Merge pull request #8357 from p0wn4j/jdbc-url-ssrf-sink

Java: Add JDBC connection SSRF sinks

java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll

@@ -131,6 +131,8 @@ private module Frameworks {
   private import semmle.code.java.security.XPath
   private import semmle.code.java.security.XsltInjection
   private import semmle.code.java.frameworks.Jdbc
+  private import semmle.code.java.frameworks.Jdbi
+  private import semmle.code.java.frameworks.HikariCP
   private import semmle.code.java.frameworks.SpringJdbc
   private import semmle.code.java.frameworks.MyBatis
   private import semmle.code.java.frameworks.Hibernate

java/ql/lib/semmle/code/java/frameworks/HikariCP.qll

@@ -0,0 +1,17 @@
+/**
+ * Definitions of sinks in the Hikari Connection Pool library.
+ */
+
+import java
+import semmle.code.java.dataflow.ExternalFlow
+
+private class SsrfSinkCsv extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        //"package;type;overrides;name;signature;ext;spec;kind"
+        "com.zaxxer.hikari;HikariConfig;false;HikariConfig;(Properties);;Argument[0];jdbc-url",
+        "com.zaxxer.hikari;HikariConfig;false;setJdbcUrl;(String);;Argument[0];jdbc-url"
+      ]
+  }
+}

java/ql/lib/semmle/code/java/frameworks/Jdbc.qll

@@ -52,3 +52,16 @@ private class SqlSinkCsv extends SinkModelCsv {
       ]
   }
 }
+
+private class SsrfSinkCsv extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        //"package;type;overrides;name;signature;ext;spec;kind"
+        "java.sql;DriverManager;false;getConnection;(String);;Argument[0];jdbc-url",
+        "java.sql;DriverManager;false;getConnection;(String,Properties);;Argument[0];jdbc-url",
+        "java.sql;DriverManager;false;getConnection;(String,String,String);;Argument[0];jdbc-url",
+        "java.sql;Driver;false;connect;(String,Properties);;Argument[0];jdbc-url"
+      ]
+  }
+}

java/ql/lib/semmle/code/java/frameworks/Jdbi.qll

@@ -0,0 +1,21 @@
+/**
+ * Definitions of sinks in the JDBI library.
+ */
+
+import java
+import semmle.code.java.dataflow.ExternalFlow
+
+private class SsrfSinkCsv extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        //"package;type;overrides;name;signature;ext;spec;kind"
+        "org.jdbi.v3.core;Jdbi;false;create;(String);;Argument[0];jdbc-url",
+        "org.jdbi.v3.core;Jdbi;false;create;(String,Properties);;Argument[0];jdbc-url",
+        "org.jdbi.v3.core;Jdbi;false;create;(String,String,String);;Argument[0];jdbc-url",
+        "org.jdbi.v3.core;Jdbi;false;open;(String);;Argument[0];jdbc-url",
+        "org.jdbi.v3.core;Jdbi;false;open;(String,Properties);;Argument[0];jdbc-url",
+        "org.jdbi.v3.core;Jdbi;false;open;(String,String,String);;Argument[0];jdbc-url"
+      ]
+  }
+}

java/ql/lib/semmle/code/java/frameworks/SpringJdbc.qll

@@ -37,3 +37,17 @@ private class SqlSinkCsv extends SinkModelCsv {
       ]
   }
 }
+
+private class SsrfSinkCsv extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        //"package;type;overrides;name;signature;ext;spec;kind"
+        "org.springframework.boot.jdbc;DataSourceBuilder;false;url;(String);;Argument[0];jdbc-url",
+        "org.springframework.jdbc.datasource;AbstractDriverBasedDataSource;false;setUrl;(String);;Argument[0];jdbc-url",
+        "org.springframework.jdbc.datasource;DriverManagerDataSource;false;DriverManagerDataSource;(String);;Argument[0];jdbc-url",
+        "org.springframework.jdbc.datasource;DriverManagerDataSource;false;DriverManagerDataSource;(String,String,String);;Argument[0];jdbc-url",
+        "org.springframework.jdbc.datasource;DriverManagerDataSource;false;DriverManagerDataSource;(String,Properties);;Argument[0];jdbc-url"
+      ]
+  }
+}

java/ql/lib/semmle/code/java/security/RequestForgery.qll

@@ -7,6 +7,7 @@ import semmle.code.java.frameworks.spring.Spring
 import semmle.code.java.frameworks.JaxWS
 import semmle.code.java.frameworks.javase.Http
 import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.frameworks.Properties
 private import semmle.code.java.dataflow.StringPrefixes
 private import semmle.code.java.dataflow.ExternalFlow
 
@@ -33,6 +34,20 @@ private class DefaultRequestForgeryAdditionalTaintStep extends RequestForgeryAdd
   }
 }
 
+private class TypePropertiesRequestForgeryAdditionalTaintStep extends RequestForgeryAdditionalTaintStep {
+  override predicate propagatesTaint(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(MethodAccess ma |
+      // Properties props = new Properties();
+      // props.setProperty("jdbcUrl", tainted);
+      // Propagate tainted value to the qualifier `props`
+      ma.getMethod() instanceof PropertiesSetPropertyMethod and
+      ma.getArgument(0).(CompileTimeConstantExpr).getStringValue() = "jdbcUrl" and
+      pred.asExpr() = ma.getArgument(1) and
+      succ.asExpr() = ma.getQualifier()
+    )
+  }
+}
+
 /** A data flow sink for server-side request forgery (SSRF) vulnerabilities. */
 abstract class RequestForgerySink extends DataFlow::Node { }
 
@@ -40,6 +55,10 @@ private class UrlOpenSinkAsRequestForgerySink extends RequestForgerySink {
   UrlOpenSinkAsRequestForgerySink() { sinkNode(this, "open-url") }
 }
 
+private class JdbcUrlSinkAsRequestForgerySink extends RequestForgerySink {
+  JdbcUrlSinkAsRequestForgerySink() { sinkNode(this, "jdbc-url") }
+}
+
 /** A sanitizer for request forgery vulnerabilities. */
 abstract class RequestForgerySanitizer extends DataFlow::Node { }