Add URLClassLoader and Spring WebClient SSRF sinks

2026-04-30 19:26:02 +02:00 · 2021-06-27 21:52:10 +04:00
parent e4af14638b
commit 0db7496617
8 changed files with 293 additions and 2 deletions
--- a/java/ql/test/query-tests/security/CWE-918/ReactiveWebClientSSRF.java
+++ b/java/ql/test/query-tests/security/CWE-918/ReactiveWebClientSSRF.java
@@ -0,0 +1,49 @@
+import org.springframework.http.HttpHeaders;
+import org.springframework.web.reactive.function.client.WebClient;
+import reactor.core.publisher.Mono;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+public class ReactiveWebClientSSRF extends HttpServlet {
+    protected void doGet(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        try {
+            String url = request.getParameter("uri");
+            WebClient webClient = WebClient.create(url); // $ SSRF
+
+            Mono<String> result = webClient.get()
+                    .uri("/")
+                    .retrieve()
+                    .bodyToMono(String.class);
+
+            result.block();
+        } catch (Exception e) {
+            // Ignore
+        }
+    }
+
+    protected void doPost(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        try {
+            String url = request.getParameter("uri");
+            WebClient webClient = WebClient.builder()
+                    .defaultHeader("User-Agent", "Java")
+                    .baseUrl(url) // $ SSRF
+                    .build();
+
+
+            Mono<String> result = webClient.get()
+                    .uri("/")
+                    .retrieve()
+                    .bodyToMono(String.class);
+
+            result.block();
+        } catch (Exception e) {
+            // Ignore
+        }
+    }
+}
--- a/java/ql/test/query-tests/security/CWE-918/URLClassLoaderSSRF.java
+++ b/java/ql/test/query-tests/security/CWE-918/URLClassLoaderSSRF.java
@@ -0,0 +1,98 @@
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.net.URI;
+import java.net.URL;
+import java.net.URLClassLoader;
+
+public class URLClassLoaderSSRF extends HttpServlet {
+
+    protected void doGet(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        try {
+            String url = request.getParameter("uri");
+            URI uri = new URI(url);
+            URLClassLoader urlClassLoader = new URLClassLoader(new URL[]{uri.toURL()}); // $ SSRF
+            Class<?> test = urlClassLoader.loadClass("test");
+        } catch (Exception e) {
+            // Ignore
+        }
+    }
+
+    protected void doPost(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        try {
+            String url = request.getParameter("uri");
+            URI uri = new URI(url);
+            URLClassLoader urlClassLoader = new URLClassLoader(new URL[]{uri.toURL()}, URLClassLoaderSSRF.class.getClassLoader()); // $ SSRF
+            Class<?> test = urlClassLoader.loadClass("test");
+        } catch (Exception e) {
+            // Ignore
+        }
+    }
+
+    protected void doPut(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        try {
+            String url = request.getParameter("uri");
+            URI uri = new URI(url);
+
+            URLStreamHandlerFactory urlStreamHandlerFactory = TomcatURLStreamHandlerFactory.getInstance();
+            URLClassLoader urlClassLoader = new URLClassLoader(new URL[]{uri.toURL()}, URLClassLoaderSSRF.class.getClassLoader(), urlStreamHandlerFactory); // $ SSRF
+            urlClassLoader.findResource("test");
+        } catch (Exception e) {
+            // Ignore
+        }
+    }
+
+    protected void doDelete(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        try {
+            String url = request.getParameter("uri");
+            URI uri = new URI(url);
+            URLClassLoader urlClassLoader = URLClassLoader.newInstance(new URL[]{uri.toURL()}); // $ SSRF
+            urlClassLoader.getResourceAsStream("test");
+        } catch (Exception e) {
+            // Ignore
+        }
+    }
+
+    protected void doOptions(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        try {
+            String url = request.getParameter("uri");
+            URI uri = new URI(url);
+            URLClassLoader urlClassLoader = 
+                new URLClassLoader("testClassLoader", 
+                    new URL[]{new URL[]{uri.toURL()}}, 
+                    URLClassLoaderSSRF.class.getClassLoader()
+                ); // $ SSRF
+
+            Class<?> rceTest = urlClassLoader.loadClass("RCETest");
+        } catch (Exception e) {
+            // Ignore
+        }
+    }
+
+    protected void doTrace(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        try {
+            String url = request.getParameter("uri");
+            URI uri = new URI(url);
+            URLStreamHandlerFactory urlStreamHandlerFactory = TomcatURLStreamHandlerFactory.getInstance();
+
+            URLClassLoader urlClassLoader =
+                new URLClassLoader("testClassLoader",
+                    new URL[]{uri.toURL()}, 
+                    URLClassLoaderSSRF.class.getClassLoader(), 
+                    urlStreamHandlerFactory
+                ); // $ SSRF
+
+            Class<?> rceTest = urlClassLoader.loadClass("RCETest");
+        } catch (Exception e) {
+            // Ignore
+        }
+    }
+}
--- a/java/ql/test/query-tests/security/CWE-918/options
+++ b/java/ql/test/query-tests/security/CWE-918/options
@@ -1 +1,2 @@
-//semmle-extractor-options: --javac-args -source 11 -target 11 -cp ${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/javax-ws-rs-api-2.1.1:${testdir}/../../../stubs/javax-ws-rs-api-3.0.0:${testdir}/../../../stubs/apache-http-4.4.13/:${testdir}/../../../stubs/servlet-api-2.4/
+//semmle-extractor-options: --javac-args -source 11 -target 11 -cp ${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/javax-ws-rs-api-2.1.1:${testdir}/../../../stubs/javax-ws-rs-api-3.0.0:${testdir}/../../../stubs/apache-http-4.4.13/:${testdir}/../../../stubs/servlet-api-2.4/:${testdir}/../../../stubs/projectreactor-3.4.3/
+