hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-30 02:51:24 +02:00
Code Issues Packages Projects Releases Wiki Activity

Improve how org.apache.http.client.HttpClient is created in test

Browse Source
This commit is contained in:
Owen Mansel-Chan
2026-05-28 10:30:43 +01:00
parent a159dc1c66
commit 37589dd8a0
4 changed files with 46 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
java/ql/test/query-tests/security/CWE-918/ApacheHttpClientExecuteSSRF.java
View File

@@ -5,6 +5,7 @@ import org.apache.http.HttpRequest;
import org.apache.http.client.HttpClient;
import org.apache.http.client.ResponseHandler;
import org.apache.http.client.methods.HttpUriRequest;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.message.BasicHttpRequest;
import org.apache.http.protocol.HttpContext;
import javax.servlet.ServletException;
@@ -24,7 +25,7 @@ public class ApacheHttpClientExecuteSSRF extends HttpServlet {
HttpRequest req = new BasicHttpRequest("GET", "/");
HttpUriRequest uriReq = (HttpUriRequest) (Object) source;
HttpContext context = null;
HttpClient client = null;
HttpClient client = HttpClients.createDefault();
ResponseHandler<Object> handler = null;
client.execute(host, req); // $ Alert

54
java/ql/test/query-tests/security/CWE-918/RequestForgery.expected
View File

@@ -1,12 +1,12 @@
#select
| ApacheHttpClientExecuteSSRF.java:30:28:30:31 | host | ApacheHttpClientExecuteSSRF.java:21:29:21:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:30:28:30:31 | host | Potential server-side request forgery due to a $@. | ApacheHttpClientExecuteSSRF.java:21:29:21:56 | getParameter(...) | user-provided value |
| ApacheHttpClientExecuteSSRF.java:31:28:31:31 | host | ApacheHttpClientExecuteSSRF.java:21:29:21:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:31:28:31:31 | host | Potential server-side request forgery due to a $@. | ApacheHttpClientExecuteSSRF.java:21:29:21:56 | getParameter(...) | user-provided value |
| ApacheHttpClientExecuteSSRF.java:32:28:32:31 | host | ApacheHttpClientExecuteSSRF.java:21:29:21:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:32:28:32:31 | host | Potential server-side request forgery due to a $@. | ApacheHttpClientExecuteSSRF.java:21:29:21:56 | getParameter(...) | user-provided value |
| ApacheHttpClientExecuteSSRF.java:33:28:33:31 | host | ApacheHttpClientExecuteSSRF.java:21:29:21:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:33:28:33:31 | host | Potential server-side request forgery due to a $@. | ApacheHttpClientExecuteSSRF.java:21:29:21:56 | getParameter(...) | user-provided value |
| ApacheHttpClientExecuteSSRF.java:34:28:34:33 | uriReq | ApacheHttpClientExecuteSSRF.java:21:29:21:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:34:28:34:33 | uriReq | Potential server-side request forgery due to a $@. | ApacheHttpClientExecuteSSRF.java:21:29:21:56 | getParameter(...) | user-provided value |
| ApacheHttpClientExecuteSSRF.java:35:28:35:33 | uriReq | ApacheHttpClientExecuteSSRF.java:21:29:21:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:35:28:35:33 | uriReq | Potential server-side request forgery due to a $@. | ApacheHttpClientExecuteSSRF.java:21:29:21:56 | getParameter(...) | user-provided value |
| ApacheHttpClientExecuteSSRF.java:36:28:36:33 | uriReq | ApacheHttpClientExecuteSSRF.java:21:29:21:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:36:28:36:33 | uriReq | Potential server-side request forgery due to a $@. | ApacheHttpClientExecuteSSRF.java:21:29:21:56 | getParameter(...) | user-provided value |
| ApacheHttpClientExecuteSSRF.java:37:28:37:33 | uriReq | ApacheHttpClientExecuteSSRF.java:21:29:21:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:37:28:37:33 | uriReq | Potential server-side request forgery due to a $@. | ApacheHttpClientExecuteSSRF.java:21:29:21:56 | getParameter(...) | user-provided value |
| ApacheHttpClientExecuteSSRF.java:31:28:31:31 | host | ApacheHttpClientExecuteSSRF.java:22:29:22:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:31:28:31:31 | host | Potential server-side request forgery due to a $@. | ApacheHttpClientExecuteSSRF.java:22:29:22:56 | getParameter(...) | user-provided value |
| ApacheHttpClientExecuteSSRF.java:32:28:32:31 | host | ApacheHttpClientExecuteSSRF.java:22:29:22:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:32:28:32:31 | host | Potential server-side request forgery due to a $@. | ApacheHttpClientExecuteSSRF.java:22:29:22:56 | getParameter(...) | user-provided value |
| ApacheHttpClientExecuteSSRF.java:33:28:33:31 | host | ApacheHttpClientExecuteSSRF.java:22:29:22:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:33:28:33:31 | host | Potential server-side request forgery due to a $@. | ApacheHttpClientExecuteSSRF.java:22:29:22:56 | getParameter(...) | user-provided value |
| ApacheHttpClientExecuteSSRF.java:34:28:34:31 | host | ApacheHttpClientExecuteSSRF.java:22:29:22:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:34:28:34:31 | host | Potential server-side request forgery due to a $@. | ApacheHttpClientExecuteSSRF.java:22:29:22:56 | getParameter(...) | user-provided value |
| ApacheHttpClientExecuteSSRF.java:35:28:35:33 | uriReq | ApacheHttpClientExecuteSSRF.java:22:29:22:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:35:28:35:33 | uriReq | Potential server-side request forgery due to a $@. | ApacheHttpClientExecuteSSRF.java:22:29:22:56 | getParameter(...) | user-provided value |
| ApacheHttpClientExecuteSSRF.java:36:28:36:33 | uriReq | ApacheHttpClientExecuteSSRF.java:22:29:22:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:36:28:36:33 | uriReq | Potential server-side request forgery due to a $@. | ApacheHttpClientExecuteSSRF.java:22:29:22:56 | getParameter(...) | user-provided value |
| ApacheHttpClientExecuteSSRF.java:37:28:37:33 | uriReq | ApacheHttpClientExecuteSSRF.java:22:29:22:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:37:28:37:33 | uriReq | Potential server-side request forgery due to a $@. | ApacheHttpClientExecuteSSRF.java:22:29:22:56 | getParameter(...) | user-provided value |
| ApacheHttpClientExecuteSSRF.java:38:28:38:33 | uriReq | ApacheHttpClientExecuteSSRF.java:22:29:22:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:38:28:38:33 | uriReq | Potential server-side request forgery due to a $@. | ApacheHttpClientExecuteSSRF.java:22:29:22:56 | getParameter(...) | user-provided value |
| ApacheHttpSSRF.java:30:43:30:45 | uri | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) : String | ApacheHttpSSRF.java:30:43:30:45 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) | user-provided value |
| ApacheHttpSSRF.java:32:29:32:31 | uri | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) : String | ApacheHttpSSRF.java:32:29:32:31 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) | user-provided value |
| ApacheHttpSSRF.java:34:26:34:28 | uri | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) : String | ApacheHttpSSRF.java:34:26:34:28 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) | user-provided value |
@@ -385,18 +385,18 @@
| mad/Test.java:107:15:107:31 | (...)... | mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:107:15:107:31 | (...)... | Potential server-side request forgery due to a $@. | mad/Test.java:26:16:26:41 | getParameter(...) | user-provided value |
| mad/Test.java:112:15:112:31 | (...)... | mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:112:15:112:31 | (...)... | Potential server-side request forgery due to a $@. | mad/Test.java:26:16:26:41 | getParameter(...) | user-provided value |
edges
| ApacheHttpClientExecuteSSRF.java:21:29:21:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:23:42:23:47 | source : String | provenance | Src:MaD:285 |
| ApacheHttpClientExecuteSSRF.java:21:29:21:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:25:54:25:68 | (...)... : String | provenance | Src:MaD:285 |
| ApacheHttpClientExecuteSSRF.java:23:29:23:48 | new HttpHost(...) : HttpHost | ApacheHttpClientExecuteSSRF.java:30:28:30:31 | host | provenance | Sink:MaD:228 |
| ApacheHttpClientExecuteSSRF.java:23:29:23:48 | new HttpHost(...) : HttpHost | ApacheHttpClientExecuteSSRF.java:31:28:31:31 | host | provenance | Sink:MaD:229 |
| ApacheHttpClientExecuteSSRF.java:23:29:23:48 | new HttpHost(...) : HttpHost | ApacheHttpClientExecuteSSRF.java:32:28:32:31 | host | provenance | Sink:MaD:230 |
| ApacheHttpClientExecuteSSRF.java:23:29:23:48 | new HttpHost(...) : HttpHost | ApacheHttpClientExecuteSSRF.java:33:28:33:31 | host | provenance | Sink:MaD:231 |
| ApacheHttpClientExecuteSSRF.java:23:42:23:47 | source : String | ApacheHttpClientExecuteSSRF.java:23:29:23:48 | new HttpHost(...) : HttpHost | provenance | MaD:305 |
| ApacheHttpClientExecuteSSRF.java:25:37:25:68 | (...)... : String | ApacheHttpClientExecuteSSRF.java:34:28:34:33 | uriReq | provenance | Sink:MaD:232 |
| ApacheHttpClientExecuteSSRF.java:25:37:25:68 | (...)... : String | ApacheHttpClientExecuteSSRF.java:35:28:35:33 | uriReq | provenance | Sink:MaD:233 |
| ApacheHttpClientExecuteSSRF.java:25:37:25:68 | (...)... : String | ApacheHttpClientExecuteSSRF.java:36:28:36:33 | uriReq | provenance | Sink:MaD:234 |
| ApacheHttpClientExecuteSSRF.java:25:37:25:68 | (...)... : String | ApacheHttpClientExecuteSSRF.java:37:28:37:33 | uriReq | provenance | Sink:MaD:235 |
| ApacheHttpClientExecuteSSRF.java:25:54:25:68 | (...)... : String | ApacheHttpClientExecuteSSRF.java:25:37:25:68 | (...)... : String | provenance | |
| ApacheHttpClientExecuteSSRF.java:22:29:22:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:24:42:24:47 | source : String | provenance | Src:MaD:285 |
| ApacheHttpClientExecuteSSRF.java:22:29:22:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:26:54:26:68 | (...)... : String | provenance | Src:MaD:285 |
| ApacheHttpClientExecuteSSRF.java:24:29:24:48 | new HttpHost(...) : HttpHost | ApacheHttpClientExecuteSSRF.java:31:28:31:31 | host | provenance | Sink:MaD:228 |
| ApacheHttpClientExecuteSSRF.java:24:29:24:48 | new HttpHost(...) : HttpHost | ApacheHttpClientExecuteSSRF.java:32:28:32:31 | host | provenance | Sink:MaD:229 |
| ApacheHttpClientExecuteSSRF.java:24:29:24:48 | new HttpHost(...) : HttpHost | ApacheHttpClientExecuteSSRF.java:33:28:33:31 | host | provenance | Sink:MaD:230 |
| ApacheHttpClientExecuteSSRF.java:24:29:24:48 | new HttpHost(...) : HttpHost | ApacheHttpClientExecuteSSRF.java:34:28:34:31 | host | provenance | Sink:MaD:231 |
| ApacheHttpClientExecuteSSRF.java:24:42:24:47 | source : String | ApacheHttpClientExecuteSSRF.java:24:29:24:48 | new HttpHost(...) : HttpHost | provenance | MaD:305 |
| ApacheHttpClientExecuteSSRF.java:26:37:26:68 | (...)... : String | ApacheHttpClientExecuteSSRF.java:35:28:35:33 | uriReq | provenance | Sink:MaD:232 |
| ApacheHttpClientExecuteSSRF.java:26:37:26:68 | (...)... : String | ApacheHttpClientExecuteSSRF.java:36:28:36:33 | uriReq | provenance | Sink:MaD:233 |
| ApacheHttpClientExecuteSSRF.java:26:37:26:68 | (...)... : String | ApacheHttpClientExecuteSSRF.java:37:28:37:33 | uriReq | provenance | Sink:MaD:234 |
| ApacheHttpClientExecuteSSRF.java:26:37:26:68 | (...)... : String | ApacheHttpClientExecuteSSRF.java:38:28:38:33 | uriReq | provenance | Sink:MaD:235 |
| ApacheHttpClientExecuteSSRF.java:26:54:26:68 | (...)... : String | ApacheHttpClientExecuteSSRF.java:26:37:26:68 | (...)... : String | provenance | |
| ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) : String | ApacheHttpSSRF.java:28:31:28:34 | sink : String | provenance | Src:MaD:285 |
| ApacheHttpSSRF.java:28:23:28:35 | new URI(...) : URI | ApacheHttpSSRF.java:30:43:30:45 | uri | provenance | Sink:MaD:211 |
| ApacheHttpSSRF.java:28:23:28:35 | new URI(...) : URI | ApacheHttpSSRF.java:32:29:32:31 | uri | provenance | Sink:MaD:217 |
@@ -1405,19 +1405,19 @@ models
| 304 | Summary: org.apache.http.message; BasicRequestLine; false; BasicRequestLine; ; ; Argument[1]; Argument[this]; taint; manual |
| 305 | Summary: org.apache.http; HttpHost; true; HttpHost; (String); ; Argument[0]; Argument[this]; taint; hq-manual |
nodes
| ApacheHttpClientExecuteSSRF.java:21:29:21:56 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| ApacheHttpClientExecuteSSRF.java:23:29:23:48 | new HttpHost(...) : HttpHost | semmle.label | new HttpHost(...) : HttpHost |
| ApacheHttpClientExecuteSSRF.java:23:42:23:47 | source : String | semmle.label | source : String |
| ApacheHttpClientExecuteSSRF.java:25:37:25:68 | (...)... : String | semmle.label | (...)... : String |
| ApacheHttpClientExecuteSSRF.java:25:54:25:68 | (...)... : String | semmle.label | (...)... : String |
| ApacheHttpClientExecuteSSRF.java:30:28:30:31 | host | semmle.label | host |
| ApacheHttpClientExecuteSSRF.java:22:29:22:56 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| ApacheHttpClientExecuteSSRF.java:24:29:24:48 | new HttpHost(...) : HttpHost | semmle.label | new HttpHost(...) : HttpHost |
| ApacheHttpClientExecuteSSRF.java:24:42:24:47 | source : String | semmle.label | source : String |
| ApacheHttpClientExecuteSSRF.java:26:37:26:68 | (...)... : String | semmle.label | (...)... : String |
| ApacheHttpClientExecuteSSRF.java:26:54:26:68 | (...)... : String | semmle.label | (...)... : String |
| ApacheHttpClientExecuteSSRF.java:31:28:31:31 | host | semmle.label | host |
| ApacheHttpClientExecuteSSRF.java:32:28:32:31 | host | semmle.label | host |
| ApacheHttpClientExecuteSSRF.java:33:28:33:31 | host | semmle.label | host |
| ApacheHttpClientExecuteSSRF.java:34:28:34:33 | uriReq | semmle.label | uriReq |
| ApacheHttpClientExecuteSSRF.java:34:28:34:31 | host | semmle.label | host |
| ApacheHttpClientExecuteSSRF.java:35:28:35:33 | uriReq | semmle.label | uriReq |
| ApacheHttpClientExecuteSSRF.java:36:28:36:33 | uriReq | semmle.label | uriReq |
| ApacheHttpClientExecuteSSRF.java:37:28:37:33 | uriReq | semmle.label | uriReq |
| ApacheHttpClientExecuteSSRF.java:38:28:38:33 | uriReq | semmle.label | uriReq |
| ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| ApacheHttpSSRF.java:28:23:28:35 | new URI(...) : URI | semmle.label | new URI(...) : URI |
| ApacheHttpSSRF.java:28:31:28:34 | sink : String | semmle.label | sink : String |

7
java/ql/test/stubs/apache-http-client-4.4.13/org/apache/http/impl/client/CloseableHttpClient.java generated Normal file
View File

@@ -0,0 +1,7 @@
package org.apache.http.impl.client;
import org.apache.http.client.HttpClient;
public abstract class CloseableHttpClient implements HttpClient {
}

10
java/ql/test/stubs/apache-http-client-4.4.13/org/apache/http/impl/client/HttpClients.java generated Normal file
View File

@@ -0,0 +1,10 @@
// Generated automatically from org.apache.http.client.HttpClient for testing purposes
package org.apache.http.impl.client;
import java.io.IOException;
import org.apache.http.impl.client.CloseableHttpClient;
public final class HttpClients {
public static CloseableHttpClient createDefault() { return null; }
}