add request forgery query

java/ql/src/Security/CWE/CWE-319/HttpsUrls.ql

@@ -11,6 +11,7 @@
 
 import java
 import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.frameworks.javase.URL
 import DataFlow::PathGraph
 
 class HTTPString extends StringLiteral {
@@ -29,18 +30,6 @@ class HTTPString extends StringLiteral {
   }
 }
 
-class URLConstructor extends ClassInstanceExpr {
-  URLConstructor() { this.getConstructor().getDeclaringType().getQualifiedName() = "java.net.URL" }
-
-  Expr protocolArg() {
-    // In all cases except where the first parameter is a URL, the argument
-    // containing the protocol is the first one, otherwise it is the second.
-    if this.getConstructor().getParameter(0).getType().getName() = "URL"
-    then result = this.getArgument(1)
-    else result = this.getArgument(0)
-  }
-}
-
 class URLOpenMethod extends Method {
   URLOpenMethod() {
     this.getDeclaringType().getQualifiedName() = "java.net.URL" and

java/ql/src/experimental/CWE-918/RequestForgery.java

@@ -0,0 +1,20 @@
+import java.net.http.HttpClient;
+
+public class SSRF extends HttpServlet {
+	private static final String VALID_URI = "http://lgtm.com";
+	private HttpClient client = HttpClient.newHttpClient();
+
+	protected void doGet(HttpServletRequest request, HttpServletResponse response)
+		throws ServletException, IOException {
+		URI uri = new URI(request.getParameter("uri"));
+		// BAD: a request parameter is incorporated without validation into a Http request
+		HttpRequest r = HttpRequest.newBuilder(uri).build();
+		client.send(r, null);
+
+		// GOOD: the request parameter is validated against a known fixed string
+		if (VALID_URI.equals(request.getParameter("uri"))) {
+			HttpRequest r2 = HttpRequest.newBuilder(uri).build();
+			client.send(r2, null);
+		}
+	}
+}

java/ql/src/experimental/CWE-918/RequestForgery.qhelp

@@ -0,0 +1,37 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+
+<overview>
+<p>Directly incorporating user input into a HTTP request without validating the input
+can facilitate Server Side Request Forgery (SSRF) attacks. In these attacks, the server
+may be tricked into making a request and interacting with an attacker-controlled server. 
+</p>
+
+</overview>
+<recommendation>
+
+<p>To guard against SSRF attacks, it is advisable to avoid putting user input
+directly into the request URL. Instead, maintain a list of authorized
+URLs on the server; then choose from that list based on the user input provided.</p>
+
+</recommendation>
+<example>
+
+<p>The following example shows an HTTP request parameter being used directly in a forming a
+new request without validating the input, which facilitates SSRF attacks.
+It also shows how to remedy the problem by validating the user input against a known fixed string.
+</p>
+
+<sample src="RequestForgery.java" />
+
+</example>
+<references>
+  <li>
+    <a href="https://owasp.org/www-community/attacks/Server_Side_Request_Forgery">OWASP SSRF</a>
+  </li>
+
+</references>
+</qhelp>

java/ql/src/experimental/CWE-918/RequestForgery.ql

@@ -0,0 +1,21 @@
+/**
+ * @name Server Sider Request Forgery (SSRF) from remote source
+ * @description Making web requests based on unvalidated user-input
+ *              may cause server to communicate with malicious servers.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @id java/ssrf
+ * @tags security
+ *       external/cwe/cwe-918
+ */
+
+import java
+import semmle.code.java.dataflow.FlowSources
+import RequestForgery::RequestForgery
+import DataFlow::PathGraph
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, RequestForgeryRemoteConfiguration conf
+where conf.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "Potential server side request forgery due to $@.",
+  source.getNode(), "a user-provided value"

java/ql/src/experimental/CWE-918/RequestForgery.qll

@@ -0,0 +1,57 @@
+import java
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.frameworks.javase.URI
+import semmle.code.java.frameworks.javase.URL
+import semmle.code.java.frameworks.javase.Http
+import semmle.code.java.dataflow.DataFlow
+
+module RequestForgery {
+  import RequestForgeryCustomizations::RequestForgery
+
+  /**
+   * A taint-tracking configuration for reasoning about request forgery.
+   */
+  class RequestForgeryRemoteConfiguration extends TaintTracking::Configuration {
+    RequestForgeryRemoteConfiguration() { this = "Server Side Request Forgery" }
+
+    override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+    override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+      additionalStep(pred, succ)
+    }
+  }
+}
+
+predicate additionalStep(DataFlow::Node pred, DataFlow::Node succ) {
+  // propagate to a URI when its host is assigned to
+  exists(UriConstructor c | c.hostArg() = pred.asExpr() | succ.asExpr() = c)
+  or
+  // propagate to a URL when its host is assigned to
+  exists(UrlConstructor c | c.hostArg() = pred.asExpr() | succ.asExpr() = c)
+  or
+  // propagate to a RequestEntity when its url is assigned to
+  exists(MethodAccess m |
+    m.getMethod().getDeclaringType() instanceof SpringRequestEntity and
+    (
+      m.getMethod().hasName(["get", "post", "head", "delete", "options", "patch", "put"]) and
+      m.getArgument(0) = pred.asExpr() and
+      m = succ.asExpr()
+    )
+    or
+    m.getMethod().hasName("method") and
+    m.getArgument(1) = pred.asExpr() and
+    m = succ.asExpr()
+  )
+  or
+  // propagate from a `RequestEntity<>$BodyBuilder` to a `RequestEntity`
+  // when the builder is tainted
+  exists(MethodAccess m, RefType t |
+    m.getMethod().getDeclaringType() = t and
+    t.hasQualifiedName("org.springframework.http", "RequestEntity<>$BodyBuilder") and
+    m.getMethod().hasName("body") and
+    m.getQualifier() = pred.asExpr() and
+    m = succ.asExpr()
+  )
+}

java/ql/src/experimental/CWE-918/RequestForgeryCustomizations.qll

@@ -0,0 +1,137 @@
+/** A module to reason about request forgery vulnerabilities. */
+
+import java
+import semmle.code.java.frameworks.Networking
+import semmle.code.java.frameworks.javase.URI
+import semmle.code.java.frameworks.javase.URL
+import semmle.code.java.frameworks.JaxWS
+import semmle.code.java.frameworks.javase.Http
+import semmle.code.java.dataflow.DataFlow
+
+/** A module to reason about request forgery vulnerabilities. */
+module RequestForgery {
+  /** A data flow sink for request forgery vulnerabilities. */
+  abstract class Sink extends DataFlow::Node { }
+
+  /**
+   * An argument to an url `openConnection` or `openStream` call
+   *  taken as a sink for request forgery vulnerabilities.
+   */
+  private class UrlOpen extends Sink {
+    UrlOpen() {
+      exists(MethodAccess ma |
+        ma.getMethod() instanceof UrlOpenConnectionMethod or
+        ma.getMethod() instanceof UrlOpenStreamMethod
+      |
+        this.asExpr() = ma.getQualifier()
+      )
+    }
+  }
+
+  /**
+   * An argument to an Apache `setURI` call taken as a
+   *   sink for request forgery vulnerabilities.
+   */
+  private class ApacheSetUri extends Sink {
+    ApacheSetUri() {
+      exists(MethodAccess ma |
+        ma.getReceiverType() instanceof TypeApacheHttpRequest and
+        ma.getMethod().hasName("setURI")
+      |
+        this.asExpr() = ma.getArgument(0)
+      )
+    }
+  }
+
+  /**
+   * An argument to any Apache Request Instantiation call taken as a
+   *   sink for request forgery vulnerabilities.
+   */
+  private class ApacheHttpRequestInstantiation extends Sink {
+    ApacheHttpRequestInstantiation() {
+      exists(ClassInstanceExpr c | c.getConstructedType() instanceof TypeApacheHttpRequest |
+        this.asExpr() = c.getArgument(0)
+      )
+    }
+  }
+
+  /**
+   * An argument to a Apache RequestBuilder method call taken as a
+   *   sink for request forgery vulnerabilities.
+   */
+  private class ApacheHttpRequestBuilderArgument extends Sink {
+    ApacheHttpRequestBuilderArgument() {
+      exists(MethodAccess ma |
+        ma.getReceiverType() instanceof TypeApacheHttpRequestBuilder and
+        ma.getMethod().hasName(["setURI", "get", "post", "put", "optons", "head", "delete"])
+      |
+        this.asExpr() = ma.getArgument(0)
+      )
+    }
+  }
+
+  /**
+   * An argument to any Java.net.http.request Instantiation call taken as a
+   *   sink for request forgery vulnerabilities.
+   */
+  private class HttpRequestNewBuilder extends Sink {
+    HttpRequestNewBuilder() {
+      exists(MethodAccess call |
+        call.getCallee().hasName("newBuilder") and
+        call.getMethod().getDeclaringType().getName() = "HttpRequest"
+      |
+        this.asExpr() = call.getArgument(0)
+      )
+    }
+  }
+
+  /**
+   * An argument to an Http Builder `uri` call taken as a
+   *   sink for request forgery vulnerabilities.
+   */
+  private class HttpBuilderUriArgument extends Sink {
+    HttpBuilderUriArgument() {
+      exists(MethodAccess ma | ma.getMethod() instanceof HttpBuilderUri |
+        this.asExpr() = ma.getArgument(0)
+      )
+    }
+  }
+
+  /**
+   * An argument to a Spring Rest Template method call taken as a
+   *   sink for request forgery vulnerabilities.
+   */
+  private class SpringRestTemplateArgument extends Sink {
+    SpringRestTemplateArgument() {
+      exists(MethodAccess ma |
+        this.asExpr() = ma.getMethod().(SpringRestTemplateUrlMethods).getUrlArgument(ma)
+      )
+    }
+  }
+
+  /**
+   * An argument to `javax.ws.rs.Client`s `target` method call taken as a
+   *   sink for request forgery vulnerabilities.
+   */
+  private class JaxRsClientTarget extends Sink {
+    JaxRsClientTarget() {
+      exists(MethodAccess ma, JaxRsClient t |
+        // ma.getMethod().getDeclaringType().getQualifiedName() ="javax.ws.rs.client.Client" and
+        ma.getMethod().getDeclaringType() instanceof JaxRsClient and
+        ma.getMethod().hasName("target")
+      |
+        this.asExpr() = ma.getArgument(0)
+      )
+    }
+  }
+
+  /**
+   * A URI argument to `org.springframework.http.RequestEntity`s constructor call
+   *   taken as a sink for request forgery vulnerabilities.
+   */
+  private class RequestEntityUriArg extends Sink {
+    RequestEntityUriArg() {
+      exists(SpringRequestEntityInstanceExpr e | e.getUriArg() = this.asExpr())
+    }
+  }
+}

java/ql/src/experimental/Security/CWE/CWE-522/InsecureBasicAuth.ql

@@ -10,6 +10,7 @@
 
 import java
 import semmle.code.java.frameworks.Networking
+import semmle.code.java.frameworks.ApacheHttp
 import semmle.code.java.dataflow.TaintTracking
 import DataFlow::PathGraph
 
@@ -21,19 +22,6 @@ private string getPrivateHostRegex() {
     "(?i)localhost(?:[:/?#].*)?|127\\.0\\.0\\.1(?:[:/?#].*)?|10(?:\\.[0-9]+){3}(?:[:/?#].*)?|172\\.16(?:\\.[0-9]+){2}(?:[:/?#].*)?|192.168(?:\\.[0-9]+){2}(?:[:/?#].*)?|\\[?0:0:0:0:0:0:0:1\\]?(?:[:/?#].*)?|\\[?::1\\]?(?:[:/?#].*)?"
 }
 
-/**
- * The Java class `org.apache.http.client.methods.HttpRequestBase`. Popular subclasses include `HttpGet`, `HttpPost`, and `HttpPut`.
- * And the Java class `org.apache.http.message.BasicHttpRequest`.
- */
-class ApacheHttpRequest extends RefType {
-  ApacheHttpRequest() {
-    this
-        .getASourceSupertype*()
-        .hasQualifiedName("org.apache.http.client.methods", "HttpRequestBase") or
-    this.getASourceSupertype*().hasQualifiedName("org.apache.http.message", "BasicHttpRequest")
-  }
-}
-
 /**
  * Class of Java URL constructor.
  */
@@ -167,7 +155,7 @@ class HttpURLOpenMethod extends Method {
 /** Constructor of `ApacheHttpRequest` */
 predicate apacheHttpRequest(DataFlow::Node node1, DataFlow::Node node2) {
   exists(ConstructorCall cc |
-    cc.getConstructedType() instanceof ApacheHttpRequest and
+    cc.getConstructedType() instanceof TypeApacheHttpRequestBase and
     node2.asExpr() = cc and
     cc.getAnArgument() = node1.asExpr()
   )

java/ql/src/semmle/code/java/frameworks/ApacheHttp.qll

@@ -13,3 +13,32 @@ class ApacheHttpEntityGetContent extends Method {
     this.getName() = "getContent"
   }
 }
+
+/**
+ *  A class derived from the `HttpRequestBase` or the `BasicHttpRequest`
+ *  class of the Apache Http Client `org.apache.http` library
+ */
+class TypeApacheHttpRequestBase extends RefType {
+  TypeApacheHttpRequestBase() {
+    this
+        .getASourceSupertype*()
+        .hasQualifiedName("org.apache.http.client.methods", "HttpRequestBase") or
+    this.getASourceSupertype*().hasQualifiedName("org.apache.http.message", "BasicHttpRequest")
+  }
+}
+
+/*
+ * Any class which can be used to make an HTTP request using the Apache Http Client library
+ * Examples include `HttpGet`,`HttpPost` etc.
+ */
+
+class TypeApacheHttpRequest extends Class {
+  TypeApacheHttpRequest() { exists(TypeApacheHttpRequestBase t | this.extendsOrImplements(t)) }
+}
+
+/* A class representing the `RequestBuilder` class of the Apache Http Client library */
+class TypeApacheHttpRequestBuilder extends Class {
+  TypeApacheHttpRequestBuilder() {
+    hasQualifiedName("org.apache.http.client.methods", "RequestBuilder")
+  }
+}

java/ql/src/semmle/code/java/frameworks/JaxWS.qll

@@ -170,6 +170,13 @@ class JaxRsResponseBuilder extends Class {
   JaxRsResponseBuilder() { this.hasQualifiedName("javax.ws.rs.core", "ResponseBuilder") }
 }
 
+/**
+ * The class `javax.ws.rs.client.Client`
+ */
+class JaxRsClient extends RefType {
+  JaxRsClient() { this.hasQualifiedName("javax.ws.rs.client", "Client") }
+}
+
 /**
  * A constructor that may be called by a JaxRS container to construct an instance to inject into a
  * resource method or resource class constructor.

java/ql/src/semmle/code/java/frameworks/javase/Http.qll

@@ -0,0 +1,20 @@
+import java
+import semmle.code.java.dataflow.FlowSources
+
+/** A class representing `HttpRequest.Builder`. */
+class TypeHttpRequestBuilder extends Interface {
+  TypeHttpRequestBuilder() { hasQualifiedName("java.net.http", "HttpRequest$Builder") }
+}
+
+/** A class representing `java.net.http.HttpRequest`. */
+class TypeHttpRequest extends Interface {
+  TypeHttpRequest() { hasQualifiedName("java.net.http", "HttpRequest") }
+}
+
+/** A class representing `java.net.http.HttpRequest$Builder`'s `uri` method. */
+class HttpBuilderUri extends Method {
+  HttpBuilderUri() {
+    this.getDeclaringType() instanceof TypeHttpRequestBuilder and
+    this.getName() = "uri"
+  }
+}

java/ql/src/semmle/code/java/frameworks/javase/URI.qll

@@ -0,0 +1,43 @@
+import java
+import semmle.code.java.dataflow.FlowSources
+
+/** Any expresion or call which returns a new URI.*/
+abstract class UriCreation extends Top {
+  /**
+   * Returns the host of the newly created URI.
+   *  In the case where the host is specified separately, this returns only the host.
+   *  In the case where the uri is parsed from an input string,
+   *  such as in `URI(`http://foo.com/mypath')`,
+   *  this returns the entire argument passed i.e. `http://foo.com/mypath'.
+   */
+
+  abstract Expr hostArg();
+}
+
+/** An URI constructor expression */
+class UriConstructor extends ClassInstanceExpr, UriCreation {
+  UriConstructor() { this.getConstructor().getDeclaringType().getQualifiedName() = "java.net.URI" }
+
+  override Expr hostArg() {
+    // URI​(String str)
+    result = this.getArgument(0) and this.getNumArgument() = 1
+    or
+    // URI(String scheme, String ssp, String fragment)
+    // URI​(String scheme, String host, String path, String fragment)
+    // URI​(String scheme, String authority, String path, String query, String fragment)
+    result = this.getArgument(1) and this.getNumArgument() = [3, 4, 5]
+    or
+    // URI​(String scheme, String userInfo, String host, int port, String path, String query,
+    //    String fragment)
+    result = this.getArgument(2) and this.getNumArgument() = 7
+  }
+}
+
+class UriCreate extends Call, UriCreation {
+  UriCreate() {
+    this.getCallee().getName() = "create" and
+    this.getCallee().getDeclaringType() instanceof TypeUri
+  }
+
+  override Expr hostArg() { result = this.getArgument(0) }
+}

java/ql/src/semmle/code/java/frameworks/javase/URL.qll

@@ -0,0 +1,47 @@
+import java
+import semmle.code.java.dataflow.FlowSources
+
+/* Am URL constructor expression */
+class UrlConstructor extends ClassInstanceExpr {
+  UrlConstructor() { this.getConstructor().getDeclaringType().getQualifiedName() = "java.net.URL" }
+
+  Expr hostArg() {
+    // URL(String spec)
+    this.getNumArgument() = 1 and result = this.getArgument(0)
+    or
+    // URL(String protocol, String host, int port, String file)
+    // URL(String protocol, String host, int port, String file, URLStreamHandler handler)
+    this.getNumArgument() = [4,5] and result = this.getArgument(1)
+    or
+    // URL(String protocol, String host, String file)
+    // but not
+    // URL(URL context, String spec, URLStreamHandler handler)
+    (
+      this.getNumArgument() = 3 and
+      this.getConstructor().getParameter(2).getType() instanceof TypeString
+    ) and
+    result = this.getArgument(1)
+  }
+
+  Expr protocolArg() {
+    // In all cases except where the first parameter is a URL, the argument
+    // containing the protocol is the first one, otherwise it is the second.
+    if this.getConstructor().getParameter(0).getType().getName() = "URL"
+    then result = this.getArgument(1)
+    else result = this.getArgument(0)
+  }
+}
+
+class UrlOpenStreamMethod extends Method {
+  UrlOpenStreamMethod() {
+    this.getDeclaringType() instanceof TypeUrl and
+    this.getName() = "openStream"
+  }
+}
+
+class UrlOpenConnectionMethod extends Method {
+  UrlOpenConnectionMethod() {
+    this.getDeclaringType() instanceof TypeUrl and
+    this.getName() = "openConnection"
+  }
+}

java/ql/src/semmle/code/java/frameworks/spring/SpringHttp.qll

@@ -4,6 +4,7 @@
  */
 
 import java
+import semmle.code.java.frameworks.Networking
 
 /** The class `org.springframework.http.HttpEntity` or an instantiation of it. */
 class SpringHttpEntity extends Class {
@@ -38,3 +39,17 @@ class SpringResponseEntityBodyBuilder extends Interface {
 class SpringHttpHeaders extends Class {
   SpringHttpHeaders() { this.hasQualifiedName("org.springframework.http", "HttpHeaders") }
 }
+
+/** Models `org.springframework.http.RequestEntity`s instantiation expressions. */
+class SpringRequestEntityInstanceExpr extends ClassInstanceExpr {
+  int numArgs;
+
+  SpringRequestEntityInstanceExpr() {
+    this.getConstructedType() instanceof SpringRequestEntity and
+    numArgs = this.getNumArgument()
+  }
+
+  Argument getUriArg() {
+    exists(Argument a | this.getAnArgument() = a and a.getType() instanceof TypeUri | result = a)
+  }
+}

java/ql/src/semmle/code/java/frameworks/spring/SpringWebClient.qll

@@ -27,3 +27,116 @@ class SpringWebClient extends Interface {
     this.hasQualifiedName("org.springframework.web.reactive.function.client", "WebClient")
   }
 }
+
+/**
+ * An abstract class representing all Spring Rest Template methods
+ * which take an URL as an argument.
+ */
+abstract class SpringRestTemplateUrlMethods extends Method {
+  /** Gets the argument which corresponds to a URL */
+  abstract Argument getUrlArgument(MethodAccess ma);
+}
+
+/** Models `RestTemplate` class's `doExecute` method */
+class RestTemplateDoExecute extends SpringRestTemplateUrlMethods {
+  RestTemplateDoExecute() {
+    this.getDeclaringType() instanceof SpringRestTemplate and
+    this.hasName("doExecute")
+  }
+
+  override Argument getUrlArgument(MethodAccess ma) {
+    // doExecute(URI url, HttpMethod method, RequestCallback requestCallback,
+    //  ResponseExtractor<T> responseExtractor)
+    result = ma.getArgument(0)
+  }
+}
+
+/** Models `RestTemplate` class's `exchange` method */
+class RestTemplateExchange extends SpringRestTemplateUrlMethods {
+  RestTemplateExchange() {
+    this.getDeclaringType() instanceof SpringRestTemplate and
+    this.hasName("exchange")
+  }
+
+  override Argument getUrlArgument(MethodAccess ma) { result = ma.getArgument(0) }
+}
+
+/** Models `RestTemplate` class's `execute` method */
+class RestTemplateExecute extends SpringRestTemplateUrlMethods {
+  RestTemplateExecute() {
+    this.getDeclaringType() instanceof SpringRestTemplate and
+    this.hasName("execute")
+  }
+
+  override Argument getUrlArgument(MethodAccess ma) { result = ma.getArgument(0) }
+}
+
+/** Models `RestTemplate` class's `getForEntity` method */
+class RestTemplateGetForEntity extends SpringRestTemplateUrlMethods {
+  RestTemplateGetForEntity() {
+    this.getDeclaringType() instanceof SpringRestTemplate and
+    this.hasName("getForEntity")
+  }
+
+  override Argument getUrlArgument(MethodAccess ma) { result = ma.getArgument(0) }
+}
+
+/** Models `RestTemplate` class's `getForObject` method */
+class RestTemplateGetForObject extends SpringRestTemplateUrlMethods {
+  RestTemplateGetForObject() {
+    this.getDeclaringType() instanceof SpringRestTemplate and
+    this.hasName("getForObject")
+  }
+
+  override Argument getUrlArgument(MethodAccess ma) { result = ma.getArgument(0) }
+}
+
+/** Models `RestTemplate` class's `patchForObject` method */
+class RestTemplatePatchForObject extends SpringRestTemplateUrlMethods {
+  RestTemplatePatchForObject() {
+    this.getDeclaringType() instanceof SpringRestTemplate and
+    this.hasName("patchForObject")
+  }
+
+  override Argument getUrlArgument(MethodAccess ma) { result = ma.getArgument(0) }
+}
+
+/** Models `RestTemplate` class's `postForEntity` method */
+class RestTemplatePostForEntity extends SpringRestTemplateUrlMethods {
+  RestTemplatePostForEntity() {
+    this.getDeclaringType() instanceof SpringRestTemplate and
+    this.hasName("postForEntity")
+  }
+
+  override Argument getUrlArgument(MethodAccess ma) { result = ma.getArgument(0) }
+}
+
+/** Models `RestTemplate` class's `postForLocation` method */
+class RestTemplatePostForLocation extends SpringRestTemplateUrlMethods {
+  RestTemplatePostForLocation() {
+    this.getDeclaringType() instanceof SpringRestTemplate and
+    this.hasName("postForLocation")
+  }
+
+  override Argument getUrlArgument(MethodAccess ma) { result = ma.getArgument(0) }
+}
+
+/** Models `RestTemplate` class's `postForObject` method */
+class RestTemplatePostForObject extends SpringRestTemplateUrlMethods {
+  RestTemplatePostForObject() {
+    this.getDeclaringType() instanceof SpringRestTemplate and
+    this.hasName("postForObject")
+  }
+
+  override Argument getUrlArgument(MethodAccess ma) { result = ma.getArgument(0) }
+}
+
+/** Models `RestTemplate` class's `put` method */
+class RestTemplatePut extends SpringRestTemplateUrlMethods {
+  RestTemplatePut() {
+    this.getDeclaringType() instanceof SpringRestTemplate and
+    this.hasName("put")
+  }
+
+  override Argument getUrlArgument(MethodAccess ma) { result = ma.getArgument(0) }
+}

java/ql/test/experimental/query-tests/security/CWE-918/JaxWsSSRF.java

@@ -0,0 +1,11 @@
+import javax.ws.rs.client.*;
+
+public class JaxWsSSRF {
+    public static void main(String[] args) {
+        Client client = ClientBuilder.newClient();
+        String url = args[1];
+        client.target(url);
+    }
+}
+
+

java/ql/test/experimental/query-tests/security/CWE-918/RequestForgery.expected

@@ -0,0 +1,64 @@
+edges
+| JaxWsSSRF.java:4:29:4:41 | args : String[] | JaxWsSSRF.java:7:23:7:25 | url |
+| RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:55:32:55:35 | url1 |
+| RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:58:32:58:35 | url1 |
+| RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:59:30:59:33 | url1 |
+| RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:63:65:63:68 | uri2 |
+| RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:64:59:64:61 | uri |
+| RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:67:43:67:45 | uri |
+| RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:69:29:69:32 | uri2 |
+| RequestForgery.java:19:31:19:57 | getParameter(...) : String | RequestForgery.java:22:52:22:54 | uri |
+| RequestForgery.java:19:31:19:57 | getParameter(...) : String | RequestForgery.java:27:57:27:59 | uri |
+| SpringSSRF.java:11:29:11:41 | args : String[] | SpringSSRF.java:17:73:17:93 | ... + ... |
+| SpringSSRF.java:11:29:11:41 | args : String[] | SpringSSRF.java:21:69:21:82 | fooResourceUrl |
+| SpringSSRF.java:11:29:11:41 | args : String[] | SpringSSRF.java:25:68:25:81 | fooResourceUrl |
+| SpringSSRF.java:11:29:11:41 | args : String[] | SpringSSRF.java:28:73:28:86 | fooResourceUrl |
+| SpringSSRF.java:11:29:11:41 | args : String[] | SpringSSRF.java:36:59:36:72 | fooResourceUrl |
+| SpringSSRF.java:11:29:11:41 | args : String[] | SpringSSRF.java:39:74:39:96 | new URI(...) |
+| SpringSSRF.java:11:29:11:41 | args : String[] | SpringSSRF.java:43:57:43:70 | fooResourceUrl |
+| SpringSSRF.java:11:29:11:41 | args : String[] | SpringSSRF.java:46:58:46:71 | fooResourceUrl |
+| SpringSSRF.java:11:29:11:41 | args : String[] | SpringSSRF.java:49:30:49:43 | fooResourceUrl |
+nodes
+| JaxWsSSRF.java:4:29:4:41 | args : String[] | semmle.label | args : String[] |
+| JaxWsSSRF.java:7:23:7:25 | url | semmle.label | url |
+| RequestForgery2.java:23:27:23:53 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| RequestForgery2.java:55:32:55:35 | url1 | semmle.label | url1 |
+| RequestForgery2.java:58:32:58:35 | url1 | semmle.label | url1 |
+| RequestForgery2.java:59:30:59:33 | url1 | semmle.label | url1 |
+| RequestForgery2.java:63:65:63:68 | uri2 | semmle.label | uri2 |
+| RequestForgery2.java:64:59:64:61 | uri | semmle.label | uri |
+| RequestForgery2.java:67:43:67:45 | uri | semmle.label | uri |
+| RequestForgery2.java:69:29:69:32 | uri2 | semmle.label | uri2 |
+| RequestForgery.java:19:31:19:57 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| RequestForgery.java:22:52:22:54 | uri | semmle.label | uri |
+| RequestForgery.java:27:57:27:59 | uri | semmle.label | uri |
+| SpringSSRF.java:11:29:11:41 | args : String[] | semmle.label | args : String[] |
+| SpringSSRF.java:17:73:17:93 | ... + ... | semmle.label | ... + ... |
+| SpringSSRF.java:21:69:21:82 | fooResourceUrl | semmle.label | fooResourceUrl |
+| SpringSSRF.java:25:68:25:81 | fooResourceUrl | semmle.label | fooResourceUrl |
+| SpringSSRF.java:28:73:28:86 | fooResourceUrl | semmle.label | fooResourceUrl |
+| SpringSSRF.java:36:59:36:72 | fooResourceUrl | semmle.label | fooResourceUrl |
+| SpringSSRF.java:39:74:39:96 | new URI(...) | semmle.label | new URI(...) |
+| SpringSSRF.java:43:57:43:70 | fooResourceUrl | semmle.label | fooResourceUrl |
+| SpringSSRF.java:46:58:46:71 | fooResourceUrl | semmle.label | fooResourceUrl |
+| SpringSSRF.java:49:30:49:43 | fooResourceUrl | semmle.label | fooResourceUrl |
+#select
+| JaxWsSSRF.java:7:23:7:25 | url | JaxWsSSRF.java:4:29:4:41 | args : String[] | JaxWsSSRF.java:7:23:7:25 | url | Potential server side request forgery due to $@. | JaxWsSSRF.java:4:29:4:41 | args | a user-provided value |
+| RequestForgery2.java:55:32:55:35 | url1 | RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:55:32:55:35 | url1 | Potential server side request forgery due to $@. | RequestForgery2.java:23:27:23:53 | getParameter(...) | a user-provided value |
+| RequestForgery2.java:58:32:58:35 | url1 | RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:58:32:58:35 | url1 | Potential server side request forgery due to $@. | RequestForgery2.java:23:27:23:53 | getParameter(...) | a user-provided value |
+| RequestForgery2.java:59:30:59:33 | url1 | RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:59:30:59:33 | url1 | Potential server side request forgery due to $@. | RequestForgery2.java:23:27:23:53 | getParameter(...) | a user-provided value |
+| RequestForgery2.java:63:65:63:68 | uri2 | RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:63:65:63:68 | uri2 | Potential server side request forgery due to $@. | RequestForgery2.java:23:27:23:53 | getParameter(...) | a user-provided value |
+| RequestForgery2.java:64:59:64:61 | uri | RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:64:59:64:61 | uri | Potential server side request forgery due to $@. | RequestForgery2.java:23:27:23:53 | getParameter(...) | a user-provided value |
+| RequestForgery2.java:67:43:67:45 | uri | RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:67:43:67:45 | uri | Potential server side request forgery due to $@. | RequestForgery2.java:23:27:23:53 | getParameter(...) | a user-provided value |
+| RequestForgery2.java:69:29:69:32 | uri2 | RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:69:29:69:32 | uri2 | Potential server side request forgery due to $@. | RequestForgery2.java:23:27:23:53 | getParameter(...) | a user-provided value |
+| RequestForgery.java:22:52:22:54 | uri | RequestForgery.java:19:31:19:57 | getParameter(...) : String | RequestForgery.java:22:52:22:54 | uri | Potential server side request forgery due to $@. | RequestForgery.java:19:31:19:57 | getParameter(...) | a user-provided value |
+| RequestForgery.java:27:57:27:59 | uri | RequestForgery.java:19:31:19:57 | getParameter(...) : String | RequestForgery.java:27:57:27:59 | uri | Potential server side request forgery due to $@. | RequestForgery.java:19:31:19:57 | getParameter(...) | a user-provided value |
+| SpringSSRF.java:17:73:17:93 | ... + ... | SpringSSRF.java:11:29:11:41 | args : String[] | SpringSSRF.java:17:73:17:93 | ... + ... | Potential server side request forgery due to $@. | SpringSSRF.java:11:29:11:41 | args | a user-provided value |
+| SpringSSRF.java:21:69:21:82 | fooResourceUrl | SpringSSRF.java:11:29:11:41 | args : String[] | SpringSSRF.java:21:69:21:82 | fooResourceUrl | Potential server side request forgery due to $@. | SpringSSRF.java:11:29:11:41 | args | a user-provided value |
+| SpringSSRF.java:25:68:25:81 | fooResourceUrl | SpringSSRF.java:11:29:11:41 | args : String[] | SpringSSRF.java:25:68:25:81 | fooResourceUrl | Potential server side request forgery due to $@. | SpringSSRF.java:11:29:11:41 | args | a user-provided value |
+| SpringSSRF.java:28:73:28:86 | fooResourceUrl | SpringSSRF.java:11:29:11:41 | args : String[] | SpringSSRF.java:28:73:28:86 | fooResourceUrl | Potential server side request forgery due to $@. | SpringSSRF.java:11:29:11:41 | args | a user-provided value |
+| SpringSSRF.java:36:59:36:72 | fooResourceUrl | SpringSSRF.java:11:29:11:41 | args : String[] | SpringSSRF.java:36:59:36:72 | fooResourceUrl | Potential server side request forgery due to $@. | SpringSSRF.java:11:29:11:41 | args | a user-provided value |
+| SpringSSRF.java:39:74:39:96 | new URI(...) | SpringSSRF.java:11:29:11:41 | args : String[] | SpringSSRF.java:39:74:39:96 | new URI(...) | Potential server side request forgery due to $@. | SpringSSRF.java:11:29:11:41 | args | a user-provided value |
+| SpringSSRF.java:43:57:43:70 | fooResourceUrl | SpringSSRF.java:11:29:11:41 | args : String[] | SpringSSRF.java:43:57:43:70 | fooResourceUrl | Potential server side request forgery due to $@. | SpringSSRF.java:11:29:11:41 | args | a user-provided value |
+| SpringSSRF.java:46:58:46:71 | fooResourceUrl | SpringSSRF.java:11:29:11:41 | args : String[] | SpringSSRF.java:46:58:46:71 | fooResourceUrl | Potential server side request forgery due to $@. | SpringSSRF.java:11:29:11:41 | args | a user-provided value |
+| SpringSSRF.java:49:30:49:43 | fooResourceUrl | SpringSSRF.java:11:29:11:41 | args : String[] | SpringSSRF.java:49:30:49:43 | fooResourceUrl | Potential server side request forgery due to $@. | SpringSSRF.java:11:29:11:41 | args | a user-provided value |

java/ql/test/experimental/query-tests/security/CWE-918/RequestForgery.java

@@ -0,0 +1,34 @@
+import java.io.IOException;
+import java.net.URI;
+import java.net.http.HttpClient;
+import java.net.http.HttpRequest;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+public class RequestForgery extends HttpServlet {
+    private static final String VALID_URI = "http://lgtm.com";
+    private HttpClient client = HttpClient.newHttpClient();
+
+    protected void doGet(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        try {
+
+            URI uri = new URI(request.getParameter("uri"));
+            // BAD: a request parameter is incorporated without validation into a Http
+            // request
+            HttpRequest r = HttpRequest.newBuilder(uri).build();
+            client.send(r, null);
+
+            // GOOD: the request parameter is validated against a known fixed string
+            if (VALID_URI.equals(request.getParameter("uri"))) {
+                HttpRequest r2 = HttpRequest.newBuilder(uri).build();
+                client.send(r2, null);
+            }
+        } catch (Exception e) {
+            // TODO: handle exception
+        }
+    }
+}

java/ql/test/experimental/query-tests/security/CWE-918/RequestForgery.qlref

@@ -0,0 +1 @@
+experimental/CWE-918/RequestForgery.ql

java/ql/test/experimental/query-tests/security/CWE-918/RequestForgery2.java

@@ -0,0 +1,84 @@
+import java.io.IOException;
+import java.net.URI;
+import java.net.*;
+import java.net.http.HttpClient;
+import java.net.http.HttpRequest;
+import java.net.Proxy.Type;
+import java.io.InputStream;
+
+import org.apache.http.client.methods.HttpGet;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+public class RequestForgery2 extends HttpServlet {
+    private static final String VALID_URI = "http://lgtm.com";
+    private HttpClient client = HttpClient.newHttpClient();
+
+    protected void doGet(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        try {
+
+            String sink = request.getParameter("uri");
+            // URI(String str)
+            URI uri = new URI(sink);
+
+            // URI(String scheme, String ssp, String fragment)
+            URI uri2 = new URI("http", sink, "fragement");
+
+            // URI(String scheme, String userInfo, String host, int port, String path,
+            // String query, String fragment)
+            URI uri3 = new URI("http", "userinfo", "host", 1, "path", "query", "fragment");
+            // URI(String scheme, String host, String path, String fragment)
+            URI uri4 = new URI("http", "host", "path", "fragment");
+            // URI(String scheme, String authority, String path, String query, String
+            // fragment)
+            URI uri5 = new URI("http", "authority", "path", "query", "fragment");
+            URI uri6 = URI.create("http://foo.com/");
+
+            // URL(String spec)
+            URL url1 = new URL(sink);
+            // URL(String protocol, String host, int port, String file)
+            URL url2 = new URL("http", "host", 1, "file");
+            // URL(String protocol, String host, String file)
+            URL url3 = new URL("http", "host", "file");
+            // URL(URL context, String spec)
+            URL url4 = new URL(url3, "http");
+            // URL(String protocol, String host, int port, String file, URLStreamHandler
+            // handler)
+            URL url5 = new URL("http", "host", 1, "file", new Helper2());
+
+            // URL(URL context, String spec, URLStreamHandler handler)
+            URL url6 = new URL(url3, "spec", new Helper2());
+
+            URLConnection c1 = url1.openConnection();
+            SocketAddress sa = new SocketAddress() {
+            };
+            URLConnection c2 = url1.openConnection(new Proxy(Type.HTTP, sa));
+            InputStream c3 = url1.openStream();
+
+            // java.net.http
+            HttpClient client = HttpClient.newHttpClient();
+            HttpRequest request2 = HttpRequest.newBuilder().uri(uri2).build();
+            HttpRequest request3 = HttpRequest.newBuilder(uri).build();
+
+            // Apache HTTPlib
+            HttpGet httpGet = new HttpGet(uri);
+            HttpGet httpGet2 = new HttpGet();
+            httpGet2.setURI(uri2);
+        } catch (Exception e) {
+            // TODO: handle exception
+        }
+    }
+}
+
+
+class Helper2 extends URLStreamHandler {
+    Helper2() {
+    }
+
+    protected URLConnection openConnection(URL u) throws IOException {
+        return null;
+    }
+}

java/ql/test/experimental/query-tests/security/CWE-918/Sinks.java

@@ -0,0 +1,72 @@
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.Proxy;
+import java.net.SocketAddress;
+import java.net.URI;
+import java.net.URL;
+import java.net.URLConnection;
+import java.net.URLStreamHandler;
+import java.net.Proxy.Type;
+import org.apache.http.client.methods.HttpGet;
+// import java.net.http.HttpClient;
+// import java.net.http.HttpRequest;
+
+public class Sinks {
+    public static void main(String[] args) throws Exception {
+        // URI(String str)
+        URI uri = new URI("uri1");
+
+        // URI(String scheme, String ssp, String fragment)
+        URI uri2 = new URI("http", "ssp", "fragement");
+
+        // URI(String scheme, String userInfo, String host, int port, String path,
+        // String query, String fragment)
+        URI uri3 = new URI("http", "userinfo", "host", 1, "path", "query", "fragment");
+        // URI(String scheme, String host, String path, String fragment)
+        URI uri4 = new URI("http", "host", "path", "fragment");
+        // URI(String scheme, String authority, String path, String query, String
+        // fragment)
+        URI uri5 = new URI("http", "authority", "path", "query", "fragment");
+        URI uri6 = URI.create("http://foo.com/");
+
+        // URL(String spec)
+        URL url1 = new URL("spec");
+        // URL(String protocol, String host, int port, String file)
+        URL url2 = new URL("http", "host", 1, "file");
+        // URL(String protocol, String host, String file)
+        URL url3 = new URL("http", "host", "file");
+        // URL(URL context, String spec)
+        URL url4 = new URL(url3, "http");
+        // URL(String protocol, String host, int port, String file, URLStreamHandler
+        // handler)
+        URL url5 = new URL("http", "host", 1, "file", new Helper());
+
+        // URL(URL context, String spec, URLStreamHandler handler)
+        URL url6 = new URL(url3, "spec", new Helper());
+
+        URLConnection c1 = url1.openConnection();
+        SocketAddress sa = new SocketAddress() {
+        };
+        URLConnection c2 = url1.openConnection(new Proxy(Type.HTTP, sa));
+        InputStream c3 = url1.openStream();
+
+        // java.net.http
+        // HttpClient client = HttpClient.newHttpClient();
+        // HttpRequest request2 = HttpRequest.newBuilder().uri(uri2).build();
+        // HttpRequest request3 = HttpRequest.newBuilder(uri).build();
+
+        // Apache HTTPlib
+        HttpGet httpGet = new HttpGet(uri);
+        HttpGet httpGet2 = new HttpGet();
+        httpGet2.setURI(uri2);
+
+    }
+
+}
+
+class Helper extends URLStreamHandler {
+    @Override
+    protected URLConnection openConnection(URL arg0) throws IOException {
+        return null;
+    }
+}

java/ql/test/experimental/query-tests/security/CWE-918/SpringSSRF.java

@@ -0,0 +1,52 @@
+import org.springframework.web.client.RestTemplate;
+import org.springframework.http.RequestEntity;
+import org.springframework.http.ResponseEntity;
+import org.springframework.http.HttpEntity;
+import org.springframework.http.HttpStatus;
+import java.net.URI;
+import org.springframework.http.HttpMethod;
+
+public class SpringSSRF {
+
+    public static void main(String[] args) throws Exception {
+        RestTemplate restTemplate = new RestTemplate();
+        String fooResourceUrl = args[1];
+        HttpEntity<String> request = new HttpEntity<>(new String("bar"));
+
+        {
+            ResponseEntity<String> response = restTemplate.getForEntity(fooResourceUrl + "/1", String.class);
+        }
+
+        {
+            ResponseEntity<String> response = restTemplate.exchange(fooResourceUrl, HttpMethod.POST, request,
+                    String.class);
+        }
+        {
+            ResponseEntity<String> response = restTemplate.execute(fooResourceUrl, HttpMethod.POST, null, null, "test");
+        }
+        {
+            ResponseEntity<String> response = restTemplate.getForEntity(fooResourceUrl, String.class, "test");
+        }
+        {
+            String body = new String("body");
+            RequestEntity<String> requestEntity = RequestEntity.post(new URI(fooResourceUrl)).body(body);
+            ResponseEntity<String> response = restTemplate.exchange(requestEntity, String.class);
+        }
+        {
+            String response = restTemplate.patchForObject(fooResourceUrl, new String("object"), String.class, "hi");
+        }
+        {
+            ResponseEntity<String> response = restTemplate.postForEntity(new URI(fooResourceUrl), new String("object"),
+                    String.class);
+        }
+        {
+            URI response = restTemplate.postForLocation(fooResourceUrl, new String("object"));
+        }
+        {
+            String response = restTemplate.postForObject(fooResourceUrl, new String("object"), String.class);
+        }
+        {
+            restTemplate.put(fooResourceUrl, new String("object"));
+        }
+    }
+}

java/ql/test/experimental/query-tests/security/CWE-918/options

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -source 11 -target 11 -cp ${testdir}/../../../../stubs/springframework-5.2.3:${testdir}/../../../stubs/javax-ws-rs-api-2.1.1:${testdir}/../../../stubs/apache-httpclient-4.5.12/:${testdir}/../../../../stubs/servlet-api-2.4/

java/ql/test/experimental/stubs/apache-httpclient-4.5.12/org/apache/http/client/methods/HttpGet.java

@@ -0,0 +1,19 @@
+package org.apache.http.client.methods;
+
+public class HttpGet extends org.apache.http.client.methods.HttpRequestBase {
+
+  public static final java.lang.String METHOD_NAME = "GET";
+
+  public HttpGet() {
+  }
+
+  public HttpGet(java.net.URI uri) {
+  }
+
+  public HttpGet(java.lang.String uri) {
+  }
+
+  public java.lang.String getMethod() {
+    return null;
+  }
+}

java/ql/test/experimental/stubs/apache-httpclient-4.5.12/org/apache/http/client/methods/HttpRequestBase.java

@@ -0,0 +1,17 @@
+package org.apache.http.client.methods;
+
+public abstract class HttpRequestBase {
+
+    private java.net.URI uri;
+
+    public HttpRequestBase() {
+    }
+
+    public java.net.URI getURI() {
+        return null;
+    }
+
+    public void setURI(java.net.URI uri) {
+    }
+
+}

java/ql/test/experimental/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/client/Client.java

@@ -0,0 +1,12 @@
+package javax.ws.rs.client;
+
+public abstract interface Client extends javax.ws.rs.core.Configurable {
+
+    public abstract javax.ws.rs.client.WebTarget target(java.lang.String arg0);
+
+    public abstract javax.ws.rs.client.WebTarget target(java.net.URI arg0);
+
+    public abstract javax.ws.rs.client.WebTarget target(javax.ws.rs.core.UriBuilder arg0);
+
+    public abstract javax.ws.rs.client.WebTarget target(javax.ws.rs.core.Link arg0);
+}

java/ql/test/experimental/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/client/ClientBuilder.java

@@ -0,0 +1,19 @@
+package javax.ws.rs.client;
+
+public abstract class ClientBuilder implements javax.ws.rs.core.Configurable {
+
+    protected ClientBuilder() {
+    }
+
+    public static javax.ws.rs.client.ClientBuilder newBuilder() {
+        return null;
+    }
+
+    public static javax.ws.rs.client.Client newClient() {
+        return null;
+    }
+
+    public static javax.ws.rs.client.Client newClient(javax.ws.rs.core.Configuration configuration) {
+        return null;
+    }
+}

java/ql/test/experimental/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/client/WebTarget.java

@@ -0,0 +1,4 @@
+package javax.ws.rs.client;
+
+public abstract interface WebTarget extends javax.ws.rs.core.Configurable {
+}

java/ql/test/experimental/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Configurable.java

@@ -0,0 +1,6 @@
+package javax.ws.rs.core;
+
+public abstract interface Configurable<C extends javax.ws.rs.core.Configurable> {
+
+    public abstract javax.ws.rs.core.Configuration getConfiguration();
+}

java/ql/test/experimental/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Configuration.java

@@ -0,0 +1,3 @@
+package javax.ws.rs.core;
+
+public abstract interface Configuration {}

java/ql/test/experimental/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Link.java

@@ -0,0 +1,61 @@
+package javax.ws.rs.core;
+
+public abstract class Link {
+
+    public static final java.lang.String TITLE = "title";
+
+    public static final java.lang.String REL = "rel";
+
+    public static final java.lang.String TYPE = "type";
+
+    public Link() {
+    }
+
+    public abstract java.net.URI getUri();
+
+    public abstract javax.ws.rs.core.UriBuilder getUriBuilder();
+
+    public abstract java.lang.String getRel();
+
+    public abstract java.util.List<java.lang.String> getRels();
+
+    public abstract java.lang.String getTitle();
+
+    public abstract java.lang.String getType();
+
+    public abstract java.util.Map<java.lang.String, java.lang.String> getParams();
+
+    public abstract java.lang.String toString();
+
+    public static javax.ws.rs.core.Link valueOf(java.lang.String value) {
+        return null;
+    }
+
+    // public static javax.ws.rs.core.Link.Builder fromUri(java.net.URI uri) {
+    //     return null;
+    // }
+
+    // public static javax.ws.rs.core.Link.Builder fromUri(java.lang.String uri) {
+    //     return null;
+    // }
+
+    // public static javax.ws.rs.core.Link.Builder fromUriBuilder(javax.ws.rs.core.UriBuilder uriBuilder) {
+    //     return null;
+    // }
+
+    // public static javax.ws.rs.core.Link.Builder fromLink(javax.ws.rs.core.Link link) {
+    //     return null;
+    // }
+
+    // public static javax.ws.rs.core.Link.Builder fromPath(java.lang.String path) {
+    //     return null;
+    // }
+
+    // public static javax.ws.rs.core.Link.Builder fromResource(java.lang.Class<?> resource) {
+    //     return null;
+    // }
+
+    // public static javax.ws.rs.core.Link.Builder fromMethod(java.lang.Class<?> resource, java.lang.String method) {
+    //     return null;
+    // }
+}

java/ql/test/experimental/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/UriBuilder.java

@@ -0,0 +1,62 @@
+// Failed to get sources. Instead, stub sources have been generated by the disassembler.
+// Implementation of methods is unavailable.
+package javax.ws.rs.core;
+
+public abstract class UriBuilder {
+
+    protected UriBuilder() {
+    }
+
+    protected static javax.ws.rs.core.UriBuilder newInstance() {
+        return null;
+    }
+
+    public static javax.ws.rs.core.UriBuilder fromUri(java.net.URI uri) {
+        return null;
+    }
+
+    public static javax.ws.rs.core.UriBuilder fromUri(java.lang.String uriTemplate) {
+        return null;
+    }
+
+    public static javax.ws.rs.core.UriBuilder fromLink(javax.ws.rs.core.Link link) {
+        return null;
+    }
+
+    public static javax.ws.rs.core.UriBuilder fromPath(java.lang.String path)
+            throws java.lang.IllegalArgumentException {
+        return null;
+    }
+
+    public static javax.ws.rs.core.UriBuilder fromResource(java.lang.Class<?> resource) {
+        return null;
+    }
+
+    public static javax.ws.rs.core.UriBuilder fromMethod(java.lang.Class<?> resource, java.lang.String method) {
+        return null;
+    }
+
+    public abstract javax.ws.rs.core.UriBuilder clone();
+
+    public abstract javax.ws.rs.core.UriBuilder uri(java.net.URI arg0);
+
+    public abstract javax.ws.rs.core.UriBuilder uri(java.lang.String arg0);
+
+    public abstract java.net.URI buildFromMap(java.util.Map<java.lang.String, ?> arg0);
+
+    public abstract java.net.URI buildFromMap(java.util.Map<java.lang.String, ?> arg0, boolean arg1)
+            throws java.lang.IllegalArgumentException, javax.ws.rs.core.UriBuilderException;
+
+    public abstract java.net.URI buildFromEncodedMap(java.util.Map<java.lang.String, ?> arg0)
+            throws java.lang.IllegalArgumentException, javax.ws.rs.core.UriBuilderException;
+
+    public abstract java.net.URI build(java.lang.Object... arg0)
+            throws java.lang.IllegalArgumentException, javax.ws.rs.core.UriBuilderException;
+
+    public abstract java.net.URI build(java.lang.Object[] arg0, boolean arg1)
+            throws java.lang.IllegalArgumentException, javax.ws.rs.core.UriBuilderException;
+
+    public abstract java.net.URI buildFromEncoded(java.lang.Object... arg0)
+            throws java.lang.IllegalArgumentException, javax.ws.rs.core.UriBuilderException;
+
+}

java/ql/test/experimental/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/UriBuilderException.java

@@ -0,0 +1,18 @@
+package javax.ws.rs.core;
+
+public class UriBuilderException extends java.lang.RuntimeException {
+
+    private static final long serialVersionUID = 956255913370721193L;
+
+    public UriBuilderException() {
+    }
+
+    public UriBuilderException(java.lang.String msg) {
+    }
+
+    public UriBuilderException(java.lang.String msg, java.lang.Throwable cause) {
+    }
+
+    public UriBuilderException(java.lang.Throwable cause) {
+    }
+}

java/ql/test/library-tests/frameworks/javase/Uri.java

@@ -0,0 +1,59 @@
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.Proxy;
+import java.net.SocketAddress;
+import java.net.URI;
+import java.net.URL;
+import java.net.URLConnection;
+import java.net.URLStreamHandler;
+import java.net.Proxy.Type;
+
+public class Uri {
+    public static void main(String[] args) throws Exception {
+        // URI(String str)
+        URI uri = new URI("uri1");
+
+        // URI(String scheme, String ssp, String fragment)
+        URI ur2 = new URI("http", "ssp", "fragement");
+
+        // URI(String scheme, String userInfo, String host, int port, String path,
+        // String query, String fragment)
+        URI uri3 = new URI("http", "userinfo", "host", 1, "path", "query", "fragment");
+        // URI(String scheme, String host, String path, String fragment)
+        URI uri4 = new URI("http", "host", "path", "fragment");
+        // URI(String scheme, String authority, String path, String query, String
+        // fragment)
+        URI uri5 = new URI("http", "authority", "path", "query", "fragment");
+
+        // URI.create​(String str)
+        URI uri6 = URI.create("http://foo.com/");
+
+        // URL(String spec)
+        URL url1 = new URL("spec");
+        // URL(String protocol, String host, int port, String file)
+        URL url2 = new URL("http", "host", 1, "file");
+        // URL(String protocol, String host, String file)
+        URL url3 = new URL("http", "host", "file");
+        // URL(URL context, String spec)
+        URL url4 = new URL(url3, "http");
+        // URL(String protocol, String host, int port, String file, URLStreamHandler
+        // handler)
+        URL url5 = new URL("http", "host", 1, "file", new Helper());
+
+        // URL(URL context, String spec, URLStreamHandler handler)
+        URL url6 = new URL(url3, "spec", new Helper());
+
+        URLConnection c1 = url1.openConnection();
+        SocketAddress sa = new SocketAddress() {
+        };
+        URLConnection c2 = url1.openConnection(new Proxy(Type.HTTP, sa));
+        InputStream c3 = url1.openStream();
+    }
+}
+
+class Helper extends URLStreamHandler {
+    @Override
+    protected URLConnection openConnection(URL arg0) throws IOException {
+        return null;
+    }
+}

java/ql/test/library-tests/frameworks/javase/openConnection.expected

@@ -0,0 +1,2 @@
+| Uri.java:46:28:46:48 | openConnection(...) |
+| Uri.java:49:28:49:72 | openConnection(...) |

java/ql/test/library-tests/frameworks/javase/openConnection.ql

@@ -0,0 +1,5 @@
+import java
+import semmle.code.java.frameworks.javase.URL
+
+from UrlOpenConnectionMethod m
+select m.getAReference()

java/ql/test/library-tests/frameworks/javase/openStream.expected

@@ -0,0 +1 @@
+| Uri.java:50:26:50:42 | openStream(...) |

java/ql/test/library-tests/frameworks/javase/openStream.ql

@@ -0,0 +1,5 @@
+import java
+import semmle.code.java.frameworks.javase.URL
+
+from UrlOpenStreamMethod m
+select m.getAReference()

java/ql/test/library-tests/frameworks/javase/uri.expected

@@ -0,0 +1,6 @@
+| Uri.java:14:19:14:33 | new URI(...) | Uri.java:14:27:14:32 | "uri1" |
+| Uri.java:17:19:17:53 | new URI(...) | Uri.java:17:35:17:39 | "ssp" |
+| Uri.java:21:20:21:86 | new URI(...) | Uri.java:21:48:21:53 | "host" |
+| Uri.java:23:20:23:62 | new URI(...) | Uri.java:23:36:23:41 | "host" |
+| Uri.java:26:20:26:76 | new URI(...) | Uri.java:26:36:26:46 | "authority" |
+| Uri.java:29:20:29:48 | create(...) | Uri.java:29:31:29:47 | "http://foo.com/" |

java/ql/test/library-tests/frameworks/javase/uri.ql

@@ -0,0 +1,5 @@
+import java
+import semmle.code.java.frameworks.javase.URI
+
+from UriCreation c
+select c, c.hostArg()

java/ql/test/library-tests/frameworks/javase/url.expected

@@ -0,0 +1,4 @@
+| Uri.java:32:20:32:34 | new URL(...) | Uri.java:32:28:32:33 | "spec" |
+| Uri.java:34:20:34:53 | new URL(...) | Uri.java:34:36:34:41 | "host" |
+| Uri.java:36:20:36:50 | new URL(...) | Uri.java:36:36:36:41 | "host" |
+| Uri.java:41:20:41:67 | new URL(...) | Uri.java:41:36:41:41 | "host" |

java/ql/test/library-tests/frameworks/javase/url.ql

@@ -0,0 +1,5 @@
+import java
+import semmle.code.java.frameworks.javase.URL
+
+from UrlConstructor c
+select c, c.hostArg()

java/ql/test/stubs/servlet-api-2.4/javax/servlet/ServletInputStream.java

@@ -30,5 +30,6 @@ public abstract class ServletInputStream extends InputStream {
     protected ServletInputStream() {
     }
     public int readLine(byte[] b, int off, int len) throws IOException {
+        return 0;
     }
 }

java/ql/test/stubs/springframework-5.2.3/org/springframework/core/ParameterizedTypeReference.java

@@ -0,0 +1,27 @@
+package org.springframework.core;
+
+public abstract class ParameterizedTypeReference<T> {
+    public java.lang.reflect.Type getType() {
+        return null;
+    }
+
+    public boolean equals(java.lang.Object other) {
+        return false;
+    }
+
+    public int hashCode() {
+        return 0;
+    }
+
+    public java.lang.String toString() {
+        return null;
+    }
+
+    public static <T> org.springframework.core.ParameterizedTypeReference<T> forType(java.lang.reflect.Type type) {
+        return null;
+    }
+
+    private static java.lang.Class<?> findParameterizedTypeReferenceSubclass(java.lang.Class<?> child) {
+        return null;
+    }
+}

java/ql/test/stubs/springframework-5.2.3/org/springframework/http/HttpEntity.java

@@ -0,0 +1,40 @@
+package org.springframework.http;
+
+public class HttpEntity<T> {
+
+    protected HttpEntity() {
+    }
+
+    public HttpEntity(T body) {
+    }
+
+    public HttpEntity(org.springframework.util.MultiValueMap<java.lang.String, java.lang.String> headers) {
+    }
+
+    public HttpEntity(T body, org.springframework.util.MultiValueMap<java.lang.String, java.lang.String> headers) {
+    }
+
+    public org.springframework.http.HttpHeaders getHeaders() {
+        return null;
+    }
+
+    public T getBody() {
+        return null;
+    }
+
+    public boolean hasBody() {
+        return false;
+    }
+
+    public boolean equals(java.lang.Object other) {
+        return false;
+    }
+
+    public int hashCode() {
+        return 0;
+    }
+
+    public java.lang.String toString() {
+        return null;
+    }
+}

java/ql/test/stubs/springframework-5.2.3/org/springframework/http/HttpHeaders.java

@@ -0,0 +1,4 @@
+package org.springframework.http;
+
+public class HttpHeaders implements java.io.Serializable {
+}

java/ql/test/stubs/springframework-5.2.3/org/springframework/http/HttpMethod.java

@@ -0,0 +1,20 @@
+package org.springframework.http;
+
+public enum HttpMethod {
+
+    GET,
+
+    HEAD,
+
+    POST,
+
+    PUT,
+
+    PATCH,
+
+    DELETE,
+
+    OPTIONS,
+
+    TRACE,
+}

java/ql/test/stubs/springframework-5.2.3/org/springframework/http/HttpStatus.java

@@ -0,0 +1,147 @@
+package org.springframework.http;
+
+public enum HttpStatus {
+
+    CONTINUE,
+
+    SWITCHING_PROTOCOLS,
+
+    PROCESSING,
+
+    CHECKPOINT,
+
+    OK,
+
+    CREATED,
+
+    ACCEPTED,
+
+    NON_AUTHORITATIVE_INFORMATION,
+
+    NO_CONTENT,
+
+    RESET_CONTENT,
+
+    PARTIAL_CONTENT,
+
+    MULTI_STATUS,
+
+    ALREADY_REPORTED,
+
+    IM_USED,
+
+    MULTIPLE_CHOICES,
+
+    MOVED_PERMANENTLY,
+
+    FOUND,
+
+    @java.lang.Deprecated
+    MOVED_TEMPORARILY,
+
+    SEE_OTHER,
+
+    NOT_MODIFIED,
+
+    @java.lang.Deprecated
+    USE_PROXY,
+
+    TEMPORARY_REDIRECT,
+
+    PERMANENT_REDIRECT,
+
+    BAD_REQUEST,
+
+    UNAUTHORIZED,
+
+    PAYMENT_REQUIRED,
+
+    FORBIDDEN,
+
+    NOT_FOUND,
+
+    METHOD_NOT_ALLOWED,
+
+    NOT_ACCEPTABLE,
+
+    PROXY_AUTHENTICATION_REQUIRED,
+
+    REQUEST_TIMEOUT,
+
+    CONFLICT,
+
+    GONE,
+
+    LENGTH_REQUIRED,
+
+    PRECONDITION_FAILED,
+
+    PAYLOAD_TOO_LARGE,
+
+    @java.lang.Deprecated
+    REQUEST_ENTITY_TOO_LARGE,
+
+    URI_TOO_LONG,
+
+    @java.lang.Deprecated
+    REQUEST_URI_TOO_LONG,
+
+    UNSUPPORTED_MEDIA_TYPE,
+
+    REQUESTED_RANGE_NOT_SATISFIABLE,
+
+    EXPECTATION_FAILED,
+
+    I_AM_A_TEAPOT,
+
+    @java.lang.Deprecated
+    INSUFFICIENT_SPACE_ON_RESOURCE,
+
+    @java.lang.Deprecated
+    METHOD_FAILURE,
+
+    @java.lang.Deprecated
+    DESTINATION_LOCKED,
+
+    UNPROCESSABLE_ENTITY,
+
+    LOCKED,
+
+    FAILED_DEPENDENCY,
+
+    TOO_EARLY,
+
+    UPGRADE_REQUIRED,
+
+    PRECONDITION_REQUIRED,
+
+    TOO_MANY_REQUESTS,
+
+    REQUEST_HEADER_FIELDS_TOO_LARGE,
+
+    UNAVAILABLE_FOR_LEGAL_REASONS,
+
+    INTERNAL_SERVER_ERROR,
+
+    NOT_IMPLEMENTED,
+
+    BAD_GATEWAY,
+
+    SERVICE_UNAVAILABLE,
+
+    GATEWAY_TIMEOUT,
+
+    HTTP_VERSION_NOT_SUPPORTED,
+
+    VARIANT_ALSO_NEGOTIATES,
+
+    INSUFFICIENT_STORAGE,
+
+    LOOP_DETECTED,
+
+    BANDWIDTH_LIMIT_EXCEEDED,
+
+    NOT_EXTENDED,
+
+    NETWORK_AUTHENTICATION_REQUIRED,
+}

java/ql/test/stubs/springframework-5.2.3/org/springframework/http/RequestEntity.java

@@ -0,0 +1,70 @@
+package org.springframework.http;
+
+public class RequestEntity<T> extends org.springframework.http.HttpEntity {
+
+    public RequestEntity(org.springframework.http.HttpMethod method, java.net.URI url) {
+    }
+
+    public RequestEntity(T body, org.springframework.http.HttpMethod method, java.net.URI url) {
+    }
+
+    public RequestEntity(T body, org.springframework.http.HttpMethod method, java.net.URI url,
+            java.lang.reflect.Type type) {
+    }
+
+    public RequestEntity(org.springframework.util.MultiValueMap<java.lang.String, java.lang.String> headers,
+            org.springframework.http.HttpMethod method, java.net.URI url) {
+    }
+
+    public RequestEntity(T body, org.springframework.util.MultiValueMap<java.lang.String, java.lang.String> headers,
+            org.springframework.http.HttpMethod method, java.net.URI url) {
+    }
+
+    public RequestEntity(T body, org.springframework.util.MultiValueMap<java.lang.String, java.lang.String> headers,
+            org.springframework.http.HttpMethod method, java.net.URI url, java.lang.reflect.Type type) {
+    }
+
+    public java.net.URI getUrl() {
+        return null;
+    }
+
+    public static org.springframework.http.RequestEntity.BodyBuilder method(org.springframework.http.HttpMethod method,
+            java.net.URI url) {
+        return null;
+    }
+
+    public static org.springframework.http.RequestEntity.HeadersBuilder get(java.net.URI url) {
+        return null;
+    }
+
+    public static org.springframework.http.RequestEntity.HeadersBuilder head(java.net.URI url) {
+        return null;
+    }
+
+    public static org.springframework.http.RequestEntity.BodyBuilder post(java.net.URI url) {
+        return null;
+    }
+
+    public static org.springframework.http.RequestEntity.BodyBuilder put(java.net.URI url) {
+        return null;
+    }
+
+    public static org.springframework.http.RequestEntity.BodyBuilder patch(java.net.URI url) {
+        return null;
+    }
+
+    public static org.springframework.http.RequestEntity.HeadersBuilder delete(java.net.URI url) {
+        return null;
+    }
+
+    public static org.springframework.http.RequestEntity.HeadersBuilder options(java.net.URI url) {
+        return null;
+    }
+
+    class HeadersBuilder<K> {
+    }
+
+    public class BodyBuilder<T> {
+        public RequestEntity<T> body(Object body){return null;};
+    }
+}

java/ql/test/stubs/springframework-5.2.3/org/springframework/http/ResponseEntity.java

@@ -0,0 +1,12 @@
+package org.springframework.http;
+
+public class ResponseEntity<T> extends org.springframework.http.HttpEntity {
+
+    // private final java.lang.Object status;
+
+    // public ResponseEntity(org.springframework.http.HttpStatus status) {
+    // }
+
+    // public ResponseEntity(T body, org.springframework.http.HttpStatus status) {
+    // }
+ }

java/ql/test/stubs/springframework-5.2.3/org/springframework/http/client/ClientHttpResponse.java

@@ -0,0 +1,12 @@
+package org.springframework.http.client;
+
+public abstract interface ClientHttpResponse {
+
+    public abstract org.springframework.http.HttpStatus getStatusCode() throws java.io.IOException;
+
+    public abstract int getRawStatusCode() throws java.io.IOException;
+
+    public abstract java.lang.String getStatusText() throws java.io.IOException;
+
+    public abstract void close();
+}

java/ql/test/stubs/springframework-5.2.3/org/springframework/web/client/RequestCallback.java

@@ -0,0 +1,4 @@
+package org.springframework.web.client;
+
+public abstract interface RequestCallback {
+}

java/ql/test/stubs/springframework-5.2.3/org/springframework/web/client/ResponseExtractor.java

@@ -0,0 +1,4 @@
+package org.springframework.web.client;
+
+public abstract interface ResponseExtractor<K> {
+}

java/ql/test/stubs/springframework-5.2.3/org/springframework/web/client/RestClientException.java

@@ -0,0 +1,12 @@
+package org.springframework.web.client;
+
+public class RestClientException extends Exception {
+
+    private static final long serialVersionUID = -4084444984163796577L;
+
+    public RestClientException(java.lang.String msg) {
+    }
+
+    public RestClientException(java.lang.String msg, java.lang.Throwable ex) {
+    }
+}

java/ql/test/stubs/springframework-5.2.3/org/springframework/web/client/RestTemplate.java

@@ -0,0 +1,237 @@
+package org.springframework.web.client;
+
+public class RestTemplate {
+
+    public <T> T getForObject(java.lang.String url, java.lang.Class<T> responseType, java.lang.Object... uriVariables)
+            throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public <T> T getForObject(java.lang.String url, java.lang.Class<T> responseType,
+            java.util.Map<java.lang.String, ?> uriVariables) throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public <T> T getForObject(java.net.URI url, java.lang.Class<T> responseType)
+            throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public <T> org.springframework.http.ResponseEntity<T> getForEntity(java.lang.String url,
+            java.lang.Class<T> responseType, java.lang.Object... uriVariables)
+            throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public <T> org.springframework.http.ResponseEntity<T> getForEntity(java.lang.String url,
+            java.lang.Class<T> responseType, java.util.Map<java.lang.String, ?> uriVariables)
+            throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public <T> org.springframework.http.ResponseEntity<T> getForEntity(java.net.URI url,
+            java.lang.Class<T> responseType) throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public org.springframework.http.HttpHeaders headForHeaders(java.lang.String url, java.lang.Object... uriVariables)
+            throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public org.springframework.http.HttpHeaders headForHeaders(java.lang.String url,
+            java.util.Map<java.lang.String, ?> uriVariables) throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public org.springframework.http.HttpHeaders headForHeaders(java.net.URI url)
+            throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public java.net.URI postForLocation(java.lang.String url, java.lang.Object request,
+            java.lang.Object... uriVariables) throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public java.net.URI postForLocation(java.lang.String url, java.lang.Object request,
+            java.util.Map<java.lang.String, ?> uriVariables) throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public java.net.URI postForLocation(java.net.URI url, java.lang.Object request)
+            throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public <T> T postForObject(java.lang.String url, java.lang.Object request, java.lang.Class<T> responseType,
+            java.lang.Object... uriVariables) throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public <T> T postForObject(java.lang.String url, java.lang.Object request, java.lang.Class<T> responseType,
+            java.util.Map<java.lang.String, ?> uriVariables) throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public <T> T postForObject(java.net.URI url, java.lang.Object request, java.lang.Class<T> responseType)
+            throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public <T> org.springframework.http.ResponseEntity<T> postForEntity(java.lang.String url, java.lang.Object request,
+            java.lang.Class<T> responseType, java.lang.Object... uriVariables)
+            throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public <T> org.springframework.http.ResponseEntity<T> postForEntity(java.lang.String url, java.lang.Object request,
+            java.lang.Class<T> responseType, java.util.Map<java.lang.String, ?> uriVariables)
+            throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public <T> org.springframework.http.ResponseEntity<T> postForEntity(java.net.URI url, java.lang.Object request,
+            java.lang.Class<T> responseType) throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public void put(java.lang.String url, java.lang.Object request, java.lang.Object... uriVariables)
+            throws org.springframework.web.client.RestClientException {
+    }
+
+    public void put(java.lang.String url, java.lang.Object request, java.util.Map<java.lang.String, ?> uriVariables)
+            throws org.springframework.web.client.RestClientException {
+    }
+
+    public void put(java.net.URI url, java.lang.Object request)
+            throws org.springframework.web.client.RestClientException {
+    }
+
+    public <T> T patchForObject(java.lang.String url, java.lang.Object request, java.lang.Class<T> responseType,
+            java.lang.Object... uriVariables) throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public <T> T patchForObject(java.lang.String url, java.lang.Object request, java.lang.Class<T> responseType,
+            java.util.Map<java.lang.String, ?> uriVariables) throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public <T> T patchForObject(java.net.URI url, java.lang.Object request, java.lang.Class<T> responseType)
+            throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public void delete(java.lang.String url, java.lang.Object... uriVariables)
+            throws org.springframework.web.client.RestClientException {
+    }
+
+    public void delete(java.lang.String url, java.util.Map<java.lang.String, ?> uriVariables)
+            throws org.springframework.web.client.RestClientException {
+    }
+
+    public void delete(java.net.URI url) throws org.springframework.web.client.RestClientException {
+    }
+
+    public java.util.Set<org.springframework.http.HttpMethod> optionsForAllow(java.lang.String url,
+            java.lang.Object... uriVariables) throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public java.util.Set<org.springframework.http.HttpMethod> optionsForAllow(java.lang.String url,
+            java.util.Map<java.lang.String, ?> uriVariables) throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public java.util.Set<org.springframework.http.HttpMethod> optionsForAllow(java.net.URI url)
+            throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public <T> org.springframework.http.ResponseEntity<T> exchange(java.lang.String url,
+            org.springframework.http.HttpMethod method, org.springframework.http.HttpEntity<?> requestEntity,
+            java.lang.Class<T> responseType, java.lang.Object... uriVariables)
+            throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public <T> org.springframework.http.ResponseEntity<T> exchange(java.lang.String url,
+            org.springframework.http.HttpMethod method, org.springframework.http.HttpEntity<?> requestEntity,
+            java.lang.Class<T> responseType, java.util.Map<java.lang.String, ?> uriVariables)
+            throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public <T> org.springframework.http.ResponseEntity<T> exchange(java.net.URI url,
+            org.springframework.http.HttpMethod method, org.springframework.http.HttpEntity<?> requestEntity,
+            java.lang.Class<T> responseType) throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public <T> org.springframework.http.ResponseEntity<T> exchange(java.lang.String url,
+            org.springframework.http.HttpMethod method, org.springframework.http.HttpEntity<?> requestEntity,
+            org.springframework.core.ParameterizedTypeReference<T> responseType, java.lang.Object... uriVariables)
+            throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public <T> org.springframework.http.ResponseEntity<T> exchange(java.lang.String url,
+            org.springframework.http.HttpMethod method, org.springframework.http.HttpEntity<?> requestEntity,
+            org.springframework.core.ParameterizedTypeReference<T> responseType,
+            java.util.Map<java.lang.String, ?> uriVariables) throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public <T> org.springframework.http.ResponseEntity<T> exchange(java.net.URI url,
+            org.springframework.http.HttpMethod method, org.springframework.http.HttpEntity<?> requestEntity,
+            org.springframework.core.ParameterizedTypeReference<T> responseType)
+            throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public <T> org.springframework.http.ResponseEntity<T> exchange(
+            org.springframework.http.RequestEntity<?> requestEntity, java.lang.Class<T> responseType)
+            throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public <T> org.springframework.http.ResponseEntity<T> exchange(
+            org.springframework.http.RequestEntity<?> requestEntity,
+            org.springframework.core.ParameterizedTypeReference<T> responseType)
+            throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public <T> T execute(java.lang.String url, org.springframework.http.HttpMethod method,
+            org.springframework.web.client.RequestCallback requestCallback,
+            org.springframework.web.client.ResponseExtractor<T> responseExtractor, java.lang.Object... uriVariables)
+            throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public <T> T execute(java.lang.String url, org.springframework.http.HttpMethod method,
+            org.springframework.web.client.RequestCallback requestCallback,
+            org.springframework.web.client.ResponseExtractor<T> responseExtractor,
+            java.util.Map<java.lang.String, ?> uriVariables) throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public <T> T execute(java.net.URI url, org.springframework.http.HttpMethod method,
+            org.springframework.web.client.RequestCallback requestCallback,
+            org.springframework.web.client.ResponseExtractor<T> responseExtractor)
+            throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    protected <T> T doExecute(java.net.URI url, org.springframework.http.HttpMethod method,
+            org.springframework.web.client.RequestCallback requestCallback,
+            org.springframework.web.client.ResponseExtractor<T> responseExtractor)
+            throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    protected void handleResponse(java.net.URI url, org.springframework.http.HttpMethod method,
+            org.springframework.http.client.ClientHttpResponse response) throws java.io.IOException {
+    }
+}