include suggestions from review.
@@ -1,7 +1,5 @@
|
||||
import java
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
import semmle.code.java.frameworks.javase.URI
|
||||
import semmle.code.java.frameworks.javase.URL
|
||||
import semmle.code.java.frameworks.javase.Http
|
||||
import semmle.code.java.dataflow.DataFlow
|
||||
|
||||
|
||||
@@ -2,8 +2,8 @@
|
||||
|
||||
import java
|
||||
import semmle.code.java.frameworks.Networking
|
||||
import semmle.code.java.frameworks.javase.URI
|
||||
import semmle.code.java.frameworks.javase.URL
|
||||
import semmle.code.java.frameworks.ApacheHttp
|
||||
import semmle.code.java.frameworks.spring.Spring
|
||||
import semmle.code.java.frameworks.JaxWS
|
||||
import semmle.code.java.frameworks.javase.Http
|
||||
import semmle.code.java.dataflow.DataFlow
|
||||
@@ -34,8 +34,8 @@ module RequestForgery {
|
||||
*/
|
||||
private class ApacheSetUri extends Sink {
|
||||
ApacheSetUri() {
|
||||
exists(MethodAccess ma |
|
||||
ma.getReceiverType() instanceof TypeApacheHttpRequest and
|
||||
exists(MethodAccess ma, TypeApacheHttpRequestBase t |
|
||||
ma.getReceiverType().extendsOrImplements(t) and
|
||||
ma.getMethod().hasName("setURI")
|
||||
|
|
||||
this.asExpr() = ma.getArgument(0)
|
||||
@@ -49,7 +49,9 @@ module RequestForgery {
|
||||
*/
|
||||
private class ApacheHttpRequestInstantiation extends Sink {
|
||||
ApacheHttpRequestInstantiation() {
|
||||
exists(ClassInstanceExpr c | c.getConstructedType() instanceof TypeApacheHttpRequest |
|
||||
exists(ClassInstanceExpr c, TypeApacheHttpRequestBase t |
|
||||
c.getConstructedType().extendsOrImplements(t)
|
||||
|
|
||||
this.asExpr() = c.getArgument(0)
|
||||
)
|
||||
}
|
||||
@@ -115,8 +117,7 @@ module RequestForgery {
|
||||
*/
|
||||
private class JaxRsClientTarget extends Sink {
|
||||
JaxRsClientTarget() {
|
||||
exists(MethodAccess ma, JaxRsClient t |
|
||||
// ma.getMethod().getDeclaringType().getQualifiedName() ="javax.ws.rs.client.Client" and
|
||||
exists(MethodAccess ma |
|
||||
ma.getMethod().getDeclaringType() instanceof JaxRsClient and
|
||||
ma.getMethod().hasName("target")
|
||||
|
|
||||
@@ -131,7 +132,12 @@ module RequestForgery {
|
||||
*/
|
||||
private class RequestEntityUriArg extends Sink {
|
||||
RequestEntityUriArg() {
|
||||
exists(SpringRequestEntityInstanceExpr e | e.getUriArg() = this.asExpr())
|
||||
exists(ClassInstanceExpr e, Argument a |
|
||||
e.getConstructedType() instanceof SpringRequestEntity and
|
||||
e.getAnArgument() = a and
|
||||
a.getType() instanceof TypeUri and
|
||||
this.asExpr() = a
|
||||
)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
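Review bot: `ma.getReceiverType().extendsOrImplements(t)` in `ApacheSetUri` (hunk `@@ -34,8 +34,8 @@`) and `c.getConstructedType().extendsOrImplements(t)` in `ApacheHttpRequestInstantiation` (hunk `@@ -49,7 +49,9 @@`) only accept types that are direct subtypes of `TypeApacheHttpRequestBase`; as I read `RefType.extendsOrImplements`, it is neither reflexive nor transitive, so a `setURI` call on a variable declared as the base type itself, or on a user subclass of `HttpGet`, is not a sink. The removed `TypeApacheHttpRequest` had the same definition, so this is not a regression, but `ma.getReceiverType().getAnAncestor() = t` (and likewise for `c.getConstructedType()`) closes both gaps. In `RequestEntityUriArg` (hunk `@@ -131,7 +132,12 @@`) the sink is chosen by the argument's static type, so a `RequestEntity` body argument that happens to be a `URI` is reported as well; tying it to the constructor's parameter, `e.getConstructor().getParameter(a.getPosition()).getType() instanceof TypeUri`, targets only the `url` parameter. In `JaxRsClientTarget` (hunk `@@ -115,8 +117,7 @@`), `ma.getMethod().getDeclaringType() instanceof JaxRsClient` matches only the `target` declared on `javax.ws.rs.client.Client`, so a call resolved to an overriding implementation is missed; `ma.getMethod().getDeclaringType().getASourceSupertype*() instanceof JaxRsClient` is the usual form. The `RequestForgery` module begins before the first of these hunks.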
@@ -27,15 +27,6 @@ class TypeApacheHttpRequestBase extends RefType {
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* Any class which can be used to make an HTTP request using the Apache Http Client library
|
||||
* Examples include `HttpGet`,`HttpPost` etc.
|
||||
*/
|
||||
|
||||
class TypeApacheHttpRequest extends Class {
|
||||
TypeApacheHttpRequest() { exists(TypeApacheHttpRequestBase t | this.extendsOrImplements(t)) }
|
||||
}
|
||||
|
||||
/* A class representing the `RequestBuilder` class of the Apache Http Client library */
|
||||
class TypeApacheHttpRequestBuilder extends Class {
|
||||
TypeApacheHttpRequestBuilder() {
|
||||
|
||||
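Review bot: `TypeApacheHttpRequest` is a public class in a library file and is deleted outright, so any query outside this repository that imports `semmle.code.java.frameworks.ApacheHttp` and uses it stops compiling; the same applies to `SpringRequestEntityInstanceExpr`, removed in the `@@ -39,17 +39,3 @@` hunk of the Spring library. If these files fall under the library's deprecation policy, keep each class for a release as `deprecated class TypeApacheHttpRequest extends Class { ... }` with a QLDoc `@deprecated` line pointing at `TypeApacheHttpRequestBase` (respectively the new `RequestEntityUriArg` logic) and remove it afterwards. The `HttpGet`/`HttpPost` examples only lived in the removed comment block, so it is worth carrying that sentence over to the doc of `TypeApacheHttpRequestBase`, which starts outside the hunk.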
@@ -171,7 +171,7 @@ class JaxRsResponseBuilder extends Class {
|
||||
}
|
||||
|
||||
/**
|
||||
* The class `javax.ws.rs.client.Client`
|
||||
* The class `javax.ws.rs.client.Client`.
|
||||
*/
|
||||
class JaxRsClient extends RefType {
|
||||
JaxRsClient() { this.hasQualifiedName("javax.ws.rs.client", "Client") }
|
||||
|
||||
@@ -4,6 +4,7 @@
|
||||
|
||||
import semmle.code.java.Type
|
||||
|
||||
// import semmle.code.java.dataflow.FlowSources
|
||||
/** The type `java.net.URLConnection`. */
|
||||
class TypeUrlConnection extends RefType {
|
||||
TypeUrlConnection() { hasQualifiedName("java.net", "URLConnection") }
|
||||
@@ -41,3 +42,88 @@ class SocketGetInputStreamMethod extends Method {
|
||||
hasNoParameters()
|
||||
}
|
||||
}
|
||||
|
||||
/** Any expresion or call which returns a new URI. */
|
||||
abstract class UriCreation extends Top {
|
||||
/**
|
||||
* Returns the host of the newly created URI.
|
||||
* In the case where the host is specified separately, this returns only the host.
|
||||
* In the case where the uri is parsed from an input string,
|
||||
* such as in `URI(`http://foo.com/mypath')`,
|
||||
* this returns the entire argument passed i.e. `http://foo.com/mypath'.
|
||||
*/
|
||||
abstract Expr hostArg();
|
||||
}
|
||||
|
||||
/** An URI constructor expression */
|
||||
class UriConstructor extends ClassInstanceExpr, UriCreation {
|
||||
UriConstructor() { this.getConstructor().getDeclaringType().getQualifiedName() = "java.net.URI" }
|
||||
|
||||
override Expr hostArg() {
|
||||
// URI(String str)
|
||||
result = this.getArgument(0) and this.getNumArgument() = 1
|
||||
or
|
||||
// URI(String scheme, String ssp, String fragment)
|
||||
// URI(String scheme, String host, String path, String fragment)
|
||||
// URI(String scheme, String authority, String path, String query, String fragment)
|
||||
result = this.getArgument(1) and this.getNumArgument() = [3, 4, 5]
|
||||
or
|
||||
// URI(String scheme, String userInfo, String host, int port, String path, String query,
|
||||
// String fragment)
|
||||
result = this.getArgument(2) and this.getNumArgument() = 7
|
||||
}
|
||||
}
|
||||
|
||||
class UriCreate extends Call, UriCreation {
|
||||
UriCreate() {
|
||||
this.getCallee().getName() = "create" and
|
||||
this.getCallee().getDeclaringType() instanceof TypeUri
|
||||
}
|
||||
|
||||
override Expr hostArg() { result = this.getArgument(0) }
|
||||
}
|
||||
|
||||
/* An URL constructor expression */
|
||||
class UrlConstructor extends ClassInstanceExpr {
|
||||
UrlConstructor() { this.getConstructor().getDeclaringType().getQualifiedName() = "java.net.URL" }
|
||||
|
||||
Expr hostArg() {
|
||||
// URL(String spec)
|
||||
this.getNumArgument() = 1 and result = this.getArgument(0)
|
||||
or
|
||||
// URL(String protocol, String host, int port, String file)
|
||||
// URL(String protocol, String host, int port, String file, URLStreamHandler handler)
|
||||
this.getNumArgument() = [4, 5] and result = this.getArgument(1)
|
||||
or
|
||||
// URL(String protocol, String host, String file)
|
||||
// but not
|
||||
// URL(URL context, String spec, URLStreamHandler handler)
|
||||
(
|
||||
this.getNumArgument() = 3 and
|
||||
this.getConstructor().getParameter(2).getType() instanceof TypeString
|
||||
) and
|
||||
result = this.getArgument(1)
|
||||
}
|
||||
|
||||
Expr protocolArg() {
|
||||
// In all cases except where the first parameter is a URL, the argument
|
||||
// containing the protocol is the first one, otherwise it is the second.
|
||||
if this.getConstructor().getParameter(0).getType().getName() = "URL"
|
||||
then result = this.getArgument(1)
|
||||
else result = this.getArgument(0)
|
||||
}
|
||||
}
|
||||
|
||||
class UrlOpenStreamMethod extends Method {
|
||||
UrlOpenStreamMethod() {
|
||||
this.getDeclaringType() instanceof TypeUrl and
|
||||
this.getName() = "openStream"
|
||||
}
|
||||
}
|
||||
|
||||
class UrlOpenConnectionMethod extends Method {
|
||||
UrlOpenConnectionMethod() {
|
||||
this.getDeclaringType() instanceof TypeUrl and
|
||||
this.getName() = "openConnection"
|
||||
}
|
||||
}
|
||||
|
||||
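Review bot: `UrlConstructor.hostArg()` has no result for the two-argument `URL(URL context, String spec)` constructor, so a tainted `spec` passed there (which, when absolute, overrides the context's host) never reaches the sink; `this.getNumArgument() = 2 and result = this.getArgument(1)` covers it. In `protocolArg()`, `getType().getName() = "URL"` compares a simple name and would also match any other class called `URL`; `getType() instanceof TypeUrl`, which `UrlOpenStreamMethod` and `UrlOpenConnectionMethod` already use, is the precise form. `UriCreate`, `UrlOpenStreamMethod` and `UrlOpenConnectionMethod` have no QLDoc and `UrlConstructor` carries a plain `/* */` comment instead of `/** */`; each needs a one-line QLDoc naming the call or method it models (a call to `URI.create`, the `openStream` and `openConnection` methods of `java.net.URL`). Also fix `expresion` and `An URI` in the `UriCreation` and `UriConstructor` docs, and the commented-out `// import semmle.code.java.dataflow.FlowSources` near the top of this file (hunk `@@ -4,6 +4,7 @@`) should be deleted rather than kept.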
@@ -1,7 +1,10 @@
|
||||
import java
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
/**
|
||||
* Provides classes for identifying methods called by the Java net Http package.
|
||||
*/
|
||||
|
||||
/** A class representing `HttpRequest.Builder`. */
|
||||
import java
|
||||
|
||||
/** The interface representing `HttpRequest.Builder`. */
|
||||
class TypeHttpRequestBuilder extends Interface {
|
||||
TypeHttpRequestBuilder() { hasQualifiedName("java.net.http", "HttpRequest$Builder") }
|
||||
}
|
||||
@@ -11,7 +14,7 @@ class TypeHttpRequest extends Interface {
|
||||
TypeHttpRequest() { hasQualifiedName("java.net.http", "HttpRequest") }
|
||||
}
|
||||
|
||||
/** A class representing `java.net.http.HttpRequest$Builder`'s `uri` method. */
|
||||
/** The `uri` method on `java.net.http.HttpRequest.Builder`. */
|
||||
class HttpBuilderUri extends Method {
|
||||
HttpBuilderUri() {
|
||||
this.getDeclaringType() instanceof TypeHttpRequestBuilder and
|
||||
|
||||
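Review bot: The new file-level QLDoc `Provides classes for identifying methods called by the Java net Http package.` names the package loosely; `Provides classes and predicates for working with the java.net.http package.` (with the package name in backticks) matches the qualified name used in `hasQualifiedName("java.net.http", ...)` below. Both `hasQualifiedName(...)` calls in this file are unqualified while `JaxRsClient` in this same diff writes `this.hasQualifiedName(...)`; pick one form and keep the two libraries consistent.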
@@ -1,43 +0,0 @@
|
||||
import java
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
|
||||
/** Any expresion or call which returns a new URI.*/
|
||||
abstract class UriCreation extends Top {
|
||||
/**
|
||||
* Returns the host of the newly created URI.
|
||||
* In the case where the host is specified separately, this returns only the host.
|
||||
* In the case where the uri is parsed from an input string,
|
||||
* such as in `URI(`http://foo.com/mypath')`,
|
||||
* this returns the entire argument passed i.e. `http://foo.com/mypath'.
|
||||
*/
|
||||
|
||||
abstract Expr hostArg();
|
||||
}
|
||||
|
||||
/** An URI constructor expression */
|
||||
class UriConstructor extends ClassInstanceExpr, UriCreation {
|
||||
UriConstructor() { this.getConstructor().getDeclaringType().getQualifiedName() = "java.net.URI" }
|
||||
|
||||
override Expr hostArg() {
|
||||
// URI(String str)
|
||||
result = this.getArgument(0) and this.getNumArgument() = 1
|
||||
or
|
||||
// URI(String scheme, String ssp, String fragment)
|
||||
// URI(String scheme, String host, String path, String fragment)
|
||||
// URI(String scheme, String authority, String path, String query, String fragment)
|
||||
result = this.getArgument(1) and this.getNumArgument() = [3, 4, 5]
|
||||
or
|
||||
// URI(String scheme, String userInfo, String host, int port, String path, String query,
|
||||
// String fragment)
|
||||
result = this.getArgument(2) and this.getNumArgument() = 7
|
||||
}
|
||||
}
|
||||
|
||||
class UriCreate extends Call, UriCreation {
|
||||
UriCreate() {
|
||||
this.getCallee().getName() = "create" and
|
||||
this.getCallee().getDeclaringType() instanceof TypeUri
|
||||
}
|
||||
|
||||
override Expr hostArg() { result = this.getArgument(0) }
|
||||
}
|
||||
@@ -1,47 +0,0 @@
|
||||
import java
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
|
||||
/* Am URL constructor expression */
|
||||
class UrlConstructor extends ClassInstanceExpr {
|
||||
UrlConstructor() { this.getConstructor().getDeclaringType().getQualifiedName() = "java.net.URL" }
|
||||
|
||||
Expr hostArg() {
|
||||
// URL(String spec)
|
||||
this.getNumArgument() = 1 and result = this.getArgument(0)
|
||||
or
|
||||
// URL(String protocol, String host, int port, String file)
|
||||
// URL(String protocol, String host, int port, String file, URLStreamHandler handler)
|
||||
this.getNumArgument() = [4,5] and result = this.getArgument(1)
|
||||
or
|
||||
// URL(String protocol, String host, String file)
|
||||
// but not
|
||||
// URL(URL context, String spec, URLStreamHandler handler)
|
||||
(
|
||||
this.getNumArgument() = 3 and
|
||||
this.getConstructor().getParameter(2).getType() instanceof TypeString
|
||||
) and
|
||||
result = this.getArgument(1)
|
||||
}
|
||||
|
||||
Expr protocolArg() {
|
||||
// In all cases except where the first parameter is a URL, the argument
|
||||
// containing the protocol is the first one, otherwise it is the second.
|
||||
if this.getConstructor().getParameter(0).getType().getName() = "URL"
|
||||
then result = this.getArgument(1)
|
||||
else result = this.getArgument(0)
|
||||
}
|
||||
}
|
||||
|
||||
class UrlOpenStreamMethod extends Method {
|
||||
UrlOpenStreamMethod() {
|
||||
this.getDeclaringType() instanceof TypeUrl and
|
||||
this.getName() = "openStream"
|
||||
}
|
||||
}
|
||||
|
||||
class UrlOpenConnectionMethod extends Method {
|
||||
UrlOpenConnectionMethod() {
|
||||
this.getDeclaringType() instanceof TypeUrl and
|
||||
this.getName() = "openConnection"
|
||||
}
|
||||
}
|
||||
@@ -39,17 +39,3 @@ class SpringResponseEntityBodyBuilder extends Interface {
|
||||
class SpringHttpHeaders extends Class {
|
||||
SpringHttpHeaders() { this.hasQualifiedName("org.springframework.http", "HttpHeaders") }
|
||||
}
|
||||
|
||||
/** Models `org.springframework.http.RequestEntity`s instantiation expressions. */
|
||||
class SpringRequestEntityInstanceExpr extends ClassInstanceExpr {
|
||||
int numArgs;
|
||||
|
||||
SpringRequestEntityInstanceExpr() {
|
||||
this.getConstructedType() instanceof SpringRequestEntity and
|
||||
numArgs = this.getNumArgument()
|
||||
}
|
||||
|
||||
Argument getUriArg() {
|
||||
exists(Argument a | this.getAnArgument() = a and a.getType() instanceof TypeUri | result = a)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -33,7 +33,10 @@ class SpringWebClient extends Interface {
|
||||
* which take an URL as an argument.
|
||||
*/
|
||||
abstract class SpringRestTemplateUrlMethods extends Method {
|
||||
/** Gets the argument which corresponds to a URL */
|
||||
/**
|
||||
* Gets the argument which corresponds to a URL argument
|
||||
* passed as a `java.net.URL` object or as a string or the like
|
||||
*/
|
||||
abstract Argument getUrlArgument(MethodAccess ma);
|
||||
}
|
||||
|
||||
|
||||
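Review bot: The new QLDoc for `getUrlArgument` still does not say what `ma` is, and `or the like` leaves the accepted argument types open; I would write it as `Gets the argument of ma, a call to this method, that holds the request URL, passed either as a java.net.URL object or as a string.` (with the type name in backticks), and change `an URL` to `a URL` in the class comment above it. The `SpringRestTemplateUrlMethods` class doc starts outside the hunk.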
@@ -1,11 +1,25 @@
|
||||
import javax.ws.rs.client.*;
|
||||
import java.io.IOException;
|
||||
import java.net.URI;
|
||||
import java.net.*;
|
||||
import java.net.http.HttpClient;
|
||||
import java.net.http.HttpRequest;
|
||||
import java.net.Proxy.Type;
|
||||
import java.io.InputStream;
|
||||
|
||||
public class JaxWsSSRF {
|
||||
public static void main(String[] args) {
|
||||
import org.apache.http.client.methods.HttpGet;
|
||||
import javax.servlet.ServletException;
|
||||
import javax.servlet.http.HttpServlet;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
|
||||
public class JaxWsSSRF extends HttpServlet {
|
||||
|
||||
protected void doGet(HttpServletRequest request, HttpServletResponse response)
|
||||
throws ServletException, IOException {
|
||||
Client client = ClientBuilder.newClient();
|
||||
String url = args[1];
|
||||
String url = request.getParameter("url");
|
||||
client.target(url);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
|
||||
|
||||
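Review bot: The new `doGet` in `JaxWsSSRF` keeps `import java.net.*;` next to `import java.net.URI;` and pulls in `HttpClient`, `HttpRequest`, `Proxy.Type`, `InputStream` and `org.apache.http.client.methods.HttpGet`, none of which the body uses; the Apache import in particular may make this JAX-RS test depend on the Apache stubs being present on the test's extraction classpath. Trim the imports to `javax.ws.rs.client.*`, `java.io.IOException` and the four `javax.servlet` ones. `doGet` should also carry `@Override`.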
@@ -1,5 +1,5 @@
|
||||
edges
|
||||
| JaxWsSSRF.java:4:29:4:41 | args : String[] | JaxWsSSRF.java:7:23:7:25 | url |
|
||||
| JaxWsSSRF.java:21:22:21:48 | getParameter(...) : String | JaxWsSSRF.java:22:23:22:25 | url |
|
||||
| RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:55:32:55:35 | url1 |
|
||||
| RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:58:32:58:35 | url1 |
|
||||
| RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:59:30:59:33 | url1 |
|
||||
@@ -9,18 +9,18 @@ edges
|
||||
| RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:69:29:69:32 | uri2 |
|
||||
| RequestForgery.java:19:31:19:57 | getParameter(...) : String | RequestForgery.java:22:52:22:54 | uri |
|
||||
| RequestForgery.java:19:31:19:57 | getParameter(...) : String | RequestForgery.java:27:57:27:59 | uri |
|
||||
| SpringSSRF.java:11:29:11:41 | args : String[] | SpringSSRF.java:17:73:17:93 | ... + ... |
|
||||
| SpringSSRF.java:11:29:11:41 | args : String[] | SpringSSRF.java:21:69:21:82 | fooResourceUrl |
|
||||
| SpringSSRF.java:11:29:11:41 | args : String[] | SpringSSRF.java:25:68:25:81 | fooResourceUrl |
|
||||
| SpringSSRF.java:11:29:11:41 | args : String[] | SpringSSRF.java:28:73:28:86 | fooResourceUrl |
|
||||
| SpringSSRF.java:11:29:11:41 | args : String[] | SpringSSRF.java:36:59:36:72 | fooResourceUrl |
|
||||
| SpringSSRF.java:11:29:11:41 | args : String[] | SpringSSRF.java:39:74:39:96 | new URI(...) |
|
||||
| SpringSSRF.java:11:29:11:41 | args : String[] | SpringSSRF.java:43:57:43:70 | fooResourceUrl |
|
||||
| SpringSSRF.java:11:29:11:41 | args : String[] | SpringSSRF.java:46:58:46:71 | fooResourceUrl |
|
||||
| SpringSSRF.java:11:29:11:41 | args : String[] | SpringSSRF.java:49:30:49:43 | fooResourceUrl |
|
||||
| SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:32:47:32:67 | ... + ... |
|
||||
| SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:37:43:37:56 | fooResourceUrl |
|
||||
| SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:41:42:41:55 | fooResourceUrl |
|
||||
| SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:45:47:45:60 | fooResourceUrl |
|
||||
| SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:54:59:54:72 | fooResourceUrl |
|
||||
| SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:58:74:58:96 | new URI(...) |
|
||||
| SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:62:57:62:70 | fooResourceUrl |
|
||||
| SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:66:48:66:61 | fooResourceUrl |
|
||||
| SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:69:30:69:43 | fooResourceUrl |
|
||||
nodes
|
||||
| JaxWsSSRF.java:4:29:4:41 | args : String[] | semmle.label | args : String[] |
|
||||
| JaxWsSSRF.java:7:23:7:25 | url | semmle.label | url |
|
||||
| JaxWsSSRF.java:21:22:21:48 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| JaxWsSSRF.java:22:23:22:25 | url | semmle.label | url |
|
||||
| RequestForgery2.java:23:27:23:53 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| RequestForgery2.java:55:32:55:35 | url1 | semmle.label | url1 |
|
||||
| RequestForgery2.java:58:32:58:35 | url1 | semmle.label | url1 |
|
||||
@@ -32,18 +32,18 @@ nodes
|
||||
| RequestForgery.java:19:31:19:57 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| RequestForgery.java:22:52:22:54 | uri | semmle.label | uri |
|
||||
| RequestForgery.java:27:57:27:59 | uri | semmle.label | uri |
|
||||
| SpringSSRF.java:11:29:11:41 | args : String[] | semmle.label | args : String[] |
|
||||
| SpringSSRF.java:17:73:17:93 | ... + ... | semmle.label | ... + ... |
|
||||
| SpringSSRF.java:21:69:21:82 | fooResourceUrl | semmle.label | fooResourceUrl |
|
||||
| SpringSSRF.java:25:68:25:81 | fooResourceUrl | semmle.label | fooResourceUrl |
|
||||
| SpringSSRF.java:28:73:28:86 | fooResourceUrl | semmle.label | fooResourceUrl |
|
||||
| SpringSSRF.java:36:59:36:72 | fooResourceUrl | semmle.label | fooResourceUrl |
|
||||
| SpringSSRF.java:39:74:39:96 | new URI(...) | semmle.label | new URI(...) |
|
||||
| SpringSSRF.java:43:57:43:70 | fooResourceUrl | semmle.label | fooResourceUrl |
|
||||
| SpringSSRF.java:46:58:46:71 | fooResourceUrl | semmle.label | fooResourceUrl |
|
||||
| SpringSSRF.java:49:30:49:43 | fooResourceUrl | semmle.label | fooResourceUrl |
|
||||
| SpringSSRF.java:26:33:26:60 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| SpringSSRF.java:32:47:32:67 | ... + ... | semmle.label | ... + ... |
|
||||
| SpringSSRF.java:37:43:37:56 | fooResourceUrl | semmle.label | fooResourceUrl |
|
||||
| SpringSSRF.java:41:42:41:55 | fooResourceUrl | semmle.label | fooResourceUrl |
|
||||
| SpringSSRF.java:45:47:45:60 | fooResourceUrl | semmle.label | fooResourceUrl |
|
||||
| SpringSSRF.java:54:59:54:72 | fooResourceUrl | semmle.label | fooResourceUrl |
|
||||
| SpringSSRF.java:58:74:58:96 | new URI(...) | semmle.label | new URI(...) |
|
||||
| SpringSSRF.java:62:57:62:70 | fooResourceUrl | semmle.label | fooResourceUrl |
|
||||
| SpringSSRF.java:66:48:66:61 | fooResourceUrl | semmle.label | fooResourceUrl |
|
||||
| SpringSSRF.java:69:30:69:43 | fooResourceUrl | semmle.label | fooResourceUrl |
|
||||
#select
|
||||
| JaxWsSSRF.java:7:23:7:25 | url | JaxWsSSRF.java:4:29:4:41 | args : String[] | JaxWsSSRF.java:7:23:7:25 | url | Potential server side request forgery due to $@. | JaxWsSSRF.java:4:29:4:41 | args | a user-provided value |
|
||||
| JaxWsSSRF.java:22:23:22:25 | url | JaxWsSSRF.java:21:22:21:48 | getParameter(...) : String | JaxWsSSRF.java:22:23:22:25 | url | Potential server side request forgery due to $@. | JaxWsSSRF.java:21:22:21:48 | getParameter(...) | a user-provided value |
|
||||
| RequestForgery2.java:55:32:55:35 | url1 | RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:55:32:55:35 | url1 | Potential server side request forgery due to $@. | RequestForgery2.java:23:27:23:53 | getParameter(...) | a user-provided value |
|
||||
| RequestForgery2.java:58:32:58:35 | url1 | RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:58:32:58:35 | url1 | Potential server side request forgery due to $@. | RequestForgery2.java:23:27:23:53 | getParameter(...) | a user-provided value |
|
||||
| RequestForgery2.java:59:30:59:33 | url1 | RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:59:30:59:33 | url1 | Potential server side request forgery due to $@. | RequestForgery2.java:23:27:23:53 | getParameter(...) | a user-provided value |
|
||||
@@ -53,12 +53,12 @@ nodes
|
||||
| RequestForgery2.java:69:29:69:32 | uri2 | RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:69:29:69:32 | uri2 | Potential server side request forgery due to $@. | RequestForgery2.java:23:27:23:53 | getParameter(...) | a user-provided value |
|
||||
| RequestForgery.java:22:52:22:54 | uri | RequestForgery.java:19:31:19:57 | getParameter(...) : String | RequestForgery.java:22:52:22:54 | uri | Potential server side request forgery due to $@. | RequestForgery.java:19:31:19:57 | getParameter(...) | a user-provided value |
|
||||
| RequestForgery.java:27:57:27:59 | uri | RequestForgery.java:19:31:19:57 | getParameter(...) : String | RequestForgery.java:27:57:27:59 | uri | Potential server side request forgery due to $@. | RequestForgery.java:19:31:19:57 | getParameter(...) | a user-provided value |
|
||||
| SpringSSRF.java:17:73:17:93 | ... + ... | SpringSSRF.java:11:29:11:41 | args : String[] | SpringSSRF.java:17:73:17:93 | ... + ... | Potential server side request forgery due to $@. | SpringSSRF.java:11:29:11:41 | args | a user-provided value |
|
||||
| SpringSSRF.java:21:69:21:82 | fooResourceUrl | SpringSSRF.java:11:29:11:41 | args : String[] | SpringSSRF.java:21:69:21:82 | fooResourceUrl | Potential server side request forgery due to $@. | SpringSSRF.java:11:29:11:41 | args | a user-provided value |
|
||||
| SpringSSRF.java:25:68:25:81 | fooResourceUrl | SpringSSRF.java:11:29:11:41 | args : String[] | SpringSSRF.java:25:68:25:81 | fooResourceUrl | Potential server side request forgery due to $@. | SpringSSRF.java:11:29:11:41 | args | a user-provided value |
|
||||
| SpringSSRF.java:28:73:28:86 | fooResourceUrl | SpringSSRF.java:11:29:11:41 | args : String[] | SpringSSRF.java:28:73:28:86 | fooResourceUrl | Potential server side request forgery due to $@. | SpringSSRF.java:11:29:11:41 | args | a user-provided value |
|
||||
| SpringSSRF.java:36:59:36:72 | fooResourceUrl | SpringSSRF.java:11:29:11:41 | args : String[] | SpringSSRF.java:36:59:36:72 | fooResourceUrl | Potential server side request forgery due to $@. | SpringSSRF.java:11:29:11:41 | args | a user-provided value |
|
||||
| SpringSSRF.java:39:74:39:96 | new URI(...) | SpringSSRF.java:11:29:11:41 | args : String[] | SpringSSRF.java:39:74:39:96 | new URI(...) | Potential server side request forgery due to $@. | SpringSSRF.java:11:29:11:41 | args | a user-provided value |
|
||||
| SpringSSRF.java:43:57:43:70 | fooResourceUrl | SpringSSRF.java:11:29:11:41 | args : String[] | SpringSSRF.java:43:57:43:70 | fooResourceUrl | Potential server side request forgery due to $@. | SpringSSRF.java:11:29:11:41 | args | a user-provided value |
|
||||
| SpringSSRF.java:46:58:46:71 | fooResourceUrl | SpringSSRF.java:11:29:11:41 | args : String[] | SpringSSRF.java:46:58:46:71 | fooResourceUrl | Potential server side request forgery due to $@. | SpringSSRF.java:11:29:11:41 | args | a user-provided value |
|
||||
| SpringSSRF.java:49:30:49:43 | fooResourceUrl | SpringSSRF.java:11:29:11:41 | args : String[] | SpringSSRF.java:49:30:49:43 | fooResourceUrl | Potential server side request forgery due to $@. | SpringSSRF.java:11:29:11:41 | args | a user-provided value |
|
||||
| SpringSSRF.java:32:47:32:67 | ... + ... | SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:32:47:32:67 | ... + ... | Potential server side request forgery due to $@. | SpringSSRF.java:26:33:26:60 | getParameter(...) | a user-provided value |
|
||||
| SpringSSRF.java:37:43:37:56 | fooResourceUrl | SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:37:43:37:56 | fooResourceUrl | Potential server side request forgery due to $@. | SpringSSRF.java:26:33:26:60 | getParameter(...) | a user-provided value |
|
||||
| SpringSSRF.java:41:42:41:55 | fooResourceUrl | SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:41:42:41:55 | fooResourceUrl | Potential server side request forgery due to $@. | SpringSSRF.java:26:33:26:60 | getParameter(...) | a user-provided value |
|
||||
| SpringSSRF.java:45:47:45:60 | fooResourceUrl | SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:45:47:45:60 | fooResourceUrl | Potential server side request forgery due to $@. | SpringSSRF.java:26:33:26:60 | getParameter(...) | a user-provided value |
|
||||
| SpringSSRF.java:54:59:54:72 | fooResourceUrl | SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:54:59:54:72 | fooResourceUrl | Potential server side request forgery due to $@. | SpringSSRF.java:26:33:26:60 | getParameter(...) | a user-provided value |
|
||||
| SpringSSRF.java:58:74:58:96 | new URI(...) | SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:58:74:58:96 | new URI(...) | Potential server side request forgery due to $@. | SpringSSRF.java:26:33:26:60 | getParameter(...) | a user-provided value |
|
||||
| SpringSSRF.java:62:57:62:70 | fooResourceUrl | SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:62:57:62:70 | fooResourceUrl | Potential server side request forgery due to $@. | SpringSSRF.java:26:33:26:60 | getParameter(...) | a user-provided value |
|
||||
| SpringSSRF.java:66:48:66:61 | fooResourceUrl | SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:66:48:66:61 | fooResourceUrl | Potential server side request forgery due to $@. | SpringSSRF.java:26:33:26:60 | getParameter(...) | a user-provided value |
|
||||
| SpringSSRF.java:69:30:69:43 | fooResourceUrl | SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:69:30:69:43 | fooResourceUrl | Potential server side request forgery due to $@. | SpringSSRF.java:26:33:26:60 | getParameter(...) | a user-provided value |
|
||||
|
||||
@@ -5,48 +5,68 @@ import org.springframework.http.HttpEntity;
|
||||
import org.springframework.http.HttpStatus;
|
||||
import java.net.URI;
|
||||
import org.springframework.http.HttpMethod;
|
||||
import java.io.IOException;
|
||||
import java.net.URI;
|
||||
import java.net.*;
|
||||
import java.net.http.HttpClient;
|
||||
import java.net.http.HttpRequest;
|
||||
import java.net.Proxy.Type;
|
||||
import java.io.InputStream;
|
||||
|
||||
public class SpringSSRF {
|
||||
import org.apache.http.client.methods.HttpGet;
|
||||
import javax.servlet.ServletException;
|
||||
import javax.servlet.http.HttpServlet;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
|
||||
public static void main(String[] args) throws Exception {
|
||||
public class SpringSSRF extends HttpServlet {
|
||||
|
||||
protected void doGet(HttpServletRequest request2, HttpServletResponse response2)
|
||||
throws ServletException, IOException {
|
||||
String fooResourceUrl = request2.getParameter("uri");;
|
||||
RestTemplate restTemplate = new RestTemplate();
|
||||
String fooResourceUrl = args[1];
|
||||
HttpEntity<String> request = new HttpEntity<>(new String("bar"));
|
||||
|
||||
{
|
||||
ResponseEntity<String> response = restTemplate.getForEntity(fooResourceUrl + "/1", String.class);
|
||||
ResponseEntity<String> response =
|
||||
restTemplate.getForEntity(fooResourceUrl + "/1", String.class);
|
||||
}
|
||||
|
||||
{
|
||||
ResponseEntity<String> response = restTemplate.exchange(fooResourceUrl, HttpMethod.POST, request,
|
||||
String.class);
|
||||
ResponseEntity<String> response =
|
||||
restTemplate.exchange(fooResourceUrl, HttpMethod.POST, request, String.class);
|
||||
}
|
||||
{
|
||||
ResponseEntity<String> response = restTemplate.execute(fooResourceUrl, HttpMethod.POST, null, null, "test");
|
||||
ResponseEntity<String> response =
|
||||
restTemplate.execute(fooResourceUrl, HttpMethod.POST, null, null, "test");
|
||||
}
|
||||
{
|
||||
ResponseEntity<String> response = restTemplate.getForEntity(fooResourceUrl, String.class, "test");
|
||||
ResponseEntity<String> response =
|
||||
restTemplate.getForEntity(fooResourceUrl, String.class, "test");
|
||||
}
|
||||
{
|
||||
String body = new String("body");
|
||||
RequestEntity<String> requestEntity = RequestEntity.post(new URI(fooResourceUrl)).body(body);
|
||||
RequestEntity<String> requestEntity =
|
||||
RequestEntity.post(new URI(fooResourceUrl)).body(body);
|
||||
ResponseEntity<String> response = restTemplate.exchange(requestEntity, String.class);
|
||||
}
|
||||
{
|
||||
String response = restTemplate.patchForObject(fooResourceUrl, new String("object"), String.class, "hi");
|
||||
String response = restTemplate.patchForObject(fooResourceUrl, new String("object"),
|
||||
String.class, "hi");
|
||||
}
|
||||
{
|
||||
ResponseEntity<String> response = restTemplate.postForEntity(new URI(fooResourceUrl), new String("object"),
|
||||
String.class);
|
||||
ResponseEntity<String> response = restTemplate.postForEntity(new URI(fooResourceUrl),
|
||||
new String("object"), String.class);
|
||||
}
|
||||
{
|
||||
URI response = restTemplate.postForLocation(fooResourceUrl, new String("object"));
|
||||
}
|
||||
{
|
||||
String response = restTemplate.postForObject(fooResourceUrl, new String("object"), String.class);
|
||||
String response =
|
||||
restTemplate.postForObject(fooResourceUrl, new String("object"), String.class);
|
||||
}
|
||||
{
|
||||
restTemplate.put(fooResourceUrl, new String("object"));
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
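Review bot: `String fooResourceUrl = request2.getParameter("uri");;` ends with a stray second semicolon, i.e. an empty statement. The parameters are named `request2`/`response2` only to avoid the clash with the local `HttpEntity<String> request`; renaming the entity instead, `HttpEntity<String> entity = new HttpEntity<>(new String("bar"));` and `restTemplate.exchange(fooResourceUrl, HttpMethod.POST, entity, String.class)`, keeps the conventional servlet parameter names (note the `.expected` file references column positions on the `getParameter` line, so it would need regenerating). As in the JAX-RS test, the `java.net.http`, `Proxy.Type`, `InputStream` and `HttpGet` imports are unused, `import java.net.URI;` duplicates `import java.net.*;`, and `doGet` lacks `@Override`.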