Convert request forgery tests to inline expectations; add missing models revealed by this process.

This commit is contained in:
Chris Smowton
2021-06-09 17:56:38 +01:00
parent b66dcbe5b6
commit 8b080a94e7
10 changed files with 80 additions and 225 deletions


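--- a/PATH-NOT-SHOWN-ON-PAGE-1
+++ b/PATH-NOT-SHOWN-ON-PAGE-1
@@ -252,6 +252,8 @@ private predicate summaryModelCsv(string row) {
 "javax.xml.transform.stream;StreamSource;false;getInputStream;;;Argument[-1];ReturnValue;taint",
 "java.nio;ByteBuffer;false;get;;;Argument[-1];ReturnValue;taint",
 "java.net;URI;false;toURL;;;Argument[-1];ReturnValue;taint",
+"java.net;URI;false;toString;;;Argument[-1];ReturnValue;taint",
+"java.net;URI;false;toAsciiString;;;Argument[-1];ReturnValue;taint",
 "java.io;File;false;toURI;;;Argument[-1];ReturnValue;taint",
 "java.io;File;false;toPath;;;Argument[-1];ReturnValue;taint",
 "java.nio.file;Path;false;toFile;;;Argument[-1];ReturnValue;taint",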
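Review bot: The second added row, `"java.net;URI;false;toAsciiString;;;Argument[-1];ReturnValue;taint"`, names a method that does not exist on `java.net.URI`; the JDK spells it `toASCIIString`, and summary rows are matched on the exact method name, so this row never fires and taint is silently dropped through that call. Change the row to `"java.net;URI;false;toASCIIString;;;Argument[-1];ReturnValue;taint",`. An inline expectation in which `new URI(tainted).toASCIIString()` reaches a sink would have caught this and would guard against it regressing. The `summaryModelCsv` predicate continues outside the hunk.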


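--- a/PATH-NOT-SHOWN-ON-PAGE-2
+++ b/PATH-NOT-SHOWN-ON-PAGE-2
@@ -261,7 +261,10 @@ private class ApacheHttpFlowStep extends SummaryModelCsv {
 "org.apache.hc.core5.util;CharArrayBuffer;true;toString;();;Argument[-1];ReturnValue;taint",
 "org.apache.hc.core5.util;CharArrayBuffer;true;substring;(int,int);;Argument[-1];ReturnValue;taint",
 "org.apache.hc.core5.util;CharArrayBuffer;true;subSequence;(int,int);;Argument[-1];ReturnValue;taint",
-"org.apache.hc.core5.util;CharArrayBuffer;true;substringTrimmed;(int,int);;Argument[-1];ReturnValue;taint"
+"org.apache.hc.core5.util;CharArrayBuffer;true;substringTrimmed;(int,int);;Argument[-1];ReturnValue;taint",
+"org.apache.http.message;BasicRequestLine;false;BasicRequestLine;;;Argument[1];Argument[-1];taint",
+"org.apache.http;RequestLine;true;getUri;;;Argument[-1];ReturnValue;taint",
+"org.apache.http;RequestLine;true;toString;;;Argument[-1];ReturnValue;taint"
 ]
 }
 }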
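Review bot: The three added rows model only the HttpCore 4 `org.apache.http` request-line types, while the rows directly above them model the core5 `org.apache.hc.core5.util.CharArrayBuffer`; if the core5 `RequestLine` equivalent is within this library's scope, it presumably needs matching `getUri`/`toString` rows, otherwise a URI carried through it is not tracked. Separately, the `BasicRequestLine` constructor row leaves the signature empty (`;;`) where the neighbouring rows spell out `(int,int)`; writing it as `(String,String,ProtocolVersion)` would keep the style uniform and pin which parameter `Argument[1]` refers to. The `ApacheHttpFlowStep` class body starts before the hunk.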


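--- a/PATH-NOT-SHOWN-ON-PAGE-3
+++ b/PATH-NOT-SHOWN-ON-PAGE-3
@@ -53,11 +53,11 @@ private class UrlOpenSink extends SinkModelCsv {
 "org.springframework.http;RequestEntity;false;put;;;Argument[0];open-url",
 "org.springframework.http;RequestEntity;false;method;;;Argument[1];open-url",
 "org.springframework.http;RequestEntity;false;RequestEntity;(HttpMethod,URI);;Argument[1];open-url",
-"org.springframework.http;RequestEntity;false;RequestEntity;(MultiValueMap,HttpMethod,URI);;Argument[2];open-url",
+"org.springframework.http;RequestEntity;false;RequestEntity;(MultiValueMap<String,String>,HttpMethod,URI);;Argument[2];open-url",
 "org.springframework.http;RequestEntity;false;RequestEntity;(T,HttpMethod,URI);;Argument[2];open-url",
 "org.springframework.http;RequestEntity;false;RequestEntity;(T,HttpMethod,URI,Type);;Argument[2];open-url",
-"org.springframework.http;RequestEntity;false;RequestEntity;(T,MultiValueMap,HttpMethod,URI);;Argument[3];open-url",
-"org.springframework.http;RequestEntity;false;RequestEntity;(T,MultiValueMap,HttpMethod,URI,Type);;Argument[3];open-url"
+"org.springframework.http;RequestEntity;false;RequestEntity;(T,MultiValueMap<String,String>,HttpMethod,URI);;Argument[3];open-url",
+"org.springframework.http;RequestEntity;false;RequestEntity;(T,MultiValueMap<String,String>,HttpMethod,URI,Type);;Argument[3];open-url"
 ]
 }
 }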
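Review bot: The three rewritten rows now spell `MultiValueMap<String,String>` while every other row in the hunk writes plain type names, and nothing in the file says why; a later tidy-up could revert them to `MultiValueMap` and silently lose those three sinks again (the commit message suggests the rows were not matching before this change). Add a comment above the list, e.g. `// Signatures must match the parameterised type as CodeQL prints it (MultiValueMap<String,String>), not the raw type, or the row matches no constructor.` An inline-expectation test that calls one of these constructors with a tainted `URI` would make any such regression visible. The `UrlOpenSink` class body starts before the hunk.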


@@ -19,7 +19,7 @@ public class JaxWsSSRF extends HttpServlet {
throws ServletException, IOException { throws ServletException, IOException {
Client client = ClientBuilder.newClient(); Client client = ClientBuilder.newClient();
String url = request.getParameter("url"); String url = request.getParameter("url");
client.target(url); client.target(url); // $ SSRF
} }
} }
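Review bot: The only expectation, `client.target(url); // $ SSRF`, exercises the `String` overload of `Client.target`; JAX-RS also offers `target(URI)`, `target(UriBuilder)` and `target(Link)`, and nothing in this hunk shows whether the sink model covers them. Adding a second case such as `client.target(new URI(url)); // $ SSRF` (with the `URISyntaxException` handled, since the method only declares `ServletException` and `IOException`) would pin that coverage in the test instead of leaving it inferred. The method's signature starts before the hunk.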


@@ -1,149 +0,0 @@
edges
| JaxWsSSRF.java:21:22:21:48 | getParameter(...) : String | JaxWsSSRF.java:22:23:22:25 | url |
| RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:25:31:25:34 | sink : String |
| RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:55:32:55:35 | url1 |
| RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:58:32:58:35 | url1 |
| RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:59:30:59:33 | url1 |
| RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:63:65:63:68 | uri2 |
| RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:64:59:64:61 | uri |
| RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:67:43:67:45 | uri |
| RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:69:29:69:32 | uri2 |
| RequestForgery2.java:25:23:25:35 | new URI(...) : URI | RequestForgery2.java:64:59:64:61 | uri |
| RequestForgery2.java:25:23:25:35 | new URI(...) : URI | RequestForgery2.java:67:43:67:45 | uri |
| RequestForgery2.java:25:31:25:34 | sink : String | RequestForgery2.java:25:23:25:35 | new URI(...) : URI |
| RequestForgery.java:19:23:19:58 | new URI(...) : URI | RequestForgery.java:22:52:22:54 | uri |
| RequestForgery.java:19:31:19:57 | getParameter(...) : String | RequestForgery.java:19:23:19:58 | new URI(...) : URI |
| RequestForgery.java:19:31:19:57 | getParameter(...) : String | RequestForgery.java:22:52:22:54 | uri |
| RequestForgery.java:75:33:75:63 | getParameter(...) : String | RequestForgery.java:76:59:76:77 | new URI(...) |
| RequestForgery.java:75:33:75:63 | getParameter(...) : String | RequestForgery.java:76:67:76:76 | unsafeUri3 : String |
| RequestForgery.java:76:67:76:76 | unsafeUri3 : String | RequestForgery.java:76:59:76:77 | new URI(...) |
| RequestForgery.java:79:49:79:79 | getParameter(...) : String | RequestForgery.java:80:59:80:77 | new URI(...) |
| RequestForgery.java:79:49:79:79 | getParameter(...) : String | RequestForgery.java:80:67:80:76 | unsafeUri4 : String |
| RequestForgery.java:80:67:80:76 | unsafeUri4 : String | RequestForgery.java:80:59:80:77 | new URI(...) |
| RequestForgery.java:84:31:84:61 | getParameter(...) : String | RequestForgery.java:85:59:85:88 | new URI(...) |
| RequestForgery.java:84:31:84:61 | getParameter(...) : String | RequestForgery.java:85:67:85:87 | toString(...) : String |
| RequestForgery.java:85:67:85:87 | toString(...) : String | RequestForgery.java:85:59:85:88 | new URI(...) |
| RequestForgery.java:88:58:88:86 | getParameter(...) : String | RequestForgery.java:90:60:90:89 | new URI(...) |
| RequestForgery.java:88:58:88:86 | getParameter(...) : String | RequestForgery.java:90:68:90:88 | toString(...) : String |
| RequestForgery.java:90:68:90:88 | toString(...) : String | RequestForgery.java:90:60:90:89 | new URI(...) |
| RequestForgery.java:93:60:93:88 | getParameter(...) : String | RequestForgery.java:95:60:95:90 | new URI(...) |
| RequestForgery.java:93:60:93:88 | getParameter(...) : String | RequestForgery.java:95:68:95:89 | toString(...) : String |
| RequestForgery.java:95:68:95:89 | toString(...) : String | RequestForgery.java:95:60:95:90 | new URI(...) |
| RequestForgery.java:98:77:98:105 | getParameter(...) : String | RequestForgery.java:100:60:100:90 | new URI(...) |
| RequestForgery.java:98:77:98:105 | getParameter(...) : String | RequestForgery.java:100:68:100:89 | toString(...) : String |
| RequestForgery.java:100:68:100:89 | toString(...) : String | RequestForgery.java:100:60:100:90 | new URI(...) |
| RequestForgery.java:103:73:103:103 | getParameter(...) : String | RequestForgery.java:104:59:104:77 | new URI(...) |
| RequestForgery.java:103:73:103:103 | getParameter(...) : String | RequestForgery.java:104:67:104:76 | unsafeUri6 : String |
| RequestForgery.java:104:67:104:76 | unsafeUri6 : String | RequestForgery.java:104:59:104:77 | new URI(...) |
| RequestForgery.java:107:56:107:86 | getParameter(...) : String | RequestForgery.java:108:59:108:77 | new URI(...) |
| RequestForgery.java:107:56:107:86 | getParameter(...) : String | RequestForgery.java:108:67:108:76 | unsafeUri7 : String |
| RequestForgery.java:108:67:108:76 | unsafeUri7 : String | RequestForgery.java:108:59:108:77 | new URI(...) |
| RequestForgery.java:111:55:111:85 | getParameter(...) : String | RequestForgery.java:112:59:112:77 | new URI(...) |
| RequestForgery.java:111:55:111:85 | getParameter(...) : String | RequestForgery.java:112:67:112:76 | unsafeUri8 : String |
| RequestForgery.java:112:67:112:76 | unsafeUri8 : String | RequestForgery.java:112:59:112:77 | new URI(...) |
| RequestForgery.java:115:33:115:63 | getParameter(...) : String | RequestForgery.java:116:59:116:77 | new URI(...) |
| RequestForgery.java:115:33:115:63 | getParameter(...) : String | RequestForgery.java:116:67:116:76 | unsafeUri9 : String |
| RequestForgery.java:116:67:116:76 | unsafeUri9 : String | RequestForgery.java:116:59:116:77 | new URI(...) |
| SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:32:47:32:67 | ... + ... |
| SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:37:43:37:56 | fooResourceUrl |
| SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:41:42:41:55 | fooResourceUrl |
| SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:45:47:45:60 | fooResourceUrl |
| SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:50:40:50:62 | new URI(...) |
| SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:50:48:50:61 | fooResourceUrl : String |
| SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:54:59:54:72 | fooResourceUrl |
| SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:58:74:58:96 | new URI(...) |
| SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:58:82:58:95 | fooResourceUrl : String |
| SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:62:57:62:70 | fooResourceUrl |
| SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:66:48:66:61 | fooResourceUrl |
| SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:69:30:69:43 | fooResourceUrl |
| SpringSSRF.java:50:48:50:61 | fooResourceUrl : String | SpringSSRF.java:50:40:50:62 | new URI(...) |
| SpringSSRF.java:58:82:58:95 | fooResourceUrl : String | SpringSSRF.java:58:74:58:96 | new URI(...) |
nodes
| JaxWsSSRF.java:21:22:21:48 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JaxWsSSRF.java:22:23:22:25 | url | semmle.label | url |
| RequestForgery2.java:23:27:23:53 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| RequestForgery2.java:25:23:25:35 | new URI(...) : URI | semmle.label | new URI(...) : URI |
| RequestForgery2.java:25:31:25:34 | sink : String | semmle.label | sink : String |
| RequestForgery2.java:55:32:55:35 | url1 | semmle.label | url1 |
| RequestForgery2.java:58:32:58:35 | url1 | semmle.label | url1 |
| RequestForgery2.java:59:30:59:33 | url1 | semmle.label | url1 |
| RequestForgery2.java:63:65:63:68 | uri2 | semmle.label | uri2 |
| RequestForgery2.java:64:59:64:61 | uri | semmle.label | uri |
| RequestForgery2.java:67:43:67:45 | uri | semmle.label | uri |
| RequestForgery2.java:69:29:69:32 | uri2 | semmle.label | uri2 |
| RequestForgery.java:19:23:19:58 | new URI(...) : URI | semmle.label | new URI(...) : URI |
| RequestForgery.java:19:31:19:57 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| RequestForgery.java:22:52:22:54 | uri | semmle.label | uri |
| RequestForgery.java:75:33:75:63 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| RequestForgery.java:76:59:76:77 | new URI(...) | semmle.label | new URI(...) |
| RequestForgery.java:76:67:76:76 | unsafeUri3 : String | semmle.label | unsafeUri3 : String |
| RequestForgery.java:79:49:79:79 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| RequestForgery.java:80:59:80:77 | new URI(...) | semmle.label | new URI(...) |
| RequestForgery.java:80:67:80:76 | unsafeUri4 : String | semmle.label | unsafeUri4 : String |
| RequestForgery.java:84:31:84:61 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| RequestForgery.java:85:59:85:88 | new URI(...) | semmle.label | new URI(...) |
| RequestForgery.java:85:67:85:87 | toString(...) : String | semmle.label | toString(...) : String |
| RequestForgery.java:88:58:88:86 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| RequestForgery.java:90:60:90:89 | new URI(...) | semmle.label | new URI(...) |
| RequestForgery.java:90:68:90:88 | toString(...) : String | semmle.label | toString(...) : String |
| RequestForgery.java:93:60:93:88 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| RequestForgery.java:95:60:95:90 | new URI(...) | semmle.label | new URI(...) |
| RequestForgery.java:95:68:95:89 | toString(...) : String | semmle.label | toString(...) : String |
| RequestForgery.java:98:77:98:105 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| RequestForgery.java:100:60:100:90 | new URI(...) | semmle.label | new URI(...) |
| RequestForgery.java:100:68:100:89 | toString(...) : String | semmle.label | toString(...) : String |
| RequestForgery.java:103:73:103:103 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| RequestForgery.java:104:59:104:77 | new URI(...) | semmle.label | new URI(...) |
| RequestForgery.java:104:67:104:76 | unsafeUri6 : String | semmle.label | unsafeUri6 : String |
| RequestForgery.java:107:56:107:86 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| RequestForgery.java:108:59:108:77 | new URI(...) | semmle.label | new URI(...) |
| RequestForgery.java:108:67:108:76 | unsafeUri7 : String | semmle.label | unsafeUri7 : String |
| RequestForgery.java:111:55:111:85 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| RequestForgery.java:112:59:112:77 | new URI(...) | semmle.label | new URI(...) |
| RequestForgery.java:112:67:112:76 | unsafeUri8 : String | semmle.label | unsafeUri8 : String |
| RequestForgery.java:115:33:115:63 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| RequestForgery.java:116:59:116:77 | new URI(...) | semmle.label | new URI(...) |
| RequestForgery.java:116:67:116:76 | unsafeUri9 : String | semmle.label | unsafeUri9 : String |
| SpringSSRF.java:26:33:26:60 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| SpringSSRF.java:32:47:32:67 | ... + ... | semmle.label | ... + ... |
| SpringSSRF.java:37:43:37:56 | fooResourceUrl | semmle.label | fooResourceUrl |
| SpringSSRF.java:41:42:41:55 | fooResourceUrl | semmle.label | fooResourceUrl |
| SpringSSRF.java:45:47:45:60 | fooResourceUrl | semmle.label | fooResourceUrl |
| SpringSSRF.java:50:40:50:62 | new URI(...) | semmle.label | new URI(...) |
| SpringSSRF.java:50:48:50:61 | fooResourceUrl : String | semmle.label | fooResourceUrl : String |
| SpringSSRF.java:54:59:54:72 | fooResourceUrl | semmle.label | fooResourceUrl |
| SpringSSRF.java:58:74:58:96 | new URI(...) | semmle.label | new URI(...) |
| SpringSSRF.java:58:82:58:95 | fooResourceUrl : String | semmle.label | fooResourceUrl : String |
| SpringSSRF.java:62:57:62:70 | fooResourceUrl | semmle.label | fooResourceUrl |
| SpringSSRF.java:66:48:66:61 | fooResourceUrl | semmle.label | fooResourceUrl |
| SpringSSRF.java:69:30:69:43 | fooResourceUrl | semmle.label | fooResourceUrl |
#select
| JaxWsSSRF.java:22:23:22:25 | url | JaxWsSSRF.java:21:22:21:48 | getParameter(...) : String | JaxWsSSRF.java:22:23:22:25 | url | Potential server-side request forgery due to $@. | JaxWsSSRF.java:21:22:21:48 | getParameter(...) | a user-provided value |
| RequestForgery2.java:55:32:55:35 | url1 | RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:55:32:55:35 | url1 | Potential server-side request forgery due to $@. | RequestForgery2.java:23:27:23:53 | getParameter(...) | a user-provided value |
| RequestForgery2.java:58:32:58:35 | url1 | RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:58:32:58:35 | url1 | Potential server-side request forgery due to $@. | RequestForgery2.java:23:27:23:53 | getParameter(...) | a user-provided value |
| RequestForgery2.java:59:30:59:33 | url1 | RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:59:30:59:33 | url1 | Potential server-side request forgery due to $@. | RequestForgery2.java:23:27:23:53 | getParameter(...) | a user-provided value |
| RequestForgery2.java:63:65:63:68 | uri2 | RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:63:65:63:68 | uri2 | Potential server-side request forgery due to $@. | RequestForgery2.java:23:27:23:53 | getParameter(...) | a user-provided value |
| RequestForgery2.java:64:59:64:61 | uri | RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:64:59:64:61 | uri | Potential server-side request forgery due to $@. | RequestForgery2.java:23:27:23:53 | getParameter(...) | a user-provided value |
| RequestForgery2.java:67:43:67:45 | uri | RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:67:43:67:45 | uri | Potential server-side request forgery due to $@. | RequestForgery2.java:23:27:23:53 | getParameter(...) | a user-provided value |
| RequestForgery2.java:69:29:69:32 | uri2 | RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:69:29:69:32 | uri2 | Potential server-side request forgery due to $@. | RequestForgery2.java:23:27:23:53 | getParameter(...) | a user-provided value |
| RequestForgery.java:22:52:22:54 | uri | RequestForgery.java:19:31:19:57 | getParameter(...) : String | RequestForgery.java:22:52:22:54 | uri | Potential server-side request forgery due to $@. | RequestForgery.java:19:31:19:57 | getParameter(...) | a user-provided value |
| RequestForgery.java:76:59:76:77 | new URI(...) | RequestForgery.java:75:33:75:63 | getParameter(...) : String | RequestForgery.java:76:59:76:77 | new URI(...) | Potential server-side request forgery due to $@. | RequestForgery.java:75:33:75:63 | getParameter(...) | a user-provided value |
| RequestForgery.java:80:59:80:77 | new URI(...) | RequestForgery.java:79:49:79:79 | getParameter(...) : String | RequestForgery.java:80:59:80:77 | new URI(...) | Potential server-side request forgery due to $@. | RequestForgery.java:79:49:79:79 | getParameter(...) | a user-provided value |
| RequestForgery.java:85:59:85:88 | new URI(...) | RequestForgery.java:84:31:84:61 | getParameter(...) : String | RequestForgery.java:85:59:85:88 | new URI(...) | Potential server-side request forgery due to $@. | RequestForgery.java:84:31:84:61 | getParameter(...) | a user-provided value |
| RequestForgery.java:90:60:90:89 | new URI(...) | RequestForgery.java:88:58:88:86 | getParameter(...) : String | RequestForgery.java:90:60:90:89 | new URI(...) | Potential server-side request forgery due to $@. | RequestForgery.java:88:58:88:86 | getParameter(...) | a user-provided value |
| RequestForgery.java:95:60:95:90 | new URI(...) | RequestForgery.java:93:60:93:88 | getParameter(...) : String | RequestForgery.java:95:60:95:90 | new URI(...) | Potential server-side request forgery due to $@. | RequestForgery.java:93:60:93:88 | getParameter(...) | a user-provided value |
| RequestForgery.java:100:60:100:90 | new URI(...) | RequestForgery.java:98:77:98:105 | getParameter(...) : String | RequestForgery.java:100:60:100:90 | new URI(...) | Potential server-side request forgery due to $@. | RequestForgery.java:98:77:98:105 | getParameter(...) | a user-provided value |
| RequestForgery.java:104:59:104:77 | new URI(...) | RequestForgery.java:103:73:103:103 | getParameter(...) : String | RequestForgery.java:104:59:104:77 | new URI(...) | Potential server-side request forgery due to $@. | RequestForgery.java:103:73:103:103 | getParameter(...) | a user-provided value |
| RequestForgery.java:108:59:108:77 | new URI(...) | RequestForgery.java:107:56:107:86 | getParameter(...) : String | RequestForgery.java:108:59:108:77 | new URI(...) | Potential server-side request forgery due to $@. | RequestForgery.java:107:56:107:86 | getParameter(...) | a user-provided value |
| RequestForgery.java:112:59:112:77 | new URI(...) | RequestForgery.java:111:55:111:85 | getParameter(...) : String | RequestForgery.java:112:59:112:77 | new URI(...) | Potential server-side request forgery due to $@. | RequestForgery.java:111:55:111:85 | getParameter(...) | a user-provided value |
| RequestForgery.java:116:59:116:77 | new URI(...) | RequestForgery.java:115:33:115:63 | getParameter(...) : String | RequestForgery.java:116:59:116:77 | new URI(...) | Potential server-side request forgery due to $@. | RequestForgery.java:115:33:115:63 | getParameter(...) | a user-provided value |
| SpringSSRF.java:32:47:32:67 | ... + ... | SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:32:47:32:67 | ... + ... | Potential server-side request forgery due to $@. | SpringSSRF.java:26:33:26:60 | getParameter(...) | a user-provided value |
| SpringSSRF.java:37:43:37:56 | fooResourceUrl | SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:37:43:37:56 | fooResourceUrl | Potential server-side request forgery due to $@. | SpringSSRF.java:26:33:26:60 | getParameter(...) | a user-provided value |
| SpringSSRF.java:41:42:41:55 | fooResourceUrl | SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:41:42:41:55 | fooResourceUrl | Potential server-side request forgery due to $@. | SpringSSRF.java:26:33:26:60 | getParameter(...) | a user-provided value |
| SpringSSRF.java:45:47:45:60 | fooResourceUrl | SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:45:47:45:60 | fooResourceUrl | Potential server-side request forgery due to $@. | SpringSSRF.java:26:33:26:60 | getParameter(...) | a user-provided value |
| SpringSSRF.java:50:40:50:62 | new URI(...) | SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:50:40:50:62 | new URI(...) | Potential server-side request forgery due to $@. | SpringSSRF.java:26:33:26:60 | getParameter(...) | a user-provided value |
| SpringSSRF.java:54:59:54:72 | fooResourceUrl | SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:54:59:54:72 | fooResourceUrl | Potential server-side request forgery due to $@. | SpringSSRF.java:26:33:26:60 | getParameter(...) | a user-provided value |
| SpringSSRF.java:58:74:58:96 | new URI(...) | SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:58:74:58:96 | new URI(...) | Potential server-side request forgery due to $@. | SpringSSRF.java:26:33:26:60 | getParameter(...) | a user-provided value |
| SpringSSRF.java:62:57:62:70 | fooResourceUrl | SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:62:57:62:70 | fooResourceUrl | Potential server-side request forgery due to $@. | SpringSSRF.java:26:33:26:60 | getParameter(...) | a user-provided value |
| SpringSSRF.java:66:48:66:61 | fooResourceUrl | SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:66:48:66:61 | fooResourceUrl | Potential server-side request forgery due to $@. | SpringSSRF.java:26:33:26:60 | getParameter(...) | a user-provided value |
| SpringSSRF.java:69:30:69:43 | fooResourceUrl | SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:69:30:69:43 | fooResourceUrl | Potential server-side request forgery due to $@. | SpringSSRF.java:26:33:26:60 | getParameter(...) | a user-provided value |


@@ -19,7 +19,7 @@ public class RequestForgery extends HttpServlet {
URI uri = new URI(request.getParameter("uri")); URI uri = new URI(request.getParameter("uri"));
// BAD: a request parameter is incorporated without validation into a Http // BAD: a request parameter is incorporated without validation into a Http
// request // request
HttpRequest r = HttpRequest.newBuilder(uri).build(); HttpRequest r = HttpRequest.newBuilder(uri).build(); // $ SSRF
client.send(r, null); client.send(r, null);
// GOOD: sanitisation by concatenation with a prefix that prevents targeting an arbitrary host. // GOOD: sanitisation by concatenation with a prefix that prevents targeting an arbitrary host.
@@ -73,47 +73,47 @@ public class RequestForgery extends HttpServlet {
// BAD: cases where a string that would sanitise is used, but occurs in the wrong // BAD: cases where a string that would sanitise is used, but occurs in the wrong
// place to sanitise user input: // place to sanitise user input:
String unsafeUri3 = request.getParameter("baduri3") + "https://example.com/"; String unsafeUri3 = request.getParameter("baduri3") + "https://example.com/";
HttpRequest unsafer3 = HttpRequest.newBuilder(new URI(unsafeUri3)).build(); HttpRequest unsafer3 = HttpRequest.newBuilder(new URI(unsafeUri3)).build(); // $ SSRF
client.send(unsafer3, null); client.send(unsafer3, null);
String unsafeUri4 = ("someprefix" + request.getParameter("baduri4")) + "https://example.com/"; String unsafeUri4 = ("someprefix" + request.getParameter("baduri4")) + "https://example.com/";
HttpRequest unsafer4 = HttpRequest.newBuilder(new URI(unsafeUri4)).build(); HttpRequest unsafer4 = HttpRequest.newBuilder(new URI(unsafeUri4)).build(); // $ SSRF
client.send(unsafer4, null); client.send(unsafer4, null);
StringBuilder unsafeUri5 = new StringBuilder(); StringBuilder unsafeUri5 = new StringBuilder();
unsafeUri5.append(request.getParameter("baduri5")).append("https://example.com/"); unsafeUri5.append(request.getParameter("baduri5")).append("https://example.com/");
HttpRequest unsafer5 = HttpRequest.newBuilder(new URI(unsafeUri5.toString())).build(); HttpRequest unsafer5 = HttpRequest.newBuilder(new URI(unsafeUri5.toString())).build(); // $ SSRF
client.send(unsafer5, null); client.send(unsafer5, null);
StringBuilder unafeUri5a = new StringBuilder(request.getParameter("uri5a")); StringBuilder unafeUri5a = new StringBuilder(request.getParameter("uri5a"));
unafeUri5a.append("https://example.com/"); unafeUri5a.append("https://example.com/");
HttpRequest unsafer5a = HttpRequest.newBuilder(new URI(unafeUri5a.toString())).build(); HttpRequest unsafer5a = HttpRequest.newBuilder(new URI(unafeUri5a.toString())).build(); // $ SSRF
client.send(unsafer5a, null); client.send(unsafer5a, null);
StringBuilder unsafeUri5b = (new StringBuilder(request.getParameter("uri5b"))).append("dir/"); StringBuilder unsafeUri5b = (new StringBuilder(request.getParameter("uri5b"))).append("dir/");
unsafeUri5b.append("https://example.com/"); unsafeUri5b.append("https://example.com/");
HttpRequest unsafer5b = HttpRequest.newBuilder(new URI(unsafeUri5b.toString())).build(); HttpRequest unsafer5b = HttpRequest.newBuilder(new URI(unsafeUri5b.toString())).build(); // $ SSRF
client.send(unsafer5b, null); client.send(unsafer5b, null);
StringBuilder unsafeUri5c = (new StringBuilder("https")).append(request.getParameter("uri5c")); StringBuilder unsafeUri5c = (new StringBuilder("https")).append(request.getParameter("uri5c"));
unsafeUri5c.append("://example.com/dir/"); unsafeUri5c.append("://example.com/dir/");
HttpRequest unsafer5c = HttpRequest.newBuilder(new URI(unsafeUri5c.toString())).build(); HttpRequest unsafer5c = HttpRequest.newBuilder(new URI(unsafeUri5c.toString())).build(); // $ SSRF
client.send(unsafer5c, null); client.send(unsafer5c, null);
String unsafeUri6 = String.format("%shttps://example.com/", request.getParameter("baduri6")); String unsafeUri6 = String.format("%shttps://example.com/", request.getParameter("baduri6"));
HttpRequest unsafer6 = HttpRequest.newBuilder(new URI(unsafeUri6)).build(); HttpRequest unsafer6 = HttpRequest.newBuilder(new URI(unsafeUri6)).build(); // $ SSRF
client.send(unsafer6, null); client.send(unsafer6, null);
String unsafeUri7 = String.format("%s/%s", request.getParameter("baduri7"), "https://example.com"); String unsafeUri7 = String.format("%s/%s", request.getParameter("baduri7"), "https://example.com");
HttpRequest unsafer7 = HttpRequest.newBuilder(new URI(unsafeUri7)).build(); HttpRequest unsafer7 = HttpRequest.newBuilder(new URI(unsafeUri7)).build(); // $ SSRF
client.send(unsafer7, null); client.send(unsafer7, null);
String unsafeUri8 = String.format("%s%s", request.getParameter("baduri8"), "https://example.com/"); String unsafeUri8 = String.format("%s%s", request.getParameter("baduri8"), "https://example.com/");
HttpRequest unsafer8 = HttpRequest.newBuilder(new URI(unsafeUri8)).build(); HttpRequest unsafer8 = HttpRequest.newBuilder(new URI(unsafeUri8)).build(); // $ SSRF
client.send(unsafer8, null); client.send(unsafer8, null);
String unsafeUri9 = request.getParameter("baduri9") + "/" + String.format("http://%s", "myserver.com"); String unsafeUri9 = request.getParameter("baduri9") + "/" + String.format("http://%s", "myserver.com");
HttpRequest unsafer9 = HttpRequest.newBuilder(new URI(unsafeUri9)).build(); HttpRequest unsafer9 = HttpRequest.newBuilder(new URI(unsafeUri9)).build(); // $ SSRF
client.send(unsafer9, null); client.send(unsafer9, null);
} catch (Exception e) { } catch (Exception e) {
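Review bot: The `unafeUri5a` local, at the `new StringBuilder(request.getParameter("uri5a"))` line and the two lines after it, is a misspelling of the `unsafeUriN` naming every sibling case in this hunk uses, and the new expectations carry it forward; renaming it `unsafeUri5a` keeps the cases uniform and makes the `// $ SSRF` lines easier to grep against the model names. The new tags sit on the `HttpRequest.newBuilder(new URI(...))` lines, which is consistent with the sink locations the deleted expected file reported, so nothing else needs to move. The enclosing method starts before the first hunk and its `catch` block continues past the end of this one.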


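--- a/PATH-NOT-SHOWN-ON-PAGE-7
+++ /dev/null
@@ -1 +0,0 @@
-Security/CWE/CWE-918/RequestForgery.ql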


@@ -63,47 +63,47 @@ public class RequestForgery2 extends HttpServlet {
// URL(URL context, String spec, URLStreamHandler handler) // URL(URL context, String spec, URLStreamHandler handler)
URL url6 = new URL(url3, "spec", new Helper2()); URL url6 = new URL(url3, "spec", new Helper2());
URLConnection c1 = url1.openConnection(); URLConnection c1 = url1.openConnection(); // $ SSRF
SocketAddress sa = new SocketAddress() { SocketAddress sa = new SocketAddress() {
}; };
URLConnection c2 = url1.openConnection(new Proxy(Type.HTTP, sa)); URLConnection c2 = url1.openConnection(new Proxy(Type.HTTP, sa)); // $ SSRF
InputStream c3 = url1.openStream(); InputStream c3 = url1.openStream(); // $ SSRF
// java.net.http // java.net.http
HttpClient client = HttpClient.newHttpClient(); HttpClient client = HttpClient.newHttpClient();
HttpRequest request2 = HttpRequest.newBuilder().uri(uri2).build(); HttpRequest request2 = HttpRequest.newBuilder().uri(uri2).build(); // $ SSRF
HttpRequest request3 = HttpRequest.newBuilder(uri).build(); HttpRequest request3 = HttpRequest.newBuilder(uri).build(); // $ SSRF
// Apache HTTPlib // Apache HTTPlib
HttpGet httpGet = new HttpGet(uri); HttpGet httpGet = new HttpGet(uri); // $ SSRF
HttpGet httpGet2 = new HttpGet(); HttpGet httpGet2 = new HttpGet();
httpGet2.setURI(uri2); httpGet2.setURI(uri2); // $ SSRF
new HttpHead(uri); new HttpHead(uri); // $ SSRF
new HttpPost(uri); new HttpPost(uri); // $ SSRF
new HttpPut(uri); new HttpPut(uri); // $ SSRF
new HttpDelete(uri); new HttpDelete(uri); // $ SSRF
new HttpOptions(uri); new HttpOptions(uri); // $ SSRF
new HttpTrace(uri); new HttpTrace(uri); // $ SSRF
new HttpPatch(uri); new HttpPatch(uri); // $ SSRF
new BasicHttpRequest(new BasicRequestLine("GET", uri2.toString(), null)); new BasicHttpRequest(new BasicRequestLine("GET", uri2.toString(), null)); // $ SSRF
new BasicHttpRequest("GET", uri2.toString()); new BasicHttpRequest("GET", uri2.toString()); // $ SSRF
new BasicHttpRequest("GET", uri2.toString(), null); new BasicHttpRequest("GET", uri2.toString(), null); // $ SSRF
new BasicHttpEntityEnclosingRequest(new BasicRequestLine("GET", uri2.toString(), null)); new BasicHttpEntityEnclosingRequest(new BasicRequestLine("GET", uri2.toString(), null)); // $ SSRF
new BasicHttpEntityEnclosingRequest("GET", uri2.toString()); new BasicHttpEntityEnclosingRequest("GET", uri2.toString()); // $ SSRF
new BasicHttpEntityEnclosingRequest("GET", uri2.toString(), null); new BasicHttpEntityEnclosingRequest("GET", uri2.toString(), null); // $ SSRF
RequestBuilder.get(uri2); RequestBuilder.get(uri2); // $ SSRF
RequestBuilder.post(uri2); RequestBuilder.post(uri2); // $ SSRF
RequestBuilder.put(uri2); RequestBuilder.put(uri2); // $ SSRF
RequestBuilder.delete(uri2); RequestBuilder.delete(uri2); // $ SSRF
RequestBuilder.options(uri2); RequestBuilder.options(uri2); // $ SSRF
RequestBuilder.head(uri2); RequestBuilder.head(uri2); // $ SSRF
RequestBuilder.trace(uri2); RequestBuilder.trace(uri2); // $ SSRF
RequestBuilder.patch(uri2); RequestBuilder.patch(uri2); // $ SSRF
RequestBuilder.get("").setUri(uri2); RequestBuilder.get("").setUri(uri2); // $ SSRF
} catch (Exception e) { } catch (Exception e) {
// TODO: handle exception // TODO: handle exception
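Review bot: `URL url6 = new URL(url3, "spec", new Helper2());` near the top of the hunk carries no `// $ SSRF` expectation and `url6` is not used in any visible line, so it is unclear whether the three-argument constructor with a custom `URLStreamHandler` is meant as a deliberate negative case or only as a value for a later use. The origin of `url3` and the remainder of the method are outside this view (the hunk header counts 47 lines but fewer are shown, and the method continues past the `catch`), so I cannot tell which reading is intended. A one-line comment such as `// url6 intentionally unused: the handler constructor is not itself a sink`, or a use of `url6` with an expectation, would pin that down for whoever next checks expectation coverage. The rest of the inline expectations line up one-to-one with the request-issuing calls and read clearly.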


@@ -30,69 +30,69 @@ public class SpringSSRF extends HttpServlet {
try { try {
{ {
ResponseEntity<String> response = ResponseEntity<String> response =
restTemplate.getForEntity(fooResourceUrl + "/1", String.class); restTemplate.getForEntity(fooResourceUrl + "/1", String.class); // $ SSRF
} }
{ {
ResponseEntity<String> response = ResponseEntity<String> response =
restTemplate.exchange(fooResourceUrl, HttpMethod.POST, request, String.class); restTemplate.exchange(fooResourceUrl, HttpMethod.POST, request, String.class); // $ SSRF
} }
{ {
ResponseEntity<String> response = ResponseEntity<String> response =
restTemplate.execute(fooResourceUrl, HttpMethod.POST, null, null, "test"); restTemplate.execute(fooResourceUrl, HttpMethod.POST, null, null, "test"); // $ SSRF
} }
{ {
String response = String response =
restTemplate.getForObject(fooResourceUrl, String.class, "test"); restTemplate.getForObject(fooResourceUrl, String.class, "test"); // $ SSRF
} }
{ {
String body = new String("body"); String body = new String("body");
URI uri = new URI(fooResourceUrl); URI uri = new URI(fooResourceUrl);
RequestEntity<String> requestEntity = RequestEntity<String> requestEntity =
RequestEntity.post(uri).body(body); RequestEntity.post(uri).body(body); // $ SSRF
ResponseEntity<String> response = restTemplate.exchange(requestEntity, String.class); ResponseEntity<String> response = restTemplate.exchange(requestEntity, String.class);
RequestEntity.get(uri); RequestEntity.get(uri); // $ SSRF
RequestEntity.put(uri); RequestEntity.put(uri); // $ SSRF
RequestEntity.delete(uri); RequestEntity.delete(uri); // $ SSRF
RequestEntity.options(uri); RequestEntity.options(uri); // $ SSRF
RequestEntity.patch(uri); RequestEntity.patch(uri); // $ SSRF
RequestEntity.head(uri); RequestEntity.head(uri); // $ SSRF
RequestEntity.method(null, uri); RequestEntity.method(null, uri); // $ SSRF
} }
{ {
String response = restTemplate.patchForObject(fooResourceUrl, new String("object"), String response = restTemplate.patchForObject(fooResourceUrl, new String("object"), // $ SSRF
String.class, "hi"); String.class, "hi");
} }
{ {
ResponseEntity<String> response = restTemplate.postForEntity(new URI(fooResourceUrl), ResponseEntity<String> response = restTemplate.postForEntity(new URI(fooResourceUrl), // $ SSRF
new String("object"), String.class); new String("object"), String.class);
} }
{ {
URI response = restTemplate.postForLocation(fooResourceUrl, new String("object")); URI response = restTemplate.postForLocation(fooResourceUrl, new String("object")); // $ SSRF
} }
{ {
String response = String response =
restTemplate.postForObject(fooResourceUrl, new String("object"), String.class); restTemplate.postForObject(fooResourceUrl, new String("object"), String.class); // $ SSRF
} }
{ {
restTemplate.put(fooResourceUrl, new String("object")); restTemplate.put(fooResourceUrl, new String("object")); // $ SSRF
} }
{ {
URI uri = new URI(fooResourceUrl); URI uri = new URI(fooResourceUrl);
MultiValueMap<String, String> headers = null; MultiValueMap<String, String> headers = null;
java.lang.reflect.Type type = null; java.lang.reflect.Type type = null;
new RequestEntity<String>(null, uri); new RequestEntity<String>(null, uri); // $ SSRF
new RequestEntity<String>(headers, null, uri); new RequestEntity<String>(headers, null, uri); // $ SSRF
new RequestEntity<String>("body", null, uri); new RequestEntity<String>("body", null, uri); // $ SSRF
new RequestEntity<String>("body", headers, null, uri); new RequestEntity<String>("body", headers, null, uri); // $ SSRF
new RequestEntity<String>("body", null, uri, type); new RequestEntity<String>("body", null, uri, type); // $ SSRF
new RequestEntity<String>("body", headers, null, uri, type); new RequestEntity<String>("body", headers, null, uri, type); // $ SSRF
} }
{ {
URI uri = new URI(fooResourceUrl); URI uri = new URI(fooResourceUrl);
restTemplate.delete(uri); restTemplate.delete(uri); // $ SSRF
restTemplate.headForHeaders(uri); restTemplate.headForHeaders(uri); // $ SSRF
restTemplate.optionsForAllow(uri); restTemplate.optionsForAllow(uri); // $ SSRF
} }
} catch (org.springframework.web.client.RestClientException | java.net.URISyntaxException e) {} } catch (org.springframework.web.client.RestClientException | java.net.URISyntaxException e) {}
} }
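Review bot: `ResponseEntity<String> response = restTemplate.exchange(requestEntity, String.class);` is the one request-issuing call in this hunk that carries no `// $ SSRF` expectation, while the `RequestEntity.post(uri).body(body)` line directly above it is flagged. That looks like the sink being modelled on the `RequestEntity` factory rather than on `exchange(RequestEntity, Class)`, but nothing in the hunk states it, and a reader auditing expectation coverage will stop on that line. A short comment on it, `// not a sink: the tainted URI is already reported at RequestEntity.post above`, would make the omission read as deliberate rather than as a gap. The hunk header counts 69 lines and one fewer appears here, so the section may be slightly truncated in this view.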


@@ -43,7 +43,7 @@ import org.apache.http.RequestLine;
* @author <a href="mailto:oleg at ural.ru">Oleg Kalnichevski</a> * @author <a href="mailto:oleg at ural.ru">Oleg Kalnichevski</a>
* *
* @version $Revision: 618017 $ * @version $Revision: 618017 $
* *
* @since 4.0 * @since 4.0
* *
* @deprecated Please use {@link java.net.URL#openConnection} instead. Please * @deprecated Please use {@link java.net.URL#openConnection} instead. Please
@@ -54,15 +54,15 @@ import org.apache.http.RequestLine;
@Deprecated @Deprecated
public class BasicHttpEntityEnclosingRequest extends BasicHttpRequest implements HttpEntityEnclosingRequest { public class BasicHttpEntityEnclosingRequest extends BasicHttpRequest implements HttpEntityEnclosingRequest {
public BasicHttpEntityEnclosingRequest(final String method, final String uri) { public BasicHttpEntityEnclosingRequest(final String method, final String uri) {
super(method, uri); super(null);
} }
public BasicHttpEntityEnclosingRequest(final String method, final String uri, final ProtocolVersion ver) { public BasicHttpEntityEnclosingRequest(final String method, final String uri, final ProtocolVersion ver) {
super(method, uri, ver); super(null);
} }
public BasicHttpEntityEnclosingRequest(final RequestLine requestline) { public BasicHttpEntityEnclosingRequest(final RequestLine requestline) {
super(requestline); super(null);
} }
public HttpEntity getEntity() { public HttpEntity getEntity() {