org.kohsuke.stapler.model tests

java/ql/lib/ext/org.kohsuke.stapler.model.yml

@@ -3,5 +3,5 @@ extensions:
       pack: codeql/java-all
       extensible: sinkModel
     data:
-      - ["org.kohsuke.stapler", "HttpResponses", True, "redirectTo", "(String)", "", "Argument[0]", "open-url", "ai-generated"]
+      - ["org.kohsuke.stapler", "HttpResponses", True, "redirectTo", "(String)", "", "Argument[0]", "url-redirect", "ai-generated"]
       - ["org.kohsuke.stapler", "HttpResponses", True, "staticResource", "(URL)", "", "Argument[0]", "open-url", "ai-generated"]

java/ql/test/query-tests/security/CWE-601/semmle/tests/UrlRedirect.expected

@@ -4,6 +4,8 @@ edges
 | UrlRedirect.java:36:58:36:89 | getParameter(...) : String | UrlRedirect.java:36:25:36:89 | ... + ... |
 | UrlRedirect.java:45:28:45:39 | input : String | UrlRedirect.java:46:10:46:14 | input : String |
 | UrlRedirect.java:46:10:46:14 | input : String | UrlRedirect.java:46:10:46:40 | replaceAll(...) : String |
+| mad/Test.java:9:16:9:41 | getParameter(...) : String | mad/Test.java:14:31:14:38 | source(...) : String |
+| mad/Test.java:14:31:14:38 | source(...) : String | mad/Test.java:14:22:14:38 | (...)... |
 nodes
 | UrlRedirect.java:23:25:23:54 | getParameter(...) | semmle.label | getParameter(...) |
 | UrlRedirect.java:32:25:32:67 | weakCleanup(...) | semmle.label | weakCleanup(...) |
@@ -15,6 +17,9 @@ nodes
 | UrlRedirect.java:45:28:45:39 | input : String | semmle.label | input : String |
 | UrlRedirect.java:46:10:46:14 | input : String | semmle.label | input : String |
 | UrlRedirect.java:46:10:46:40 | replaceAll(...) : String | semmle.label | replaceAll(...) : String |
+| mad/Test.java:9:16:9:41 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| mad/Test.java:14:22:14:38 | (...)... | semmle.label | (...)... |
+| mad/Test.java:14:31:14:38 | source(...) : String | semmle.label | source(...) : String |
 subpaths
 | UrlRedirect.java:32:37:32:66 | getParameter(...) : String | UrlRedirect.java:45:28:45:39 | input : String | UrlRedirect.java:46:10:46:40 | replaceAll(...) : String | UrlRedirect.java:32:25:32:67 | weakCleanup(...) |
 #select
@@ -23,3 +28,4 @@ subpaths
 | UrlRedirect.java:36:25:36:89 | ... + ... | UrlRedirect.java:36:58:36:89 | getParameter(...) : String | UrlRedirect.java:36:25:36:89 | ... + ... | Untrusted URL redirection depends on a $@. | UrlRedirect.java:36:58:36:89 | getParameter(...) | user-provided value |
 | UrlRedirect.java:39:34:39:63 | getParameter(...) | UrlRedirect.java:39:34:39:63 | getParameter(...) | UrlRedirect.java:39:34:39:63 | getParameter(...) | Untrusted URL redirection depends on a $@. | UrlRedirect.java:39:34:39:63 | getParameter(...) | user-provided value |
 | UrlRedirect.java:42:43:42:72 | getParameter(...) | UrlRedirect.java:42:43:42:72 | getParameter(...) | UrlRedirect.java:42:43:42:72 | getParameter(...) | Untrusted URL redirection depends on a $@. | UrlRedirect.java:42:43:42:72 | getParameter(...) | user-provided value |
+| mad/Test.java:14:22:14:38 | (...)... | mad/Test.java:9:16:9:41 | getParameter(...) : String | mad/Test.java:14:22:14:38 | (...)... | Untrusted URL redirection depends on a $@. | mad/Test.java:9:16:9:41 | getParameter(...) | user-provided value |

java/ql/test/query-tests/security/CWE-601/semmle/tests/mad/Test.java

@@ -0,0 +1,16 @@
+import javax.servlet.http.HttpServletRequest;
+import org.kohsuke.stapler.HttpResponses;
+
+public class Test {
+
+    private static HttpServletRequest request;
+
+    public static Object source() {
+        return request.getParameter(null);
+    }
+
+    public void test(HttpResponses r) {
+        // "org.kohsuke.stapler;HttpResponses;true;redirectTo;(String);;Argument[0];open-url;ai-generated"
+        r.redirectTo((String) source());
+    }
+}

java/ql/test/query-tests/security/CWE-601/semmle/tests/options

@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/servlet-api-2.4
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/servlet-api-2.4:${testdir}/../../../../../stubs/stapler-1.263:${testdir}/../../../../../stubs/javax-servlet-2.5:${testdir}/../../../../../stubs/apache-commons-jelly-1.0.1:${testdir}/../../../../../stubs/apache-commons-fileupload-1.4:${testdir}/../../../../../stubs/saxon-xqj-9.x:${testdir}/../../../../../stubs/apache-commons-beanutils:${testdir}/../../../../../stubs/dom4j-2.1.1:${testdir}/../../../../../stubs/apache-commons-lang:${testdir}/../../../../../stubs/jaxen-1.2.0

java/ql/test/query-tests/security/CWE-918/mad/Test.java

@@ -8,6 +8,7 @@ import javax.servlet.http.HttpServletRequest;
 import javafx.scene.web.WebEngine;
 import org.apache.commons.jelly.JellyContext;
 import org.codehaus.cargo.container.installer.ZipURLInstaller;
+import org.kohsuke.stapler.HttpResponses;
 
 public class Test {
 
@@ -68,4 +69,9 @@ public class Test {
         new ZipURLInstaller((URL) source(), "", ""); // $ SSRF
     }
 
+    public void test(HttpResponses r) {
+        // "org.kohsuke.stapler;HttpResponses;true;staticResource;(URL);;Argument[0];open-url;ai-generated"
+        r.staticResource((URL) source()); // $ SSRF
+    }
+
 }

java/ql/test/query-tests/security/CWE-918/options

@@ -1,2 +1 @@
-//semmle-extractor-options: --javac-args -source 11 -target 11 -cp ${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/javax-ws-rs-api-2.1.1:${testdir}/../../../stubs/javax-ws-rs-api-3.0.0:${testdir}/../../../stubs/apache-http-4.4.13/:${testdir}/../../../stubs/servlet-api-2.4/:${testdir}/../../../stubs/projectreactor-3.4.3/:${testdir}/../../../stubs/postgresql-42.3.3/:${testdir}/../../../stubs/HikariCP-3.4.5/:${testdir}/../../../stubs/spring-jdbc-5.3.8/:${testdir}/../../../stubs/jdbi3-core-3.27.2/:${testdir}/../../../stubs/cargo:${testdir}/../../../stubs/javafx-web:${testdir}/../../../stubs/apache-commons-jelly-1.0.1:${testdir}/../../../stubs/dom4j-2.1.1:${testdir}/../../../stubs/jaxen-1.2.0
+//semmle-extractor-options: --javac-args -source 11 -target 11 -cp ${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/javax-ws-rs-api-2.1.1:${testdir}/../../../stubs/javax-ws-rs-api-3.0.0:${testdir}/../../../stubs/apache-http-4.4.13/:${testdir}/../../../stubs/projectreactor-3.4.3/:${testdir}/../../../stubs/postgresql-42.3.3/:${testdir}/../../../stubs/HikariCP-3.4.5/:${testdir}/../../../stubs/spring-jdbc-5.3.8/:${testdir}/../../../stubs/jdbi3-core-3.27.2/:${testdir}/../../../stubs/cargo:${testdir}/../../../stubs/javafx-web:${testdir}/../../../stubs/apache-commons-jelly-1.0.1:${testdir}/../../../stubs/dom4j-2.1.1:${testdir}/../../../stubs/jaxen-1.2.0:${testdir}/../../../stubs/stapler-1.263:${testdir}/../../../stubs/javax-servlet-2.5:${testdir}/../../../stubs/apache-commons-fileupload-1.4:${testdir}/../../../stubs/saxon-xqj-9.x:${testdir}/../../../stubs/apache-commons-beanutils:${testdir}/../../../stubs/apache-commons-lang
-

java/ql/test/stubs/stapler-1.263/org/kohsuke/stapler/ForwardToView.java

@@ -0,0 +1,21 @@
+// Generated automatically from org.kohsuke.stapler.ForwardToView for testing purposes
+
+package org.kohsuke.stapler;
+
+import java.util.Map;
+import javax.servlet.RequestDispatcher;
+import org.kohsuke.stapler.HttpResponse;
+import org.kohsuke.stapler.StaplerRequest;
+import org.kohsuke.stapler.StaplerResponse;
+
+public class ForwardToView extends RuntimeException implements HttpResponse
+{
+    protected ForwardToView() {}
+    public ForwardToView optional(){ return null; }
+    public ForwardToView with(Map<String, ? extends Object> p0){ return null; }
+    public ForwardToView with(String p0, Object p1){ return null; }
+    public ForwardToView(Class p0, String p1){}
+    public ForwardToView(Object p0, String p1){}
+    public ForwardToView(RequestDispatcher p0){}
+    public void generateResponse(StaplerRequest p0, StaplerResponse p1, Object p2){}
+}

java/ql/test/stubs/stapler-1.263/org/kohsuke/stapler/HttpRedirect.java

@@ -0,0 +1,18 @@
+// Generated automatically from org.kohsuke.stapler.HttpRedirect for testing purposes
+
+package org.kohsuke.stapler;
+
+import org.kohsuke.stapler.HttpResponse;
+import org.kohsuke.stapler.StaplerRequest;
+import org.kohsuke.stapler.StaplerResponse;
+
+public class HttpRedirect extends RuntimeException implements HttpResponse
+{
+    protected HttpRedirect() {}
+    public HttpRedirect(String p0){}
+    public HttpRedirect(int p0, String p1){}
+    public static HttpRedirect DOT = null;
+    public static HttpResponse CONTEXT_ROOT = null;
+    public static HttpResponse fromContextPath(String p0){ return null; }
+    public void generateResponse(StaplerRequest p0, StaplerResponse p1, Object p2){}
+}

java/ql/test/stubs/stapler-1.263/org/kohsuke/stapler/HttpResponses.java

@@ -0,0 +1,43 @@
+// Generated automatically from org.kohsuke.stapler.HttpResponses for testing purposes
+
+package org.kohsuke.stapler;
+
+import java.net.URL;
+import org.kohsuke.stapler.ForwardToView;
+import org.kohsuke.stapler.HttpRedirect;
+import org.kohsuke.stapler.HttpResponse;
+
+public class HttpResponses
+{
+    abstract static public class HttpResponseException extends RuntimeException implements HttpResponse
+    {
+        public HttpResponseException(){}
+        public HttpResponseException(String p0){}
+        public HttpResponseException(String p0, Throwable p1){}
+        public HttpResponseException(Throwable p0){}
+    }
+    public HttpResponses(){}
+    public static ForwardToView forwardToView(Class p0, String p1){ return null; }
+    public static ForwardToView forwardToView(Object p0, String p1){ return null; }
+    public static HttpRedirect redirectTo(String p0){ return null; }
+    public static HttpRedirect redirectTo(int p0, String p1){ return null; }
+    public static HttpResponse html(String p0){ return null; }
+    public static HttpResponse literalHtml(String p0){ return null; }
+    public static HttpResponse plainText(String p0){ return null; }
+    public static HttpResponse redirectToDot(){ return null; }
+    public static HttpResponse staticResource(URL p0){ return null; }
+    public static HttpResponse staticResource(URL p0, long p1){ return null; }
+    public static HttpResponse text(String p0){ return null; }
+    public static HttpResponses.HttpResponseException error(Throwable p0){ return null; }
+    public static HttpResponses.HttpResponseException error(int p0, String p1){ return null; }
+    public static HttpResponses.HttpResponseException error(int p0, Throwable p1){ return null; }
+    public static HttpResponses.HttpResponseException errorWithoutStack(int p0, String p1){ return null; }
+    public static HttpResponses.HttpResponseException forbidden(){ return null; }
+    public static HttpResponses.HttpResponseException forwardToPreviousPage(){ return null; }
+    public static HttpResponses.HttpResponseException notFound(){ return null; }
+    public static HttpResponses.HttpResponseException ok(){ return null; }
+    public static HttpResponses.HttpResponseException redirectToContextRoot(){ return null; }
+    public static HttpResponses.HttpResponseException redirectViaContextPath(String p0){ return null; }
+    public static HttpResponses.HttpResponseException redirectViaContextPath(int p0, String p1){ return null; }
+    public static HttpResponses.HttpResponseException status(int p0){ return null; }
+}

java/ql/test/stubs/stapler-1.263/org/kohsuke/stapler/RequestImpl.java

@@ -4,7 +4,6 @@ package org.kohsuke.stapler;
 
 import java.lang.reflect.Type;
 import java.util.Calendar;
-import java.util.Date;
 import java.util.Enumeration;
 import java.util.List;
 import java.util.Map;
@@ -25,56 +24,186 @@ import org.kohsuke.stapler.WebApp;
 import org.kohsuke.stapler.bind.BoundObjectTable;
 import org.kohsuke.stapler.lang.Klass;
 
-public class RequestImpl extends HttpServletRequestWrapper implements StaplerRequest
+public class RequestImpl extends HttpServletRequestWrapper implements StaplerRequest {
-{
     protected RequestImpl() {}
-    public <T> T bindJSON(java.lang.Class<T> p0, JSONObject p1){ return null; }
+
-    public <T> T bindParameters(java.lang.Class<T> p0, String p1){ return null; }
+    public <T> T bindJSON(java.lang.Class<T> p0, JSONObject p1) {
-    public <T> T bindParameters(java.lang.Class<T> p0, String p1, int p2){ return null; }
+        return null;
-    public <T> T findAncestorObject(java.lang.Class<T> p0){ return null; }
+    }
-    public <T> java.util.List<T> bindJSONToList(java.lang.Class<T> p0, Object p1){ return null; }
+
-    public <T> java.util.List<T> bindParametersToList(java.lang.Class<T> p0, String p1){ return null; }
+    public <T> T bindParameters(java.lang.Class<T> p0, String p1) {
-    public Ancestor findAncestor(Class p0){ return null; }
+        return null;
-    public Ancestor findAncestor(Object p0){ return null; }
+    }
-    public BindInterceptor getBindInterceptor(){ return null; }
+
-    public BindInterceptor setBindInterceptor(BindInterceptor p0){ return null; }
+    public <T> T bindParameters(java.lang.Class<T> p0, String p1, int p2) {
-    public BindInterceptor setBindInterceptpr(BindInterceptor p0){ return null; }
+        return null;
-    public BindInterceptor setBindListener(BindInterceptor p0){ return null; }
+    }
-    public BoundObjectTable getBoundObjectTable(){ return null; }
+
-    public Enumeration getParameterNames(){ return null; }
+    public <T> T findAncestorObject(java.lang.Class<T> p0) {
-    public FileItem getFileItem(String p0){ return null; }
+        return null;
-    public JSONObject getSubmittedForm(){ return null; }
+    }
-    public List<Ancestor> getAncestors(){ return null; }
+
-    public Map getParameterMap(){ return null; }
+    public <T> java.util.List<T> bindJSONToList(java.lang.Class<T> p0, Object p1) {
-    public Object bindJSON(Type p0, Class p1, Object p2){ return null; }
+        return null;
-    public RequestDispatcher getView(Class p0, String p1){ return null; }
+    }
-    public RequestDispatcher getView(Klass<? extends Object> p0, Object p1, String p2){ return null; }
+
-    public RequestDispatcher getView(Klass<? extends Object> p0, String p1){ return null; }
+    public <T> java.util.List<T> bindParametersToList(java.lang.Class<T> p0, String p1) {
-    public RequestDispatcher getView(Object p0, String p1){ return null; }
+        return null;
+    }
+
+    public Ancestor findAncestor(Class p0) {
+        return null;
+    }
+
+    public Ancestor findAncestor(Object p0) {
+        return null;
+    }
+
+    public BindInterceptor getBindInterceptor() {
+        return null;
+    }
+
+    public BindInterceptor setBindInterceptor(BindInterceptor p0) {
+        return null;
+    }
+
+    public BindInterceptor setBindInterceptpr(BindInterceptor p0) {
+        return null;
+    }
+
+    public BindInterceptor setBindListener(BindInterceptor p0) {
+        return null;
+    }
+
+    public BoundObjectTable getBoundObjectTable() {
+        return null;
+    }
+
+    public Enumeration getParameterNames() {
+        return null;
+    }
+
+    public FileItem getFileItem(String p0) {
+        return null;
+    }
+
+    public JSONObject getSubmittedForm() {
+        return null;
+    }
+
+    public List<Ancestor> getAncestors() {
+        return null;
+    }
+
+    public Map getParameterMap() {
+        return null;
+    }
+
+    public Object bindJSON(Type p0, Class p1, Object p2) {
+        return null;
+    }
+
+    public RequestDispatcher getView(Class p0, String p1) {
+        return null;
+    }
+
+    public RequestDispatcher getView(Klass<? extends Object> p0, Object p1, String p2) {
+        return null;
+    }
+
+    public RequestDispatcher getView(Klass<? extends Object> p0, String p1) {
+        return null;
+    }
+
+    public RequestDispatcher getView(Object p0, String p1) {
+        return null;
+    }
+
     public RequestImpl(Stapler p0, HttpServletRequest p1, List<AncestorImpl> p2, TokenList p3) {}
-    public ServletContext getServletContext(){ return null; }
+
-    public Stapler getStapler(){ return null; }
+    public ServletContext getServletContext() {
-    public String createJavaScriptProxy(Object p0){ return null; }
+        return null;
-    public String getOriginalRequestURI(){ return null; }
+    }
-    public String getOriginalRestOfPath(){ return null; }
+
-    public String getParameter(String p0){ return null; }
+    public Stapler getStapler() {
-    public String getReferer(){ return null; }
+        return null;
-    public String getRequestURIWithQueryString(){ return null; }
+    }
-    public String getRestOfPath(){ return null; }
+
-    public String getRootPath(){ return null; }
+    public String createJavaScriptProxy(Object p0) {
-    public StringBuffer getRequestURLWithQueryString(){ return null; }
+        return null;
-    public String[] getParameterValues(String p0){ return null; }
+    }
-    public WebApp getWebApp(){ return null; }
+
-    public boolean checkIfModified(Calendar p0, StaplerResponse p1){ return false; }
+    public String getOriginalRequestURI() {
-    public boolean checkIfModified(Date p0, StaplerResponse p1){ return false; }
+        return null;
-    public boolean checkIfModified(long p0, StaplerResponse p1){ return false; }
+    }
-    public boolean checkIfModified(long p0, StaplerResponse p1, long p2){ return false; }
+
-    public boolean hasParameter(String p0){ return false; }
+    public String getOriginalRestOfPath() {
-    public boolean isJavaScriptProxyCall(){ return false; }
+        return null;
+    }
+
+    public String getParameter(String p0) {
+        return p0;
+    }
+
+    public String getReferer() {
+        return null;
+    }
+
+    public String getRequestURIWithQueryString() {
+        return null;
+    }
+
+    public String getRestOfPath() {
+        return null;
+    }
+
+    public String getRootPath() {
+        return null;
+    }
+
+    public StringBuffer getRequestURLWithQueryString() {
+        return null;
+    }
+
+    public String[] getParameterValues(String p0) {
+        return null;
+    }
+
+    public WebApp getWebApp() {
+        return null;
+    }
+
+    public boolean checkIfModified(Calendar p0, StaplerResponse p1) {
+        return false;
+    }
+
+    public boolean checkIfModified(java.util.Date p0, StaplerResponse p1) {
+        return false;
+    }
+
+    public boolean checkIfModified(long p0, StaplerResponse p1) {
+        return false;
+    }
+
+    public boolean checkIfModified(long p0, StaplerResponse p1, long p2) {
+        return false;
+    }
+
+    public boolean hasParameter(String p0) {
+        return false;
+    }
+
+    public boolean isJavaScriptProxyCall() {
+        return false;
+    }
+
     public final List<AncestorImpl> ancestors = null;
     public final Stapler stapler = null;
     public final TokenList tokens = null;
+
     public void bindJSON(Object p0, JSONObject p1) {}
+
     public void bindParameters(Object p0) {}
+
     public void bindParameters(Object p0, String p1) {}
 }

java/ql/test/stubs/stapler-1.263/org/kohsuke/stapler/StaplerRequest.java

@@ -4,7 +4,6 @@ package org.kohsuke.stapler;
 
 import java.lang.reflect.Type;
 import java.util.Calendar;
-import java.util.Date;
 import java.util.List;
 import javax.servlet.RequestDispatcher;
 import javax.servlet.ServletContext;
@@ -53,7 +52,7 @@ public interface StaplerRequest extends HttpServletRequest
     StringBuffer getRequestURLWithQueryString();
     WebApp getWebApp();
     boolean checkIfModified(Calendar p0, StaplerResponse p1);
-    boolean checkIfModified(Date p0, StaplerResponse p1);
+    boolean checkIfModified(java.util.Date p0, StaplerResponse p1);
     boolean checkIfModified(long p0, StaplerResponse p1);
     boolean checkIfModified(long p0, StaplerResponse p1, long p2);
     boolean hasParameter(String p0);