Python: Add SSRF queries

I've added 2 queries:

- one that detects full SSRF, where an attacker can control the full URL,
  which is always bad
- and one for partial SSRF, where an attacker can control parts of an
  URL (such as the path, query parameters, or fragment), which is not a
  big problem in many cases (but might still be exploitable)

full SSRF should run by default, and partial SSRF should not (but makes
it easy to see the other results).

Some elements of the full SSRF queries needs a bit more polishing, like
being able to detect `"https://" + user_input` is in fact controlling
the full URL.

python/ql/src/Security/CWE-918/PartialServerSideRequestForgery.ql

@@ -0,0 +1,25 @@
+/**
+ * @name Partial server-side request forgery
+ * @description Making a network request to a URL that is partially user-controlled allows for request forgery attacks.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 9.1
+ * @precision medium
+ * @id py/partial-ssrf
+ * @tags security
+ *       external/cwe/cwe-918
+ */
+
+import python
+import semmle.python.security.dataflow.ServerSideRequestForgery
+import DataFlow::PathGraph
+
+from
+  FullServerSideRequestForgery::Configuration fullConfig,
+  PartialServerSideRequestForgery::Configuration partialConfig, DataFlow::PathNode source,
+  DataFlow::PathNode sink
+where
+  partialConfig.hasFlowPath(source, sink) and
+  not fullConfig.hasFlow(source.getNode(), sink.getNode())
+select sink.getNode(), source, sink, "Part of the URL of this request depends on $@.",
+  source.getNode(), "a user-provided value"