hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-25 08:45:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #18153 from owen-mc/java/resttemplate-getforobject

Browse Source 
Java: add SSRF sink model for the third parameter of `RestTemplate.getForObject`
This commit is contained in:
Owen Mansel-Chan
2024-12-11 16:37:35 +00:00
committed by GitHub
parent 538dee81b6 1420bce36a
commit 066db766ef
4 changed files with 99 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
java/ql/test/query-tests/security/CWE-918/SpringSSRF.java
View File

@@ -13,6 +13,7 @@ import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.Proxy.Type;
import java.io.InputStream;
import java.util.Map;
import org.apache.http.client.methods.HttpGet;
import javax.servlet.ServletException;
@@ -32,6 +33,14 @@ public class SpringSSRF extends HttpServlet {
restTemplate.exchange(fooResourceUrl, HttpMethod.POST, request, String.class); // $ SSRF
restTemplate.execute(fooResourceUrl, HttpMethod.POST, null, null, "test"); // $ SSRF
restTemplate.getForObject(fooResourceUrl, String.class, "test"); // $ SSRF
restTemplate.getForObject("http://{foo}", String.class, fooResourceUrl); // $ SSRF
restTemplate.getForObject("http://{foo}/a/b", String.class, fooResourceUrl); // $ SSRF
restTemplate.getForObject("http://safe.com/{foo}", String.class, fooResourceUrl); // not bad - the tainted value does not affect the host
restTemplate.getForObject("http://{foo}", String.class, "safe.com", fooResourceUrl); // not bad - the tainted value is unused
restTemplate.getForObject("http://{foo}", String.class, Map.of("foo", fooResourceUrl)); // $ SSRF
restTemplate.getForObject("http://safe.com/{foo}", String.class, Map.of("foo", fooResourceUrl)); // not bad - the tainted value does not affect the host
restTemplate.getForObject("http://{foo}", String.class, Map.of("foo", "safe.com", "unused", fooResourceUrl)); // $ SPURIOUS: SSRF // not bad - the key for the tainted value is unused
restTemplate.getForObject("http://{foo}", String.class, Map.of("foo", "safe.com", fooResourceUrl, "unused")); // not bad - the tainted value is in a map key
restTemplate.patchForObject(fooResourceUrl, new String("object"), String.class, "hi"); // $ SSRF
restTemplate.postForEntity(new URI(fooResourceUrl), new String("object"), String.class); // $ SSRF
restTemplate.postForLocation(fooResourceUrl, new String("object")); // $ SSRF