From 2525cfd786b985daa754cd06afeef588e0ea75ec Mon Sep 17 00:00:00 2001 From: Porcupiney Hairs Date: Fri, 13 Nov 2020 00:28:06 +0530 Subject: [PATCH] include suggestions from review. --- .../experimental/CWE-918/RequestForgery.qll | 2 - .../CWE-918/RequestForgeryCustomizations.qll | 22 +++-- .../code/java/frameworks/ApacheHttp.qll | 9 -- .../src/semmle/code/java/frameworks/JaxWS.qll | 2 +- .../code/java/frameworks/Networking.qll | 86 +++++++++++++++++++ .../code/java/frameworks/javase/Http.qll | 11 ++- .../code/java/frameworks/javase/URI.qll | 43 ---------- .../code/java/frameworks/javase/URL.qll | 47 ---------- .../java/frameworks/spring/SpringHttp.qll | 14 --- .../frameworks/spring/SpringWebClient.qll | 5 +- .../security/CWE-918/JaxWsSSRF.java | 24 ++++-- .../security/CWE-918/RequestForgery.expected | 64 +++++++------- .../security/CWE-918/SpringSSRF.java | 48 ++++++++--- 13 files changed, 197 insertions(+), 180 deletions(-) delete mode 100644 java/ql/src/semmle/code/java/frameworks/javase/URI.qll delete mode 100644 java/ql/src/semmle/code/java/frameworks/javase/URL.qll diff --git a/java/ql/src/experimental/CWE-918/RequestForgery.qll b/java/ql/src/experimental/CWE-918/RequestForgery.qll index 2cb447bbc02..64cdc679e0c 100644 --- a/java/ql/src/experimental/CWE-918/RequestForgery.qll +++ b/java/ql/src/experimental/CWE-918/RequestForgery.qll @@ -1,7 +1,5 @@ import java import semmle.code.java.dataflow.FlowSources -import semmle.code.java.frameworks.javase.URI -import semmle.code.java.frameworks.javase.URL import semmle.code.java.frameworks.javase.Http import semmle.code.java.dataflow.DataFlow diff --git a/java/ql/src/experimental/CWE-918/RequestForgeryCustomizations.qll b/java/ql/src/experimental/CWE-918/RequestForgeryCustomizations.qll index 7c16646d333..abbb5c190b9 100644 --- a/java/ql/src/experimental/CWE-918/RequestForgeryCustomizations.qll +++ b/java/ql/src/experimental/CWE-918/RequestForgeryCustomizations.qll 
@@ -2,8 +2,8 @@ import java import semmle.code.java.frameworks.Networking -import semmle.code.java.frameworks.javase.URI -import semmle.code.java.frameworks.javase.URL +import semmle.code.java.frameworks.ApacheHttp +import semmle.code.java.frameworks.spring.Spring import semmle.code.java.frameworks.JaxWS import semmle.code.java.frameworks.javase.Http import semmle.code.java.dataflow.DataFlow @@ -34,8 +34,8 @@ module RequestForgery { */ private class ApacheSetUri extends Sink { ApacheSetUri() { - exists(MethodAccess ma | - ma.getReceiverType() instanceof TypeApacheHttpRequest and + exists(MethodAccess ma, TypeApacheHttpRequestBase t | + ma.getReceiverType().extendsOrImplements(t) and ma.getMethod().hasName("setURI") | this.asExpr() = ma.getArgument(0) @@ -49,7 +49,9 @@ module RequestForgery { */ private class ApacheHttpRequestInstantiation extends Sink { ApacheHttpRequestInstantiation() { - exists(ClassInstanceExpr c | c.getConstructedType() instanceof TypeApacheHttpRequest | + exists(ClassInstanceExpr c, TypeApacheHttpRequestBase t | + c.getConstructedType().extendsOrImplements(t) + | this.asExpr() = c.getArgument(0) ) } @@ -115,8 +117,7 @@ module RequestForgery { */ private class JaxRsClientTarget extends Sink { JaxRsClientTarget() { - exists(MethodAccess ma, JaxRsClient t | - // ma.getMethod().getDeclaringType().getQualifiedName() ="javax.ws.rs.client.Client" and + exists(MethodAccess ma | ma.getMethod().getDeclaringType() instanceof JaxRsClient and ma.getMethod().hasName("target") | @@ -131,7 +132,12 @@ module RequestForgery { */ private class RequestEntityUriArg extends Sink { RequestEntityUriArg() { - exists(SpringRequestEntityInstanceExpr e | e.getUriArg() = this.asExpr()) + exists(ClassInstanceExpr e, Argument a | + e.getConstructedType() instanceof SpringRequestEntity and + e.getAnArgument() = a and + a.getType() instanceof TypeUri and + this.asExpr() = a + ) } } } 
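Review bot: In `ApacheSetUri`, `ma.getReceiverType().extendsOrImplements(t)` only matches receivers whose static type has `TypeApacheHttpRequestBase` as a direct supertype, assuming `extendsOrImplements` is the non-transitive relation it is in the standard Java library. A receiver declared as the base type itself, or as a class two or more levels below it, would then not be a sink, and the request-forgery query would silently miss those calls. Something like `ma.getReceiverType().getASupertype*() = t` would cover both cases. The `ApacheHttpRequestInstantiation` hunk uses the same condition (`c.getConstructedType().extendsOrImplements(t)`) and would need the same change; the body of `TypeApacheHttpRequestBase` is outside these hunks, so confirm what it matches first.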
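Review bot: The inlined `RequestEntityUriArg` body binds `Argument a` only to equate it with `this.asExpr()`, so the extra variable can go: `exists(ClassInstanceExpr e | e.getConstructedType() instanceof SpringRequestEntity and this.asExpr() = e.getAnArgument() and this.asExpr().getType() instanceof TypeUri)`. The sink also only sees `new RequestEntity(...)` expressions. Unless the static builders are modelled elsewhere, a URI passed through a form such as `RequestEntity.post(...)`, which the SpringSSRF test uses, is not covered by this class, and the doc comment above it (outside the hunk) should say so.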
diff --git a/java/ql/src/semmle/code/java/frameworks/ApacheHttp.qll b/java/ql/src/semmle/code/java/frameworks/ApacheHttp.qll index 92d1f8a7e7e..70cafd4fdc3 100644 --- a/java/ql/src/semmle/code/java/frameworks/ApacheHttp.qll +++ b/java/ql/src/semmle/code/java/frameworks/ApacheHttp.qll @@ -27,15 +27,6 @@ class TypeApacheHttpRequestBase extends RefType { } } -/* - * Any class which can be used to make an HTTP request using the Apache Http Client library - * Examples include `HttpGet`,`HttpPost` etc. - */ - -class TypeApacheHttpRequest extends Class { - TypeApacheHttpRequest() { exists(TypeApacheHttpRequestBase t | this.extendsOrImplements(t)) } -} - /* A class representing the `RequestBuilder` class of the Apache Http Client library */ class TypeApacheHttpRequestBuilder extends Class { TypeApacheHttpRequestBuilder() { diff --git a/java/ql/src/semmle/code/java/frameworks/JaxWS.qll b/java/ql/src/semmle/code/java/frameworks/JaxWS.qll index 6effa413f6c..50471d68fbf 100644 --- a/java/ql/src/semmle/code/java/frameworks/JaxWS.qll +++ b/java/ql/src/semmle/code/java/frameworks/JaxWS.qll @@ -171,7 +171,7 @@ class JaxRsResponseBuilder extends Class { } /** - * The class `javax.ws.rs.client.Client` + * The class `javax.ws.rs.client.Client`. */ class JaxRsClient extends RefType { JaxRsClient() { this.hasQualifiedName("javax.ws.rs.client", "Client") } diff --git a/java/ql/src/semmle/code/java/frameworks/Networking.qll b/java/ql/src/semmle/code/java/frameworks/Networking.qll index 83500822c3f..4ae68989ec0 100644 --- a/java/ql/src/semmle/code/java/frameworks/Networking.qll +++ b/java/ql/src/semmle/code/java/frameworks/Networking.qll @@ -4,6 +4,7 @@ import semmle.code.java.Type +// import semmle.code.java.dataflow.FlowSources /** The type `java.net.URLConnection`. */ class TypeUrlConnection extends RefType { TypeUrlConnection() { hasQualifiedName("java.net", "URLConnection") } 
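Review bot: The line added to `Networking.qll`, `// import semmle.code.java.dataflow.FlowSources`, is a commented-out import left between the real import and the first class. If the classes moved into this file do not need `FlowSources`, delete the line rather than shipping dead code in a library module; if they do, import it properly.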
@@ -41,3 +42,88 @@ class SocketGetInputStreamMethod extends Method { hasNoParameters() } } + +/** Any expresion or call which returns a new URI. */ +abstract class UriCreation extends Top { + /** + * Returns the host of the newly created URI. + * In the case where the host is specified separately, this returns only the host. + * In the case where the uri is parsed from an input string, + * such as in `URI(`http://foo.com/mypath')`, + * this returns the entire argument passed i.e. `http://foo.com/mypath'. + */ + abstract Expr hostArg(); +} + +/** An URI constructor expression */ +class UriConstructor extends ClassInstanceExpr, UriCreation { + UriConstructor() { this.getConstructor().getDeclaringType().getQualifiedName() = "java.net.URI" } + + override Expr hostArg() { + // URI​(String str) + result = this.getArgument(0) and this.getNumArgument() = 1 + or + // URI(String scheme, String ssp, String fragment) + // URI​(String scheme, String host, String path, String fragment) + // URI​(String scheme, String authority, String path, String query, String fragment) + result = this.getArgument(1) and this.getNumArgument() = [3, 4, 5] + or + // URI​(String scheme, String userInfo, String host, int port, String path, String query, + // String fragment) + result = this.getArgument(2) and this.getNumArgument() = 7 + } +} + +class UriCreate extends Call, UriCreation { + UriCreate() { + this.getCallee().getName() = "create" and + this.getCallee().getDeclaringType() instanceof TypeUri + } + + override Expr hostArg() { result = this.getArgument(0) } +} + +/* An URL constructor expression */ +class UrlConstructor extends ClassInstanceExpr { + UrlConstructor() { this.getConstructor().getDeclaringType().getQualifiedName() = "java.net.URL" } + + Expr hostArg() { + // URL(String spec) + this.getNumArgument() = 1 and result = this.getArgument(0) + or + // URL(String protocol, String host, int port, String file) + // URL(String protocol, String host, int port, String file, 
URLStreamHandler handler) + this.getNumArgument() = [4, 5] and result = this.getArgument(1) + or + // URL(String protocol, String host, String file) + // but not + // URL(URL context, String spec, URLStreamHandler handler) + ( + this.getNumArgument() = 3 and + this.getConstructor().getParameter(2).getType() instanceof TypeString + ) and + result = this.getArgument(1) + } + + Expr protocolArg() { + // In all cases except where the first parameter is a URL, the argument + // containing the protocol is the first one, otherwise it is the second. + if this.getConstructor().getParameter(0).getType().getName() = "URL" + then result = this.getArgument(1) + else result = this.getArgument(0) + } +} + +class UrlOpenStreamMethod extends Method { + UrlOpenStreamMethod() { + this.getDeclaringType() instanceof TypeUrl and + this.getName() = "openStream" + } +} + +class UrlOpenConnectionMethod extends Method { + UrlOpenConnectionMethod() { + this.getDeclaringType() instanceof TypeUrl and + this.getName() = "openConnection" + } +} diff --git a/java/ql/src/semmle/code/java/frameworks/javase/Http.qll b/java/ql/src/semmle/code/java/frameworks/javase/Http.qll index d48b61b0cf5..02349d8e467 100644 --- a/java/ql/src/semmle/code/java/frameworks/javase/Http.qll +++ b/java/ql/src/semmle/code/java/frameworks/javase/Http.qll @@ -1,7 +1,10 @@ -import java -import semmle.code.java.dataflow.FlowSources +/** + * Provides classes for identifying methods called by the Java net Http package. + */ -/** A class representing `HttpRequest.Builder`. */ +import java + +/** The interface representing `HttpRequest.Builder`. */ class TypeHttpRequestBuilder extends Interface { TypeHttpRequestBuilder() { hasQualifiedName("java.net.http", "HttpRequest$Builder") } } 
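Review bot: `UrlConstructor.hostArg()` has no case for `URL(URL context, String spec)` or `URL(URL context, String spec, URLStreamHandler handler)`, so a tainted `spec` passed alongside a context URL is never returned, even though `java.net.URL` lets an absolute `spec` replace the context's host. If `hostArg()` feeds the request-forgery sinks (the callers are outside this hunk), that is a false negative; a further disjunct `this.getConstructor().getParameter(0).getType() instanceof TypeUrl and result = this.getArgument(1)` would cover it. In `protocolArg()` the check `getType().getName() = "URL"` matches any type with that simple name; `getType() instanceof TypeUrl`, as already used in `UrlOpenStreamMethod`, is stricter. `/* An URL constructor expression */` is a plain comment rather than QLDoc (`/** A URL constructor expression. */`), and `UriCreate`, `UrlOpenStreamMethod` and `UrlOpenConnectionMethod` have no QLDoc at all.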
@@ -11,7 +14,7 @@ class TypeHttpRequest extends Interface { TypeHttpRequest() { hasQualifiedName("java.net.http", "HttpRequest") } } -/** A class representing `java.net.http.HttpRequest$Builder`'s `uri` method. */ +/** The `uri` method on `java.net.http.HttpRequest.Builder`. */ class HttpBuilderUri extends Method { HttpBuilderUri() { this.getDeclaringType() instanceof TypeHttpRequestBuilder and diff --git a/java/ql/src/semmle/code/java/frameworks/javase/URI.qll b/java/ql/src/semmle/code/java/frameworks/javase/URI.qll deleted file mode 100644 index c195962e56e..00000000000 --- a/java/ql/src/semmle/code/java/frameworks/javase/URI.qll +++ /dev/null 
@@ -1,43 +0,0 @@ -import java -import semmle.code.java.dataflow.FlowSources - -/** Any expresion or call which returns a new URI.*/ -abstract class UriCreation extends Top { - /** - * Returns the host of the newly created URI. - * In the case where the host is specified separately, this returns only the host. - * In the case where the uri is parsed from an input string, - * such as in `URI(`http://foo.com/mypath')`, - * this returns the entire argument passed i.e. `http://foo.com/mypath'. - */ - - abstract Expr hostArg(); -} - -/** An URI constructor expression */ -class UriConstructor extends ClassInstanceExpr, UriCreation { - UriConstructor() { this.getConstructor().getDeclaringType().getQualifiedName() = "java.net.URI" } - - override Expr hostArg() { - // URI​(String str) - result = this.getArgument(0) and this.getNumArgument() = 1 - or - // URI(String scheme, String ssp, String fragment) - // URI​(String scheme, String host, String path, String fragment) - // URI​(String scheme, String authority, String path, String query, String fragment) - result = this.getArgument(1) and this.getNumArgument() = [3, 4, 5] - or - // URI​(String scheme, String userInfo, String host, int port, String path, String query, - // String fragment) - result = this.getArgument(2) and this.getNumArgument() = 7 - } -} - -class UriCreate extends Call, UriCreation { - UriCreate() { - this.getCallee().getName() = "create" and - this.getCallee().getDeclaringType() instanceof TypeUri - } - - override Expr hostArg() { result = this.getArgument(0) } -} diff --git a/java/ql/src/semmle/code/java/frameworks/javase/URL.qll b/java/ql/src/semmle/code/java/frameworks/javase/URL.qll deleted file mode 100644 index 681319ff562..00000000000 --- a/java/ql/src/semmle/code/java/frameworks/javase/URL.qll +++ /dev/null 
@@ -1,47 +0,0 @@ -import java -import semmle.code.java.dataflow.FlowSources - -/* Am URL constructor expression */ -class UrlConstructor extends ClassInstanceExpr { - UrlConstructor() { this.getConstructor().getDeclaringType().getQualifiedName() = "java.net.URL" } - - Expr hostArg() { - // URL(String spec) - this.getNumArgument() = 1 and result = this.getArgument(0) - or - // URL(String protocol, String host, int port, String file) - // URL(String protocol, String host, int port, String file, URLStreamHandler handler) - this.getNumArgument() = [4,5] and result = this.getArgument(1) - or - // URL(String protocol, String host, String file) - // but not - // URL(URL context, String spec, URLStreamHandler handler) - ( - this.getNumArgument() = 3 and - this.getConstructor().getParameter(2).getType() instanceof TypeString - ) and - result = this.getArgument(1) - } - - Expr protocolArg() { - // In all cases except where the first parameter is a URL, the argument - // containing the protocol is the first one, otherwise it is the second. - if this.getConstructor().getParameter(0).getType().getName() = "URL" - then result = this.getArgument(1) - else result = this.getArgument(0) - } -} - -class UrlOpenStreamMethod extends Method { - UrlOpenStreamMethod() { - this.getDeclaringType() instanceof TypeUrl and - this.getName() = "openStream" - } -} - -class UrlOpenConnectionMethod extends Method { - UrlOpenConnectionMethod() { - this.getDeclaringType() instanceof TypeUrl and - this.getName() = "openConnection" - } -} diff --git a/java/ql/src/semmle/code/java/frameworks/spring/SpringHttp.qll b/java/ql/src/semmle/code/java/frameworks/spring/SpringHttp.qll index bbc10c652c9..49450b90957 100644 --- a/java/ql/src/semmle/code/java/frameworks/spring/SpringHttp.qll +++ b/java/ql/src/semmle/code/java/frameworks/spring/SpringHttp.qll 
@@ -39,17 +39,3 @@ class SpringResponseEntityBodyBuilder extends Interface { class SpringHttpHeaders extends Class { SpringHttpHeaders() { this.hasQualifiedName("org.springframework.http", "HttpHeaders") } } - -/** Models `org.springframework.http.RequestEntity`s instantiation expressions. */ -class SpringRequestEntityInstanceExpr extends ClassInstanceExpr { - int numArgs; - - SpringRequestEntityInstanceExpr() { - this.getConstructedType() instanceof SpringRequestEntity and - numArgs = this.getNumArgument() - } - - Argument getUriArg() { - exists(Argument a | this.getAnArgument() = a and a.getType() instanceof TypeUri | result = a) - } -} diff --git a/java/ql/src/semmle/code/java/frameworks/spring/SpringWebClient.qll b/java/ql/src/semmle/code/java/frameworks/spring/SpringWebClient.qll index 14bbb99db68..ef516d234ae 100644 --- a/java/ql/src/semmle/code/java/frameworks/spring/SpringWebClient.qll +++ b/java/ql/src/semmle/code/java/frameworks/spring/SpringWebClient.qll @@ -33,7 +33,10 @@ class SpringWebClient extends Interface { * which take an URL as an argument. */ abstract class SpringRestTemplateUrlMethods extends Method { - /** Gets the argument which corresponds to a URL */ + /** + * Gets the argument which corresponds to a URL argument + * passed as a `java.net.URL` object or as a string or the like + */ abstract Argument getUrlArgument(MethodAccess ma); } diff --git a/java/ql/test/experimental/query-tests/security/CWE-918/JaxWsSSRF.java b/java/ql/test/experimental/query-tests/security/CWE-918/JaxWsSSRF.java index c710c09c64b..cb774b8c44a 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-918/JaxWsSSRF.java +++ b/java/ql/test/experimental/query-tests/security/CWE-918/JaxWsSSRF.java 
@@ -1,11 +1,25 @@ import javax.ws.rs.client.*; +import java.io.IOException; +import java.net.URI; +import java.net.*; +import java.net.http.HttpClient; +import java.net.http.HttpRequest; +import java.net.Proxy.Type; +import java.io.InputStream; -public class JaxWsSSRF { - public static void main(String[] args) { +import org.apache.http.client.methods.HttpGet; +import javax.servlet.ServletException; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +public class JaxWsSSRF extends HttpServlet { + + protected void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { Client client = ClientBuilder.newClient(); - String url = args[1]; + String url = request.getParameter("url"); client.target(url); } + } - - diff --git a/java/ql/test/experimental/query-tests/security/CWE-918/RequestForgery.expected b/java/ql/test/experimental/query-tests/security/CWE-918/RequestForgery.expected index a7795b52f1a..1d2cae77dfe 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-918/RequestForgery.expected +++ b/java/ql/test/experimental/query-tests/security/CWE-918/RequestForgery.expected @@ -1,5 +1,5 @@ edges -| JaxWsSSRF.java:4:29:4:41 | args : String[] | JaxWsSSRF.java:7:23:7:25 | url | +| JaxWsSSRF.java:21:22:21:48 | getParameter(...) : String | JaxWsSSRF.java:22:23:22:25 | url | | RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:55:32:55:35 | url1 | | RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:58:32:58:35 | url1 | | RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:59:30:59:33 | url1 | 
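Review bot: Most of the imports added to `JaxWsSSRF.java` are unused by the new `doGet` body: `java.net.URI`, `java.net.*`, `java.net.http.HttpClient`, `java.net.http.HttpRequest`, `java.net.Proxy.Type`, `java.io.InputStream` and `org.apache.http.client.methods.HttpGet`. Each one still has to resolve when the test is extracted, which ties this small test to the Apache stubs and a JDK that ships `java.net.http` for no benefit. Keeping only `java.io.IOException` and the four `javax.servlet` imports is enough. A marker on the sink line, for example `client.target(url); // BAD: request parameter reaches Client.target`, would also make the expected result readable without opening the `.expected` file.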
@@ -9,18 +9,18 @@ edges | RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:69:29:69:32 | uri2 | | RequestForgery.java:19:31:19:57 | getParameter(...) : String | RequestForgery.java:22:52:22:54 | uri | | RequestForgery.java:19:31:19:57 | getParameter(...) : String | RequestForgery.java:27:57:27:59 | uri | -| SpringSSRF.java:11:29:11:41 | args : String[] | SpringSSRF.java:17:73:17:93 | ... + ... | -| SpringSSRF.java:11:29:11:41 | args : String[] | SpringSSRF.java:21:69:21:82 | fooResourceUrl | -| SpringSSRF.java:11:29:11:41 | args : String[] | SpringSSRF.java:25:68:25:81 | fooResourceUrl | -| SpringSSRF.java:11:29:11:41 | args : String[] | SpringSSRF.java:28:73:28:86 | fooResourceUrl | -| SpringSSRF.java:11:29:11:41 | args : String[] | SpringSSRF.java:36:59:36:72 | fooResourceUrl | -| SpringSSRF.java:11:29:11:41 | args : String[] | SpringSSRF.java:39:74:39:96 | new URI(...) | -| SpringSSRF.java:11:29:11:41 | args : String[] | SpringSSRF.java:43:57:43:70 | fooResourceUrl | -| SpringSSRF.java:11:29:11:41 | args : String[] | SpringSSRF.java:46:58:46:71 | fooResourceUrl | -| SpringSSRF.java:11:29:11:41 | args : String[] | SpringSSRF.java:49:30:49:43 | fooResourceUrl | +| SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:32:47:32:67 | ... + ... | +| SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:37:43:37:56 | fooResourceUrl | +| SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:41:42:41:55 | fooResourceUrl | +| SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:45:47:45:60 | fooResourceUrl | +| SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:54:59:54:72 | fooResourceUrl | +| SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:58:74:58:96 | new URI(...) | +| SpringSSRF.java:26:33:26:60 | getParameter(...) 
: String | SpringSSRF.java:62:57:62:70 | fooResourceUrl | +| SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:66:48:66:61 | fooResourceUrl | +| SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:69:30:69:43 | fooResourceUrl | nodes -| JaxWsSSRF.java:4:29:4:41 | args : String[] | semmle.label | args : String[] | -| JaxWsSSRF.java:7:23:7:25 | url | semmle.label | url | +| JaxWsSSRF.java:21:22:21:48 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| JaxWsSSRF.java:22:23:22:25 | url | semmle.label | url | | RequestForgery2.java:23:27:23:53 | getParameter(...) : String | semmle.label | getParameter(...) : String | | RequestForgery2.java:55:32:55:35 | url1 | semmle.label | url1 | | RequestForgery2.java:58:32:58:35 | url1 | semmle.label | url1 | 
@@ -32,18 +32,18 @@ nodes | RequestForgery.java:19:31:19:57 | getParameter(...) : String | semmle.label | getParameter(...) : String | | RequestForgery.java:22:52:22:54 | uri | semmle.label | uri | | RequestForgery.java:27:57:27:59 | uri | semmle.label | uri | -| SpringSSRF.java:11:29:11:41 | args : String[] | semmle.label | args : String[] | -| SpringSSRF.java:17:73:17:93 | ... + ... | semmle.label | ... + ... | -| SpringSSRF.java:21:69:21:82 | fooResourceUrl | semmle.label | fooResourceUrl | -| SpringSSRF.java:25:68:25:81 | fooResourceUrl | semmle.label | fooResourceUrl | -| SpringSSRF.java:28:73:28:86 | fooResourceUrl | semmle.label | fooResourceUrl | -| SpringSSRF.java:36:59:36:72 | fooResourceUrl | semmle.label | fooResourceUrl | -| SpringSSRF.java:39:74:39:96 | new URI(...) | semmle.label | new URI(...) | -| SpringSSRF.java:43:57:43:70 | fooResourceUrl | semmle.label | fooResourceUrl | -| SpringSSRF.java:46:58:46:71 | fooResourceUrl | semmle.label | fooResourceUrl | -| SpringSSRF.java:49:30:49:43 | fooResourceUrl | semmle.label | fooResourceUrl | +| SpringSSRF.java:26:33:26:60 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| SpringSSRF.java:32:47:32:67 | ... + ... | semmle.label | ... + ... | +| SpringSSRF.java:37:43:37:56 | fooResourceUrl | semmle.label | fooResourceUrl | +| SpringSSRF.java:41:42:41:55 | fooResourceUrl | semmle.label | fooResourceUrl | +| SpringSSRF.java:45:47:45:60 | fooResourceUrl | semmle.label | fooResourceUrl | +| SpringSSRF.java:54:59:54:72 | fooResourceUrl | semmle.label | fooResourceUrl | +| SpringSSRF.java:58:74:58:96 | new URI(...) | semmle.label | new URI(...) 
| +| SpringSSRF.java:62:57:62:70 | fooResourceUrl | semmle.label | fooResourceUrl | +| SpringSSRF.java:66:48:66:61 | fooResourceUrl | semmle.label | fooResourceUrl | +| SpringSSRF.java:69:30:69:43 | fooResourceUrl | semmle.label | fooResourceUrl | #select -| JaxWsSSRF.java:7:23:7:25 | url | JaxWsSSRF.java:4:29:4:41 | args : String[] | JaxWsSSRF.java:7:23:7:25 | url | Potential server side request forgery due to $@. | JaxWsSSRF.java:4:29:4:41 | args | a user-provided value | +| JaxWsSSRF.java:22:23:22:25 | url | JaxWsSSRF.java:21:22:21:48 | getParameter(...) : String | JaxWsSSRF.java:22:23:22:25 | url | Potential server side request forgery due to $@. | JaxWsSSRF.java:21:22:21:48 | getParameter(...) | a user-provided value | | RequestForgery2.java:55:32:55:35 | url1 | RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:55:32:55:35 | url1 | Potential server side request forgery due to $@. | RequestForgery2.java:23:27:23:53 | getParameter(...) | a user-provided value | | RequestForgery2.java:58:32:58:35 | url1 | RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:58:32:58:35 | url1 | Potential server side request forgery due to $@. | RequestForgery2.java:23:27:23:53 | getParameter(...) | a user-provided value | | RequestForgery2.java:59:30:59:33 | url1 | RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:59:30:59:33 | url1 | Potential server side request forgery due to $@. | RequestForgery2.java:23:27:23:53 | getParameter(...) | a user-provided value | 
@@ -53,12 +53,12 @@ nodes | RequestForgery2.java:69:29:69:32 | uri2 | RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:69:29:69:32 | uri2 | Potential server side request forgery due to $@. | RequestForgery2.java:23:27:23:53 | getParameter(...) | a user-provided value | | RequestForgery.java:22:52:22:54 | uri | RequestForgery.java:19:31:19:57 | getParameter(...) : String | RequestForgery.java:22:52:22:54 | uri | Potential server side request forgery due to $@. | RequestForgery.java:19:31:19:57 | getParameter(...) | a user-provided value | | RequestForgery.java:27:57:27:59 | uri | RequestForgery.java:19:31:19:57 | getParameter(...) : String | RequestForgery.java:27:57:27:59 | uri | Potential server side request forgery due to $@. | RequestForgery.java:19:31:19:57 | getParameter(...) | a user-provided value | -| SpringSSRF.java:17:73:17:93 | ... + ... | SpringSSRF.java:11:29:11:41 | args : String[] | SpringSSRF.java:17:73:17:93 | ... + ... | Potential server side request forgery due to $@. | SpringSSRF.java:11:29:11:41 | args | a user-provided value | -| SpringSSRF.java:21:69:21:82 | fooResourceUrl | SpringSSRF.java:11:29:11:41 | args : String[] | SpringSSRF.java:21:69:21:82 | fooResourceUrl | Potential server side request forgery due to $@. | SpringSSRF.java:11:29:11:41 | args | a user-provided value | -| SpringSSRF.java:25:68:25:81 | fooResourceUrl | SpringSSRF.java:11:29:11:41 | args : String[] | SpringSSRF.java:25:68:25:81 | fooResourceUrl | Potential server side request forgery due to $@. | SpringSSRF.java:11:29:11:41 | args | a user-provided value | -| SpringSSRF.java:28:73:28:86 | fooResourceUrl | SpringSSRF.java:11:29:11:41 | args : String[] | SpringSSRF.java:28:73:28:86 | fooResourceUrl | Potential server side request forgery due to $@. 
| SpringSSRF.java:11:29:11:41 | args | a user-provided value | -| SpringSSRF.java:36:59:36:72 | fooResourceUrl | SpringSSRF.java:11:29:11:41 | args : String[] | SpringSSRF.java:36:59:36:72 | fooResourceUrl | Potential server side request forgery due to $@. | SpringSSRF.java:11:29:11:41 | args | a user-provided value | -| SpringSSRF.java:39:74:39:96 | new URI(...) | SpringSSRF.java:11:29:11:41 | args : String[] | SpringSSRF.java:39:74:39:96 | new URI(...) | Potential server side request forgery due to $@. | SpringSSRF.java:11:29:11:41 | args | a user-provided value | -| SpringSSRF.java:43:57:43:70 | fooResourceUrl | SpringSSRF.java:11:29:11:41 | args : String[] | SpringSSRF.java:43:57:43:70 | fooResourceUrl | Potential server side request forgery due to $@. | SpringSSRF.java:11:29:11:41 | args | a user-provided value | -| SpringSSRF.java:46:58:46:71 | fooResourceUrl | SpringSSRF.java:11:29:11:41 | args : String[] | SpringSSRF.java:46:58:46:71 | fooResourceUrl | Potential server side request forgery due to $@. | SpringSSRF.java:11:29:11:41 | args | a user-provided value | -| SpringSSRF.java:49:30:49:43 | fooResourceUrl | SpringSSRF.java:11:29:11:41 | args : String[] | SpringSSRF.java:49:30:49:43 | fooResourceUrl | Potential server side request forgery due to $@. | SpringSSRF.java:11:29:11:41 | args | a user-provided value | +| SpringSSRF.java:32:47:32:67 | ... + ... | SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:32:47:32:67 | ... + ... | Potential server side request forgery due to $@. | SpringSSRF.java:26:33:26:60 | getParameter(...) | a user-provided value | +| SpringSSRF.java:37:43:37:56 | fooResourceUrl | SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:37:43:37:56 | fooResourceUrl | Potential server side request forgery due to $@. | SpringSSRF.java:26:33:26:60 | getParameter(...) | a user-provided value | +| SpringSSRF.java:41:42:41:55 | fooResourceUrl | SpringSSRF.java:26:33:26:60 | getParameter(...) 
: String | SpringSSRF.java:41:42:41:55 | fooResourceUrl | Potential server side request forgery due to $@. | SpringSSRF.java:26:33:26:60 | getParameter(...) | a user-provided value | +| SpringSSRF.java:45:47:45:60 | fooResourceUrl | SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:45:47:45:60 | fooResourceUrl | Potential server side request forgery due to $@. | SpringSSRF.java:26:33:26:60 | getParameter(...) | a user-provided value | +| SpringSSRF.java:54:59:54:72 | fooResourceUrl | SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:54:59:54:72 | fooResourceUrl | Potential server side request forgery due to $@. | SpringSSRF.java:26:33:26:60 | getParameter(...) | a user-provided value | +| SpringSSRF.java:58:74:58:96 | new URI(...) | SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:58:74:58:96 | new URI(...) | Potential server side request forgery due to $@. | SpringSSRF.java:26:33:26:60 | getParameter(...) | a user-provided value | +| SpringSSRF.java:62:57:62:70 | fooResourceUrl | SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:62:57:62:70 | fooResourceUrl | Potential server side request forgery due to $@. | SpringSSRF.java:26:33:26:60 | getParameter(...) | a user-provided value | +| SpringSSRF.java:66:48:66:61 | fooResourceUrl | SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:66:48:66:61 | fooResourceUrl | Potential server side request forgery due to $@. | SpringSSRF.java:26:33:26:60 | getParameter(...) | a user-provided value | +| SpringSSRF.java:69:30:69:43 | fooResourceUrl | SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:69:30:69:43 | fooResourceUrl | Potential server side request forgery due to $@. | SpringSSRF.java:26:33:26:60 | getParameter(...) | a user-provided value | 
diff --git a/java/ql/test/experimental/query-tests/security/CWE-918/SpringSSRF.java b/java/ql/test/experimental/query-tests/security/CWE-918/SpringSSRF.java index 8aca1f3083a..ddd8ecc3dd6 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-918/SpringSSRF.java +++ b/java/ql/test/experimental/query-tests/security/CWE-918/SpringSSRF.java 
@@ -5,48 +5,68 @@ import org.springframework.http.HttpEntity; import org.springframework.http.HttpStatus; import java.net.URI; import org.springframework.http.HttpMethod; +import java.io.IOException; +import java.net.URI; +import java.net.*; +import java.net.http.HttpClient; +import java.net.http.HttpRequest; +import java.net.Proxy.Type; +import java.io.InputStream; -public class SpringSSRF { +import org.apache.http.client.methods.HttpGet; +import javax.servlet.ServletException; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; - public static void main(String[] args) throws Exception { +public class SpringSSRF extends HttpServlet { + + protected void doGet(HttpServletRequest request2, HttpServletResponse response2) + throws ServletException, IOException { + String fooResourceUrl = request2.getParameter("uri");; RestTemplate restTemplate = new RestTemplate(); - String fooResourceUrl = args[1]; HttpEntity request = new HttpEntity<>(new String("bar")); { - ResponseEntity response = restTemplate.getForEntity(fooResourceUrl + "/1", String.class); + ResponseEntity response = + restTemplate.getForEntity(fooResourceUrl + "/1", String.class); } { - ResponseEntity response = restTemplate.exchange(fooResourceUrl, HttpMethod.POST, request, - String.class); + ResponseEntity response = + restTemplate.exchange(fooResourceUrl, HttpMethod.POST, request, String.class); } { - ResponseEntity response = restTemplate.execute(fooResourceUrl, HttpMethod.POST, null, null, "test"); + ResponseEntity response = + restTemplate.execute(fooResourceUrl, HttpMethod.POST, null, null, "test"); } { - ResponseEntity response = restTemplate.getForEntity(fooResourceUrl, String.class, "test"); + ResponseEntity response = + restTemplate.getForEntity(fooResourceUrl, String.class, "test"); } { String body = new String("body"); - RequestEntity requestEntity = RequestEntity.post(new URI(fooResourceUrl)).body(body); + 
RequestEntity requestEntity = + RequestEntity.post(new URI(fooResourceUrl)).body(body); ResponseEntity response = restTemplate.exchange(requestEntity, String.class); } { - String response = restTemplate.patchForObject(fooResourceUrl, new String("object"), String.class, "hi"); + String response = restTemplate.patchForObject(fooResourceUrl, new String("object"), + String.class, "hi"); } { - ResponseEntity response = restTemplate.postForEntity(new URI(fooResourceUrl), new String("object"), - String.class); + ResponseEntity response = restTemplate.postForEntity(new URI(fooResourceUrl), + new String("object"), String.class); } { URI response = restTemplate.postForLocation(fooResourceUrl, new String("object")); } { - String response = restTemplate.postForObject(fooResourceUrl, new String("object"), String.class); + String response = + restTemplate.postForObject(fooResourceUrl, new String("object"), String.class); } { restTemplate.put(fooResourceUrl, new String("object")); } } -} \ No newline at end of file +}
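Review bot: `new URI(fooResourceUrl)` throws the checked `URISyntaxException`, which the new `doGet` signature (`throws ServletException, IOException`) no longer covers, whereas the old `main` declared `throws Exception`. As written, the two blocks that build a `URI` (`RequestEntity.post(new URI(fooResourceUrl))` and `restTemplate.postForEntity(new URI(fooResourceUrl), ...)`) look like they would not compile under javac. Wrapping them in `try { ... } catch (URISyntaxException e) { throw new ServletException(e); }` keeps the `URI` constructor flow under test. Smaller points in the same hunk: `request2.getParameter("uri");;` has a stray second semicolon, `import java.net.URI;` is added although the context line above already imports it, and the other new imports (`java.net.http.*`, `Proxy.Type`, `InputStream`, `HttpGet`) appear unused.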