From 265922d2e509bbd93fbbe87227eb49204a083a5f Mon Sep 17 00:00:00 2001
From: "REDMOND\\brodes"
Date: Tue, 30 Sep 2025 14:07:32 -0400
Subject: [PATCH] Adding docs.
---
 .../lib/semmle/python/frameworks/SSRFSink.qll | 42 +++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 python/ql/lib/semmle/python/frameworks/SSRFSink.qll
diff --git a/python/ql/lib/semmle/python/frameworks/SSRFSink.qll b/python/ql/lib/semmle/python/frameworks/SSRFSink.qll
new file mode 100644
index 00000000000..e9b7ff9e474
--- /dev/null
+++ b/python/ql/lib/semmle/python/frameworks/SSRFSink.qll
@@ -0,0 +1,42 @@
+/**
+ * Provides classes for SSRF sinks modeled using Models as Data (MaD).
+ */
+
+private import python
+private import semmle.python.Concepts
+private import semmle.python.ApiGraphs
+private import semmle.python.frameworks.data.ModelsAsData
+
+/**
+ * INTERNAL: Do not use.
+ *
+ * Sets up SSRF sinks as Http::Client::Request
+ */
+module SSRFMaDModel {
+ /**
+ * An HTTP request modeled from `ssrf` sinks, modeled using MaD.
+ */
+ class SSRFSink extends Http::Client::Request::Range instanceof API::CallNode {
+ DataFlow::Node urlArg;
+
+ SSRFSink() {
+ (
+ this.getArg(_) = urlArg
+ or
+ this.getArgByName(_) = urlArg
+ ) and
+ urlArg = ModelOutput::getASinkNode("ssrf").asSink()
+ }
+
+ override DataFlow::Node getAUrlPart() { result = urlArg }
+
+ override string getFramework() { result = "MaD" }
+
+ override predicate disablesCertificateValidation(
+ DataFlow::Node disablingNode, DataFlow::Node argumentOrigin
+ ) {
+ // NOTE: if you need to define this, you have to special case it for every possible API in MaD
+ none()
+ }
+ }
+}
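Review bot: `disablesCertificateValidation` is hard-coded to `none()`, so every request discovered through an `ssrf` MaD sink is treated as validating certificates, and any query that depends on that predicate is silently blind for libraries modeled only this way; the inline `// NOTE` explains the implementation cost but not this consequence for whoever adds an `ssrf` row. Move the caveat into the class QLDoc where model authors will see it, e.g. `* Certificate-validation state is not modeled for MaD sinks: \`disablesCertificateValidation\` never holds for requests found this way.` Relatedly, `getFramework()` returns the literal `"MaD"` rather than the client library's name, so any consumer that shows the framework will not identify the library; if the package is not recoverable from the model row, say in the QLDoc that `"MaD"` is a placeholder. The characteristic predicate also binds `urlArg` to any positional or keyword argument tagged `ssrf`, so a model row that tags a non-URL argument surfaces it as a URL part via `getAUrlPart()` — a one-line QLDoc note on `getAUrlPart()` stating that every `ssrf`-tagged argument is returned would make that contract explicit.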