From 37589dd8a0e1a70c99095d5a231a695b705a4626 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Thu, 28 May 2026 10:30:43 +0100
Subject: [PATCH] Improve how `org.apache.http.client.HttpClient` is created in test
---
 .../CWE-918/ApacheHttpClientExecuteSSRF.java | 3 +-
 .../security/CWE-918/RequestForgery.expected | 54 +++++++++----------
 .../http/impl/client/CloseableHttpClient.java | 7 +++
 .../apache/http/impl/client/HttpClients.java | 10 ++++
 4 files changed, 46 insertions(+), 28 deletions(-)
 create mode 100644 java/ql/test/stubs/apache-http-client-4.4.13/org/apache/http/impl/client/CloseableHttpClient.java
 create mode 100644 java/ql/test/stubs/apache-http-client-4.4.13/org/apache/http/impl/client/HttpClients.java
diff --git a/java/ql/test/query-tests/security/CWE-918/ApacheHttpClientExecuteSSRF.java b/java/ql/test/query-tests/security/CWE-918/ApacheHttpClientExecuteSSRF.java
index 0074e228e86..505783e23eb 100644
--- a/java/ql/test/query-tests/security/CWE-918/ApacheHttpClientExecuteSSRF.java
+++ b/java/ql/test/query-tests/security/CWE-918/ApacheHttpClientExecuteSSRF.java
@@ -5,6 +5,7 @@ import org.apache.http.HttpRequest;
 import org.apache.http.client.HttpClient;
 import org.apache.http.client.ResponseHandler;
 import org.apache.http.client.methods.HttpUriRequest;
+import org.apache.http.impl.client.HttpClients;
 import org.apache.http.message.BasicHttpRequest;
 import org.apache.http.protocol.HttpContext;
 import javax.servlet.ServletException;
@@ -24,7 +25,7 @@ public class ApacheHttpClientExecuteSSRF extends HttpServlet {
 HttpRequest req = new BasicHttpRequest("GET", "/");
 HttpUriRequest uriReq = (HttpUriRequest) (Object) source;
 HttpContext context = null;
- HttpClient client = null;
+ HttpClient client = HttpClients.createDefault();
 ResponseHandler handler = null;
 client.execute(host, req); // $ Alert
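Review bot: The new `CloseableHttpClient` stub is only exercised as a return type in the second hunk, because `client` is still declared through the `HttpClient` interface, so the `execute` sinks on the following lines are still resolved against `org.apache.http.client.HttpClient`. If the intent is to mirror how the library is normally used, `CloseableHttpClient client = HttpClients.createDefault();` (with the matching import) would do that and would also confirm that the `execute` sink models apply through the concrete subtype; whether it alters the expected output depends on how those models are declared, which this patch does not show. The enclosing method starts and ends outside the hunk.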
diff --git a/java/ql/test/query-tests/security/CWE-918/RequestForgery.expected b/java/ql/test/query-tests/security/CWE-918/RequestForgery.expected
index fb0e61c90d8..45345b175b9 100644
--- a/java/ql/test/query-tests/security/CWE-918/RequestForgery.expected
+++ b/java/ql/test/query-tests/security/CWE-918/RequestForgery.expected
@@ -1,12 +1,12 @@ #select -| ApacheHttpClientExecuteSSRF.java:30:28:30:31 | host | ApacheHttpClientExecuteSSRF.java:21:29:21:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:30:28:30:31 | host | Potential server-side request forgery due to a $@. | ApacheHttpClientExecuteSSRF.java:21:29:21:56 | getParameter(...) | user-provided value | -| ApacheHttpClientExecuteSSRF.java:31:28:31:31 | host | ApacheHttpClientExecuteSSRF.java:21:29:21:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:31:28:31:31 | host | Potential server-side request forgery due to a $@. | ApacheHttpClientExecuteSSRF.java:21:29:21:56 | getParameter(...) | user-provided value | -| ApacheHttpClientExecuteSSRF.java:32:28:32:31 | host | ApacheHttpClientExecuteSSRF.java:21:29:21:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:32:28:32:31 | host | Potential server-side request forgery due to a $@. | ApacheHttpClientExecuteSSRF.java:21:29:21:56 | getParameter(...) | user-provided value | -| ApacheHttpClientExecuteSSRF.java:33:28:33:31 | host | ApacheHttpClientExecuteSSRF.java:21:29:21:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:33:28:33:31 | host | Potential server-side request forgery due to a $@. | ApacheHttpClientExecuteSSRF.java:21:29:21:56 | getParameter(...) | user-provided value | -| ApacheHttpClientExecuteSSRF.java:34:28:34:33 | uriReq | ApacheHttpClientExecuteSSRF.java:21:29:21:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:34:28:34:33 | uriReq | Potential server-side request forgery due to a $@. | ApacheHttpClientExecuteSSRF.java:21:29:21:56 | getParameter(...) | user-provided value | -| ApacheHttpClientExecuteSSRF.java:35:28:35:33 | uriReq | ApacheHttpClientExecuteSSRF.java:21:29:21:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:35:28:35:33 | uriReq | Potential server-side request forgery due to a $@. | ApacheHttpClientExecuteSSRF.java:21:29:21:56 | getParameter(...) 
| user-provided value | -| ApacheHttpClientExecuteSSRF.java:36:28:36:33 | uriReq | ApacheHttpClientExecuteSSRF.java:21:29:21:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:36:28:36:33 | uriReq | Potential server-side request forgery due to a $@. | ApacheHttpClientExecuteSSRF.java:21:29:21:56 | getParameter(...) | user-provided value | -| ApacheHttpClientExecuteSSRF.java:37:28:37:33 | uriReq | ApacheHttpClientExecuteSSRF.java:21:29:21:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:37:28:37:33 | uriReq | Potential server-side request forgery due to a $@. | ApacheHttpClientExecuteSSRF.java:21:29:21:56 | getParameter(...) | user-provided value | +| ApacheHttpClientExecuteSSRF.java:31:28:31:31 | host | ApacheHttpClientExecuteSSRF.java:22:29:22:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:31:28:31:31 | host | Potential server-side request forgery due to a $@. | ApacheHttpClientExecuteSSRF.java:22:29:22:56 | getParameter(...) | user-provided value | +| ApacheHttpClientExecuteSSRF.java:32:28:32:31 | host | ApacheHttpClientExecuteSSRF.java:22:29:22:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:32:28:32:31 | host | Potential server-side request forgery due to a $@. | ApacheHttpClientExecuteSSRF.java:22:29:22:56 | getParameter(...) | user-provided value | +| ApacheHttpClientExecuteSSRF.java:33:28:33:31 | host | ApacheHttpClientExecuteSSRF.java:22:29:22:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:33:28:33:31 | host | Potential server-side request forgery due to a $@. | ApacheHttpClientExecuteSSRF.java:22:29:22:56 | getParameter(...) | user-provided value | +| ApacheHttpClientExecuteSSRF.java:34:28:34:31 | host | ApacheHttpClientExecuteSSRF.java:22:29:22:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:34:28:34:31 | host | Potential server-side request forgery due to a $@. | ApacheHttpClientExecuteSSRF.java:22:29:22:56 | getParameter(...) 
| user-provided value | +| ApacheHttpClientExecuteSSRF.java:35:28:35:33 | uriReq | ApacheHttpClientExecuteSSRF.java:22:29:22:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:35:28:35:33 | uriReq | Potential server-side request forgery due to a $@. | ApacheHttpClientExecuteSSRF.java:22:29:22:56 | getParameter(...) | user-provided value | +| ApacheHttpClientExecuteSSRF.java:36:28:36:33 | uriReq | ApacheHttpClientExecuteSSRF.java:22:29:22:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:36:28:36:33 | uriReq | Potential server-side request forgery due to a $@. | ApacheHttpClientExecuteSSRF.java:22:29:22:56 | getParameter(...) | user-provided value | +| ApacheHttpClientExecuteSSRF.java:37:28:37:33 | uriReq | ApacheHttpClientExecuteSSRF.java:22:29:22:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:37:28:37:33 | uriReq | Potential server-side request forgery due to a $@. | ApacheHttpClientExecuteSSRF.java:22:29:22:56 | getParameter(...) | user-provided value | +| ApacheHttpClientExecuteSSRF.java:38:28:38:33 | uriReq | ApacheHttpClientExecuteSSRF.java:22:29:22:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:38:28:38:33 | uriReq | Potential server-side request forgery due to a $@. | ApacheHttpClientExecuteSSRF.java:22:29:22:56 | getParameter(...) | user-provided value | | ApacheHttpSSRF.java:30:43:30:45 | uri | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) : String | ApacheHttpSSRF.java:30:43:30:45 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) | user-provided value | | ApacheHttpSSRF.java:32:29:32:31 | uri | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) : String | ApacheHttpSSRF.java:32:29:32:31 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) | user-provided value | | ApacheHttpSSRF.java:34:26:34:28 | uri | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) 
: String | ApacheHttpSSRF.java:34:26:34:28 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) | user-provided value | 
@@ -385,18 +385,18 @@ | mad/Test.java:107:15:107:31 | (...)... | mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:107:15:107:31 | (...)... | Potential server-side request forgery due to a $@. | mad/Test.java:26:16:26:41 | getParameter(...) | user-provided value | | mad/Test.java:112:15:112:31 | (...)... | mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:112:15:112:31 | (...)... | Potential server-side request forgery due to a $@. | mad/Test.java:26:16:26:41 | getParameter(...) | user-provided value | edges -| ApacheHttpClientExecuteSSRF.java:21:29:21:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:23:42:23:47 | source : String | provenance | Src:MaD:285 | -| ApacheHttpClientExecuteSSRF.java:21:29:21:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:25:54:25:68 | (...)... : String | provenance | Src:MaD:285 | -| ApacheHttpClientExecuteSSRF.java:23:29:23:48 | new HttpHost(...) : HttpHost | ApacheHttpClientExecuteSSRF.java:30:28:30:31 | host | provenance | Sink:MaD:228 | -| ApacheHttpClientExecuteSSRF.java:23:29:23:48 | new HttpHost(...) : HttpHost | ApacheHttpClientExecuteSSRF.java:31:28:31:31 | host | provenance | Sink:MaD:229 | -| ApacheHttpClientExecuteSSRF.java:23:29:23:48 | new HttpHost(...) : HttpHost | ApacheHttpClientExecuteSSRF.java:32:28:32:31 | host | provenance | Sink:MaD:230 | -| ApacheHttpClientExecuteSSRF.java:23:29:23:48 | new HttpHost(...) : HttpHost | ApacheHttpClientExecuteSSRF.java:33:28:33:31 | host | provenance | Sink:MaD:231 | -| ApacheHttpClientExecuteSSRF.java:23:42:23:47 | source : String | ApacheHttpClientExecuteSSRF.java:23:29:23:48 | new HttpHost(...) : HttpHost | provenance | MaD:305 | -| ApacheHttpClientExecuteSSRF.java:25:37:25:68 | (...)... : String | ApacheHttpClientExecuteSSRF.java:34:28:34:33 | uriReq | provenance | Sink:MaD:232 | -| ApacheHttpClientExecuteSSRF.java:25:37:25:68 | (...)... 
: String | ApacheHttpClientExecuteSSRF.java:35:28:35:33 | uriReq | provenance | Sink:MaD:233 | -| ApacheHttpClientExecuteSSRF.java:25:37:25:68 | (...)... : String | ApacheHttpClientExecuteSSRF.java:36:28:36:33 | uriReq | provenance | Sink:MaD:234 | -| ApacheHttpClientExecuteSSRF.java:25:37:25:68 | (...)... : String | ApacheHttpClientExecuteSSRF.java:37:28:37:33 | uriReq | provenance | Sink:MaD:235 | -| ApacheHttpClientExecuteSSRF.java:25:54:25:68 | (...)... : String | ApacheHttpClientExecuteSSRF.java:25:37:25:68 | (...)... : String | provenance | | +| ApacheHttpClientExecuteSSRF.java:22:29:22:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:24:42:24:47 | source : String | provenance | Src:MaD:285 | +| ApacheHttpClientExecuteSSRF.java:22:29:22:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:26:54:26:68 | (...)... : String | provenance | Src:MaD:285 | +| ApacheHttpClientExecuteSSRF.java:24:29:24:48 | new HttpHost(...) : HttpHost | ApacheHttpClientExecuteSSRF.java:31:28:31:31 | host | provenance | Sink:MaD:228 | +| ApacheHttpClientExecuteSSRF.java:24:29:24:48 | new HttpHost(...) : HttpHost | ApacheHttpClientExecuteSSRF.java:32:28:32:31 | host | provenance | Sink:MaD:229 | +| ApacheHttpClientExecuteSSRF.java:24:29:24:48 | new HttpHost(...) : HttpHost | ApacheHttpClientExecuteSSRF.java:33:28:33:31 | host | provenance | Sink:MaD:230 | +| ApacheHttpClientExecuteSSRF.java:24:29:24:48 | new HttpHost(...) : HttpHost | ApacheHttpClientExecuteSSRF.java:34:28:34:31 | host | provenance | Sink:MaD:231 | +| ApacheHttpClientExecuteSSRF.java:24:42:24:47 | source : String | ApacheHttpClientExecuteSSRF.java:24:29:24:48 | new HttpHost(...) : HttpHost | provenance | MaD:305 | +| ApacheHttpClientExecuteSSRF.java:26:37:26:68 | (...)... : String | ApacheHttpClientExecuteSSRF.java:35:28:35:33 | uriReq | provenance | Sink:MaD:232 | +| ApacheHttpClientExecuteSSRF.java:26:37:26:68 | (...)... 
: String | ApacheHttpClientExecuteSSRF.java:36:28:36:33 | uriReq | provenance | Sink:MaD:233 | +| ApacheHttpClientExecuteSSRF.java:26:37:26:68 | (...)... : String | ApacheHttpClientExecuteSSRF.java:37:28:37:33 | uriReq | provenance | Sink:MaD:234 | +| ApacheHttpClientExecuteSSRF.java:26:37:26:68 | (...)... : String | ApacheHttpClientExecuteSSRF.java:38:28:38:33 | uriReq | provenance | Sink:MaD:235 | +| ApacheHttpClientExecuteSSRF.java:26:54:26:68 | (...)... : String | ApacheHttpClientExecuteSSRF.java:26:37:26:68 | (...)... : String | provenance | | | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) : String | ApacheHttpSSRF.java:28:31:28:34 | sink : String | provenance | Src:MaD:285 | | ApacheHttpSSRF.java:28:23:28:35 | new URI(...) : URI | ApacheHttpSSRF.java:30:43:30:45 | uri | provenance | Sink:MaD:211 | | ApacheHttpSSRF.java:28:23:28:35 | new URI(...) : URI | ApacheHttpSSRF.java:32:29:32:31 | uri | provenance | Sink:MaD:217 | 
@@ -1405,19 +1405,19 @@ models | 304 | Summary: org.apache.http.message; BasicRequestLine; false; BasicRequestLine; ; ; Argument[1]; Argument[this]; taint; manual | | 305 | Summary: org.apache.http; HttpHost; true; HttpHost; (String); ; Argument[0]; Argument[this]; taint; hq-manual | nodes -| ApacheHttpClientExecuteSSRF.java:21:29:21:56 | getParameter(...) : String | semmle.label | getParameter(...) : String | -| ApacheHttpClientExecuteSSRF.java:23:29:23:48 | new HttpHost(...) : HttpHost | semmle.label | new HttpHost(...) : HttpHost | -| ApacheHttpClientExecuteSSRF.java:23:42:23:47 | source : String | semmle.label | source : String | -| ApacheHttpClientExecuteSSRF.java:25:37:25:68 | (...)... : String | semmle.label | (...)... : String | -| ApacheHttpClientExecuteSSRF.java:25:54:25:68 | (...)... : String | semmle.label | (...)... : String | -| ApacheHttpClientExecuteSSRF.java:30:28:30:31 | host | semmle.label | host | +| ApacheHttpClientExecuteSSRF.java:22:29:22:56 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| ApacheHttpClientExecuteSSRF.java:24:29:24:48 | new HttpHost(...) : HttpHost | semmle.label | new HttpHost(...) : HttpHost | +| ApacheHttpClientExecuteSSRF.java:24:42:24:47 | source : String | semmle.label | source : String | +| ApacheHttpClientExecuteSSRF.java:26:37:26:68 | (...)... : String | semmle.label | (...)... : String | +| ApacheHttpClientExecuteSSRF.java:26:54:26:68 | (...)... : String | semmle.label | (...)... 
: String | | ApacheHttpClientExecuteSSRF.java:31:28:31:31 | host | semmle.label | host | | ApacheHttpClientExecuteSSRF.java:32:28:32:31 | host | semmle.label | host | | ApacheHttpClientExecuteSSRF.java:33:28:33:31 | host | semmle.label | host | -| ApacheHttpClientExecuteSSRF.java:34:28:34:33 | uriReq | semmle.label | uriReq | +| ApacheHttpClientExecuteSSRF.java:34:28:34:31 | host | semmle.label | host | | ApacheHttpClientExecuteSSRF.java:35:28:35:33 | uriReq | semmle.label | uriReq | | ApacheHttpClientExecuteSSRF.java:36:28:36:33 | uriReq | semmle.label | uriReq | | ApacheHttpClientExecuteSSRF.java:37:28:37:33 | uriReq | semmle.label | uriReq | +| ApacheHttpClientExecuteSSRF.java:38:28:38:33 | uriReq | semmle.label | uriReq | | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) : String | semmle.label | getParameter(...) : String | | ApacheHttpSSRF.java:28:23:28:35 | new URI(...) : URI | semmle.label | new URI(...) : URI | | ApacheHttpSSRF.java:28:31:28:34 | sink : String | semmle.label | sink : String |
diff --git a/java/ql/test/stubs/apache-http-client-4.4.13/org/apache/http/impl/client/CloseableHttpClient.java b/java/ql/test/stubs/apache-http-client-4.4.13/org/apache/http/impl/client/CloseableHttpClient.java
new file mode 100644
index 00000000000..dff62322e5a
--- /dev/null
+++ b/java/ql/test/stubs/apache-http-client-4.4.13/org/apache/http/impl/client/CloseableHttpClient.java
@@ -0,0 +1,7 @@
+package org.apache.http.impl.client;
+
+import org.apache.http.client.HttpClient;
+
+public abstract class CloseableHttpClient implements HttpClient {
+
+}
diff --git a/java/ql/test/stubs/apache-http-client-4.4.13/org/apache/http/impl/client/HttpClients.java b/java/ql/test/stubs/apache-http-client-4.4.13/org/apache/http/impl/client/HttpClients.java
new file mode 100644
index 00000000000..e5d1a2537c5
--- /dev/null
+++ b/java/ql/test/stubs/apache-http-client-4.4.13/org/apache/http/impl/client/HttpClients.java
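Review bot: The `CloseableHttpClient` stub declares only `implements HttpClient`, whereas the real 4.x class also implements `java.io.Closeable`, so a test that closes the client or uses it in a try-with-resources statement will not compile against this stub. Adding `import java.io.Closeable;` and changing the declaration to `public abstract class CloseableHttpClient implements HttpClient, Closeable {` keeps the stub usable for that pattern without adding any method bodies. The file also lacks the `// Generated automatically from … for testing purposes` header that the sibling `HttpClients.java` stub in this same patch carries; the two stubs should be consistent about whether they are marked as generated.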
@@ -0,0 +1,10 @@
+// Generated automatically from org.apache.http.client.HttpClient for testing purposes
+
+package org.apache.http.impl.client;
+
+import java.io.IOException;
+import org.apache.http.impl.client.CloseableHttpClient;
+
+public final class HttpClients {
+ public static CloseableHttpClient createDefault() { return null; }
+}
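Review bot: The header comment on the first added line names the wrong type: this file stubs `org.apache.http.impl.client.HttpClients`, not `org.apache.http.client.HttpClient`, so it should read `// Generated automatically from org.apache.http.impl.client.HttpClients for testing purposes`. The `import java.io.IOException;` line is unused by the single method, and `import org.apache.http.impl.client.CloseableHttpClient;` imports a type from the file's own package, so both lines can be dropped. Since the class is declared `final` with only a static factory, a `private HttpClients() {}` constructor would make the non-instantiable intent explicit, although for a stub that is optional.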