hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-23 10:23:41 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #5408 from p0wn4j/urlclassloader-webclient-ssrf-sinks

Browse Source 
Java: Add URLClassLoader, WebClient SSRF sinks
This commit is contained in:
Chris Smowton
2021-07-01 16:14:22 +01:00
committed by GitHub
parent 05842dcdb3 e0a7f6e14f
commit 8b7db8a8cc
9 changed files with 296 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
View File

@@ -218,6 +218,12 @@ private predicate sinkModelCsv(string row) {
"java.net;URL;false;openStream;;;Argument[-1];open-url",
"java.net.http;HttpRequest;false;newBuilder;;;Argument[0];open-url",
"java.net.http;HttpRequest$Builder;false;uri;;;Argument[0];open-url",
"java.net;URLClassLoader;false;URLClassLoader;(URL[]);;Argument[0];open-url",
"java.net;URLClassLoader;false;URLClassLoader;(URL[],ClassLoader);;Argument[0];open-url",
"java.net;URLClassLoader;false;URLClassLoader;(URL[],ClassLoader,URLStreamHandlerFactory);;Argument[0];open-url",
"java.net;URLClassLoader;false;URLClassLoader;(String,URL[],ClassLoader);;Argument[1];open-url",
"java.net;URLClassLoader;false;URLClassLoader;(String,URL[],ClassLoader,URLStreamHandlerFactory);;Argument[1];open-url",
"java.net;URLClassLoader;false;newInstance;;;Argument[0];open-url",
// Create file
"java.io;FileOutputStream;false;FileOutputStream;;;Argument[0];create-file",
"java.io;RandomAccessFile;false;RandomAccessFile;;;Argument[0];create-file",

4
java/ql/src/semmle/code/java/frameworks/spring/SpringWebClient.qll
View File

@@ -45,7 +45,9 @@ private class UrlOpenSink extends SinkModelCsv {
"org.springframework.web.client;RestTemplate;false;postForEntity;;;Argument[0];open-url",
"org.springframework.web.client;RestTemplate;false;postForLocation;;;Argument[0];open-url",
"org.springframework.web.client;RestTemplate;false;postForObject;;;Argument[0];open-url",
"org.springframework.web.client;RestTemplate;false;put;;;Argument[0];open-url"
"org.springframework.web.client;RestTemplate;false;put;;;Argument[0];open-url",
"org.springframework.web.reactive.function.client;WebClient;false;create;;;Argument[0];open-url",
"org.springframework.web.reactive.function.client;WebClient$Builder;false;baseUrl;;;Argument[0];open-url"
]
}
}