add request forgery query

2026-03-01 05:13:41 +01:00 · 2020-05-11 01:21:38 +05:30
parent 1e048d8045
commit 38de9b6433
54 changed files with 1771 additions and 26 deletions
--- a/java/ql/src/semmle/code/java/frameworks/ApacheHttp.qll
+++ b/java/ql/src/semmle/code/java/frameworks/ApacheHttp.qll
@@ -13,3 +13,32 @@ class ApacheHttpEntityGetContent extends Method {
    this.getName() = "getContent"
  }
 }
+
+/**
+ *  A class derived from the `HttpRequestBase` or the `BasicHttpRequest`
+ *  class of the Apache Http Client `org.apache.http` library
+ */
+class TypeApacheHttpRequestBase extends RefType {
+  TypeApacheHttpRequestBase() {
+    this
+        .getASourceSupertype*()
+        .hasQualifiedName("org.apache.http.client.methods", "HttpRequestBase") or
+    this.getASourceSupertype*().hasQualifiedName("org.apache.http.message", "BasicHttpRequest")
+  }
+}
+
+/*
+ * Any class which can be used to make an HTTP request using the Apache Http Client library
+ * Examples include `HttpGet`,`HttpPost` etc.
+ */
+
+class TypeApacheHttpRequest extends Class {
+  TypeApacheHttpRequest() { exists(TypeApacheHttpRequestBase t | this.extendsOrImplements(t)) }
+}
+
+/* A class representing the `RequestBuilder` class of the Apache Http Client library */
+class TypeApacheHttpRequestBuilder extends Class {
+  TypeApacheHttpRequestBuilder() {
+    hasQualifiedName("org.apache.http.client.methods", "RequestBuilder")
+  }
+}
--- a/java/ql/src/semmle/code/java/frameworks/JaxWS.qll
+++ b/java/ql/src/semmle/code/java/frameworks/JaxWS.qll
@@ -170,6 +170,13 @@ class JaxRsResponseBuilder extends Class {
  JaxRsResponseBuilder() { this.hasQualifiedName("javax.ws.rs.core", "ResponseBuilder") }
 }

+/**
+ * The class `javax.ws.rs.client.Client`
+ */
+class JaxRsClient extends RefType {
+  JaxRsClient() { this.hasQualifiedName("javax.ws.rs.client", "Client") }
+}
+
 /**
 * A constructor that may be called by a JaxRS container to construct an instance to inject into a
 * resource method or resource class constructor.
--- a/java/ql/src/semmle/code/java/frameworks/javase/Http.qll
+++ b/java/ql/src/semmle/code/java/frameworks/javase/Http.qll
@@ -0,0 +1,20 @@
+import java
+import semmle.code.java.dataflow.FlowSources
+
+/** A class representing `HttpRequest.Builder`. */
+class TypeHttpRequestBuilder extends Interface {
+  TypeHttpRequestBuilder() { hasQualifiedName("java.net.http", "HttpRequest$Builder") }
+}
+
+/** A class representing `java.net.http.HttpRequest`. */
+class TypeHttpRequest extends Interface {
+  TypeHttpRequest() { hasQualifiedName("java.net.http", "HttpRequest") }
+}
+
+/** A class representing `java.net.http.HttpRequest$Builder`'s `uri` method. */
+class HttpBuilderUri extends Method {
+  HttpBuilderUri() {
+    this.getDeclaringType() instanceof TypeHttpRequestBuilder and
+    this.getName() = "uri"
+  }
+}
--- a/java/ql/src/semmle/code/java/frameworks/javase/URI.qll
+++ b/java/ql/src/semmle/code/java/frameworks/javase/URI.qll
@@ -0,0 +1,43 @@
+import java
+import semmle.code.java.dataflow.FlowSources
+
+/** Any expresion or call which returns a new URI.*/
+abstract class UriCreation extends Top {
+  /**
+   * Returns the host of the newly created URI.
+   *  In the case where the host is specified separately, this returns only the host.
+   *  In the case where the uri is parsed from an input string,
+   *  such as in `URI(`http://foo.com/mypath')`,
+   *  this returns the entire argument passed i.e. `http://foo.com/mypath'.
+   */
+
+  abstract Expr hostArg();
+}
+
+/** An URI constructor expression */
+class UriConstructor extends ClassInstanceExpr, UriCreation {
+  UriConstructor() { this.getConstructor().getDeclaringType().getQualifiedName() = "java.net.URI" }
+
+  override Expr hostArg() {
+    // URI(String str)
+    result = this.getArgument(0) and this.getNumArgument() = 1
+    or
+    // URI(String scheme, String ssp, String fragment)
+    // URI(String scheme, String host, String path, String fragment)
+    // URI(String scheme, String authority, String path, String query, String fragment)
+    result = this.getArgument(1) and this.getNumArgument() = [3, 4, 5]
+    or
+    // URI(String scheme, String userInfo, String host, int port, String path, String query,
+    //    String fragment)
+    result = this.getArgument(2) and this.getNumArgument() = 7
+  }
+}
+
+class UriCreate extends Call, UriCreation {
+  UriCreate() {
+    this.getCallee().getName() = "create" and
+    this.getCallee().getDeclaringType() instanceof TypeUri
+  }
+
+  override Expr hostArg() { result = this.getArgument(0) }
+}
--- a/java/ql/src/semmle/code/java/frameworks/javase/URL.qll
+++ b/java/ql/src/semmle/code/java/frameworks/javase/URL.qll
@@ -0,0 +1,47 @@
+import java
+import semmle.code.java.dataflow.FlowSources
+
+/* Am URL constructor expression */
+class UrlConstructor extends ClassInstanceExpr {
+  UrlConstructor() { this.getConstructor().getDeclaringType().getQualifiedName() = "java.net.URL" }
+
+  Expr hostArg() {
+    // URL(String spec)
+    this.getNumArgument() = 1 and result = this.getArgument(0)
+    or
+    // URL(String protocol, String host, int port, String file)
+    // URL(String protocol, String host, int port, String file, URLStreamHandler handler)
+    this.getNumArgument() = [4,5] and result = this.getArgument(1)
+    or
+    // URL(String protocol, String host, String file)
+    // but not
+    // URL(URL context, String spec, URLStreamHandler handler)
+    (
+      this.getNumArgument() = 3 and
+      this.getConstructor().getParameter(2).getType() instanceof TypeString
+    ) and
+    result = this.getArgument(1)
+  }
+
+  Expr protocolArg() {
+    // In all cases except where the first parameter is a URL, the argument
+    // containing the protocol is the first one, otherwise it is the second.
+    if this.getConstructor().getParameter(0).getType().getName() = "URL"
+    then result = this.getArgument(1)
+    else result = this.getArgument(0)
+  }
+}
+
+class UrlOpenStreamMethod extends Method {
+  UrlOpenStreamMethod() {
+    this.getDeclaringType() instanceof TypeUrl and
+    this.getName() = "openStream"
+  }
+}
+
+class UrlOpenConnectionMethod extends Method {
+  UrlOpenConnectionMethod() {
+    this.getDeclaringType() instanceof TypeUrl and
+    this.getName() = "openConnection"
+  }
+}
--- a/java/ql/src/semmle/code/java/frameworks/spring/SpringHttp.qll
+++ b/java/ql/src/semmle/code/java/frameworks/spring/SpringHttp.qll
@@ -4,6 +4,7 @@
 */

 import java
+import semmle.code.java.frameworks.Networking

 /** The class `org.springframework.http.HttpEntity` or an instantiation of it. */
 class SpringHttpEntity extends Class {
@@ -38,3 +39,17 @@ class SpringResponseEntityBodyBuilder extends Interface {
 class SpringHttpHeaders extends Class {
  SpringHttpHeaders() { this.hasQualifiedName("org.springframework.http", "HttpHeaders") }
 }
+
+/** Models `org.springframework.http.RequestEntity`s instantiation expressions. */
+class SpringRequestEntityInstanceExpr extends ClassInstanceExpr {
+  int numArgs;
+
+  SpringRequestEntityInstanceExpr() {
+    this.getConstructedType() instanceof SpringRequestEntity and
+    numArgs = this.getNumArgument()
+  }
+
+  Argument getUriArg() {
+    exists(Argument a | this.getAnArgument() = a and a.getType() instanceof TypeUri | result = a)
+  }
+}
--- a/java/ql/src/semmle/code/java/frameworks/spring/SpringWebClient.qll
+++ b/java/ql/src/semmle/code/java/frameworks/spring/SpringWebClient.qll
@@ -27,3 +27,116 @@ class SpringWebClient extends Interface {
    this.hasQualifiedName("org.springframework.web.reactive.function.client", "WebClient")
  }
 }
+
+/**
+ * An abstract class representing all Spring Rest Template methods
+ * which take an URL as an argument.
+ */
+abstract class SpringRestTemplateUrlMethods extends Method {
+  /** Gets the argument which corresponds to a URL */
+  abstract Argument getUrlArgument(MethodAccess ma);
+}
+
+/** Models `RestTemplate` class's `doExecute` method */
+class RestTemplateDoExecute extends SpringRestTemplateUrlMethods {
+  RestTemplateDoExecute() {
+    this.getDeclaringType() instanceof SpringRestTemplate and
+    this.hasName("doExecute")
+  }
+
+  override Argument getUrlArgument(MethodAccess ma) {
+    // doExecute(URI url, HttpMethod method, RequestCallback requestCallback,
+    //  ResponseExtractor<T> responseExtractor)
+    result = ma.getArgument(0)
+  }
+}
+
+/** Models `RestTemplate` class's `exchange` method */
+class RestTemplateExchange extends SpringRestTemplateUrlMethods {
+  RestTemplateExchange() {
+    this.getDeclaringType() instanceof SpringRestTemplate and
+    this.hasName("exchange")
+  }
+
+  override Argument getUrlArgument(MethodAccess ma) { result = ma.getArgument(0) }
+}
+
+/** Models `RestTemplate` class's `execute` method */
+class RestTemplateExecute extends SpringRestTemplateUrlMethods {
+  RestTemplateExecute() {
+    this.getDeclaringType() instanceof SpringRestTemplate and
+    this.hasName("execute")
+  }
+
+  override Argument getUrlArgument(MethodAccess ma) { result = ma.getArgument(0) }
+}
+
+/** Models `RestTemplate` class's `getForEntity` method */
+class RestTemplateGetForEntity extends SpringRestTemplateUrlMethods {
+  RestTemplateGetForEntity() {
+    this.getDeclaringType() instanceof SpringRestTemplate and
+    this.hasName("getForEntity")
+  }
+
+  override Argument getUrlArgument(MethodAccess ma) { result = ma.getArgument(0) }
+}
+
+/** Models `RestTemplate` class's `getForObject` method */
+class RestTemplateGetForObject extends SpringRestTemplateUrlMethods {
+  RestTemplateGetForObject() {
+    this.getDeclaringType() instanceof SpringRestTemplate and
+    this.hasName("getForObject")
+  }
+
+  override Argument getUrlArgument(MethodAccess ma) { result = ma.getArgument(0) }
+}
+
+/** Models `RestTemplate` class's `patchForObject` method */
+class RestTemplatePatchForObject extends SpringRestTemplateUrlMethods {
+  RestTemplatePatchForObject() {
+    this.getDeclaringType() instanceof SpringRestTemplate and
+    this.hasName("patchForObject")
+  }
+
+  override Argument getUrlArgument(MethodAccess ma) { result = ma.getArgument(0) }
+}
+
+/** Models `RestTemplate` class's `postForEntity` method */
+class RestTemplatePostForEntity extends SpringRestTemplateUrlMethods {
+  RestTemplatePostForEntity() {
+    this.getDeclaringType() instanceof SpringRestTemplate and
+    this.hasName("postForEntity")
+  }
+
+  override Argument getUrlArgument(MethodAccess ma) { result = ma.getArgument(0) }
+}
+
+/** Models `RestTemplate` class's `postForLocation` method */
+class RestTemplatePostForLocation extends SpringRestTemplateUrlMethods {
+  RestTemplatePostForLocation() {
+    this.getDeclaringType() instanceof SpringRestTemplate and
+    this.hasName("postForLocation")
+  }
+
+  override Argument getUrlArgument(MethodAccess ma) { result = ma.getArgument(0) }
+}
+
+/** Models `RestTemplate` class's `postForObject` method */
+class RestTemplatePostForObject extends SpringRestTemplateUrlMethods {
+  RestTemplatePostForObject() {
+    this.getDeclaringType() instanceof SpringRestTemplate and
+    this.hasName("postForObject")
+  }
+
+  override Argument getUrlArgument(MethodAccess ma) { result = ma.getArgument(0) }
+}
+
+/** Models `RestTemplate` class's `put` method */
+class RestTemplatePut extends SpringRestTemplateUrlMethods {
+  RestTemplatePut() {
+    this.getDeclaringType() instanceof SpringRestTemplate and
+    this.hasName("put")
+  }
+
+  override Argument getUrlArgument(MethodAccess ma) { result = ma.getArgument(0) }
+}