csrf { it.disable() }
             .authorizeHttpRequests { authorize ->
                 authorize.requestMatchers(HttpMethod.OPTIONS).permitAll()
                     .requestMatchers(HttpMethod.GET).permitAll()