Java: convert RequestForgery test to .qlref

This commit is contained in:
Nora Dimitrijević
2025-06-24 11:28:40 +02:00
parent 7f05b72e10
commit aac4f63e9a
14 changed files with 2200 additions and 390 deletions


@@ -24,38 +24,38 @@ public class ApacheHttpSSRF extends HttpServlet {
throws ServletException, IOException {
try {
String sink = request.getParameter("uri");
String sink = request.getParameter("uri"); // $ Source
URI uri = new URI(sink);
HttpGet httpGet = new HttpGet(uri); // $ SSRF
HttpGet httpGet = new HttpGet(uri); // $ Alert
HttpGet httpGet2 = new HttpGet();
httpGet2.setURI(uri); // $ SSRF
httpGet2.setURI(uri); // $ Alert
new HttpHead(uri); // $ SSRF
new HttpPost(uri); // $ SSRF
new HttpPut(uri); // $ SSRF
new HttpDelete(uri); // $ SSRF
new HttpOptions(uri); // $ SSRF
new HttpTrace(uri); // $ SSRF
new HttpPatch(uri); // $ SSRF
new HttpHead(uri); // $ Alert
new HttpPost(uri); // $ Alert
new HttpPut(uri); // $ Alert
new HttpDelete(uri); // $ Alert
new HttpOptions(uri); // $ Alert
new HttpTrace(uri); // $ Alert
new HttpPatch(uri); // $ Alert
new BasicHttpRequest(new BasicRequestLine("GET", uri.toString(), null)); // $ SSRF
new BasicHttpRequest("GET", uri.toString()); // $ SSRF
new BasicHttpRequest("GET", uri.toString(), null); // $ SSRF
new BasicHttpRequest(new BasicRequestLine("GET", uri.toString(), null)); // $ Alert
new BasicHttpRequest("GET", uri.toString()); // $ Alert
new BasicHttpRequest("GET", uri.toString(), null); // $ Alert
new BasicHttpEntityEnclosingRequest(new BasicRequestLine("GET", uri.toString(), null)); // $ SSRF
new BasicHttpEntityEnclosingRequest("GET", uri.toString()); // $ SSRF
new BasicHttpEntityEnclosingRequest("GET", uri.toString(), null); // $ SSRF
new BasicHttpEntityEnclosingRequest(new BasicRequestLine("GET", uri.toString(), null)); // $ Alert
new BasicHttpEntityEnclosingRequest("GET", uri.toString()); // $ Alert
new BasicHttpEntityEnclosingRequest("GET", uri.toString(), null); // $ Alert
RequestBuilder.get(uri); // $ SSRF
RequestBuilder.post(uri); // $ SSRF
RequestBuilder.put(uri); // $ SSRF
RequestBuilder.delete(uri); // $ SSRF
RequestBuilder.options(uri); // $ SSRF
RequestBuilder.head(uri); // $ SSRF
RequestBuilder.trace(uri); // $ SSRF
RequestBuilder.patch(uri); // $ SSRF
RequestBuilder.get("").setUri(uri); // $ SSRF
RequestBuilder.get(uri); // $ Alert
RequestBuilder.post(uri); // $ Alert
RequestBuilder.put(uri); // $ Alert
RequestBuilder.delete(uri); // $ Alert
RequestBuilder.options(uri); // $ Alert
RequestBuilder.head(uri); // $ Alert
RequestBuilder.trace(uri); // $ Alert
RequestBuilder.patch(uri); // $ Alert
RequestBuilder.get("").setUri(uri); // $ Alert
} catch (Exception e) {
// TODO: handle exception
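Review bot: The variable that now carries the `// $ Source` tag is still named `sink` (`String sink = request.getParameter("uri"); // $ Source`), so the identifier says the opposite of what the expectation says, which will mislead the next person extending this fixture. Renaming it makes the test self-describing: `String untrustedUri = request.getParameter("uri"); // $ Source` followed by `URI uri = new URI(untrustedUri);`. The enclosing servlet method starts before this hunk, so any other use of `sink` in the unseen part of the method would need the same rename. The `catch (Exception e) { // TODO: handle exception` that closes the hunk is unchanged context and is fine for a test fixture.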


@@ -38,134 +38,134 @@ public class ApacheHttpSSRFVersion5 extends HttpServlet {
throws ServletException, IOException {
try {
String uriSink = request.getParameter("uri");
String uriSink = request.getParameter("uri"); // $ Source
URI uri = new URI(uriSink);
String hostSink = request.getParameter("host");
String hostSink = request.getParameter("host"); // $ Source
HttpHost host = new HttpHost(hostSink);
// org.apache.hc.client5.http.async.methods.BasicHttpRequests
BasicHttpRequests.create(Method.CONNECT, host, "path"); // $ SSRF
BasicHttpRequests.create(Method.CONNECT, uri.toString()); // $ SSRF
BasicHttpRequests.create(Method.CONNECT, uri); // $ SSRF
BasicHttpRequests.create("method", uri.toString()); // $ SSRF
BasicHttpRequests.create("method", uri); // $ SSRF
BasicHttpRequests.create(Method.CONNECT, host, "path"); // $ Alert
BasicHttpRequests.create(Method.CONNECT, uri.toString()); // $ Alert
BasicHttpRequests.create(Method.CONNECT, uri); // $ Alert
BasicHttpRequests.create("method", uri.toString()); // $ Alert
BasicHttpRequests.create("method", uri); // $ Alert
BasicHttpRequests.delete(host, "path"); // $ SSRF
BasicHttpRequests.delete(uri.toString()); // $ SSRF
BasicHttpRequests.delete(uri); // $ SSRF
BasicHttpRequests.delete(host, "path"); // $ Alert
BasicHttpRequests.delete(uri.toString()); // $ Alert
BasicHttpRequests.delete(uri); // $ Alert
BasicHttpRequests.get(host, "path"); // $ SSRF
BasicHttpRequests.get(uri.toString()); // $ SSRF
BasicHttpRequests.get(uri); // $ SSRF
BasicHttpRequests.get(host, "path"); // $ Alert
BasicHttpRequests.get(uri.toString()); // $ Alert
BasicHttpRequests.get(uri); // $ Alert
BasicHttpRequests.head(host, "path"); // $ SSRF
BasicHttpRequests.head(uri.toString()); // $ SSRF
BasicHttpRequests.head(uri); // $ SSRF
BasicHttpRequests.head(host, "path"); // $ Alert
BasicHttpRequests.head(uri.toString()); // $ Alert
BasicHttpRequests.head(uri); // $ Alert
BasicHttpRequests.options(host, "path"); // $ SSRF
BasicHttpRequests.options(uri.toString()); // $ SSRF
BasicHttpRequests.options(uri); // $ SSRF
BasicHttpRequests.options(host, "path"); // $ Alert
BasicHttpRequests.options(uri.toString()); // $ Alert
BasicHttpRequests.options(uri); // $ Alert
BasicHttpRequests.patch(host, "path"); // $ SSRF
BasicHttpRequests.patch(uri.toString()); // $ SSRF
BasicHttpRequests.patch(uri); // $ SSRF
BasicHttpRequests.patch(host, "path"); // $ Alert
BasicHttpRequests.patch(uri.toString()); // $ Alert
BasicHttpRequests.patch(uri); // $ Alert
BasicHttpRequests.post(host, "path"); // $ SSRF
BasicHttpRequests.post(uri.toString()); // $ SSRF
BasicHttpRequests.post(uri); // $ SSRF
BasicHttpRequests.post(host, "path"); // $ Alert
BasicHttpRequests.post(uri.toString()); // $ Alert
BasicHttpRequests.post(uri); // $ Alert
BasicHttpRequests.put(host, "path"); // $ SSRF
BasicHttpRequests.put(uri.toString()); // $ SSRF
BasicHttpRequests.put(uri); // $ SSRF
BasicHttpRequests.put(host, "path"); // $ Alert
BasicHttpRequests.put(uri.toString()); // $ Alert
BasicHttpRequests.put(uri); // $ Alert
BasicHttpRequests.trace(host, "path"); // $ SSRF
BasicHttpRequests.trace(uri.toString()); // $ SSRF
BasicHttpRequests.trace(uri); // $ SSRF
BasicHttpRequests.trace(host, "path"); // $ Alert
BasicHttpRequests.trace(uri.toString()); // $ Alert
BasicHttpRequests.trace(uri); // $ Alert
// org.apache.hc.client5.http.async.methods.ConfigurableHttpRequest
new ConfigurableHttpRequest("method", host, "path"); // $ SSRF
new ConfigurableHttpRequest("method", uri); // $ SSRF
new ConfigurableHttpRequest("method", host, "path"); // $ Alert
new ConfigurableHttpRequest("method", uri); // $ Alert
// org.apache.hc.client5.http.async.methods.SimpleHttpRequest
new SimpleHttpRequest(Method.CONNECT, host, "path"); // $ SSRF
new SimpleHttpRequest(Method.CONNECT, uri); // $ SSRF
new SimpleHttpRequest("method", host, "path"); // $ SSRF
new SimpleHttpRequest("method", uri); // $ SSRF
new SimpleHttpRequest(Method.CONNECT, host, "path"); // $ Alert
new SimpleHttpRequest(Method.CONNECT, uri); // $ Alert
new SimpleHttpRequest("method", host, "path"); // $ Alert
new SimpleHttpRequest("method", uri); // $ Alert
SimpleHttpRequest.create(Method.CONNECT, host, "path"); // $ SSRF
SimpleHttpRequest.create(Method.CONNECT, uri); // $ SSRF
SimpleHttpRequest.create("method", uri.toString()); // $ SSRF
SimpleHttpRequest.create("method", uri); // $ SSRF
SimpleHttpRequest.create(Method.CONNECT, host, "path"); // $ Alert
SimpleHttpRequest.create(Method.CONNECT, uri); // $ Alert
SimpleHttpRequest.create("method", uri.toString()); // $ Alert
SimpleHttpRequest.create("method", uri); // $ Alert
// org.apache.hc.client5.http.async.methods.SimpleHttpRequests
SimpleHttpRequests.create(Method.CONNECT, host, "path"); // $ SSRF
SimpleHttpRequests.create(Method.CONNECT, uri.toString()); // $ SSRF
SimpleHttpRequests.create(Method.CONNECT, uri); // $ SSRF
SimpleHttpRequests.create("method", uri.toString()); // $ SSRF
SimpleHttpRequests.create("method", uri); // $ SSRF
SimpleHttpRequests.create(Method.CONNECT, host, "path"); // $ Alert
SimpleHttpRequests.create(Method.CONNECT, uri.toString()); // $ Alert
SimpleHttpRequests.create(Method.CONNECT, uri); // $ Alert
SimpleHttpRequests.create("method", uri.toString()); // $ Alert
SimpleHttpRequests.create("method", uri); // $ Alert
SimpleHttpRequests.delete(host, "path"); // $ SSRF
SimpleHttpRequests.delete(uri.toString()); // $ SSRF
SimpleHttpRequests.delete(uri); // $ SSRF
SimpleHttpRequests.delete(host, "path"); // $ Alert
SimpleHttpRequests.delete(uri.toString()); // $ Alert
SimpleHttpRequests.delete(uri); // $ Alert
SimpleHttpRequests.get(host, "path"); // $ SSRF
SimpleHttpRequests.get(uri.toString()); // $ SSRF
SimpleHttpRequests.get(uri); // $ SSRF
SimpleHttpRequests.get(host, "path"); // $ Alert
SimpleHttpRequests.get(uri.toString()); // $ Alert
SimpleHttpRequests.get(uri); // $ Alert
SimpleHttpRequests.head(host, "path"); // $ SSRF
SimpleHttpRequests.head(uri.toString()); // $ SSRF
SimpleHttpRequests.head(uri); // $ SSRF
SimpleHttpRequests.head(host, "path"); // $ Alert
SimpleHttpRequests.head(uri.toString()); // $ Alert
SimpleHttpRequests.head(uri); // $ Alert
SimpleHttpRequests.options(host, "path"); // $ SSRF
SimpleHttpRequests.options(uri.toString()); // $ SSRF
SimpleHttpRequests.options(uri); // $ SSRF
SimpleHttpRequests.options(host, "path"); // $ Alert
SimpleHttpRequests.options(uri.toString()); // $ Alert
SimpleHttpRequests.options(uri); // $ Alert
SimpleHttpRequests.patch(host, "path"); // $ SSRF
SimpleHttpRequests.patch(uri.toString()); // $ SSRF
SimpleHttpRequests.patch(uri); // $ SSRF
SimpleHttpRequests.patch(host, "path"); // $ Alert
SimpleHttpRequests.patch(uri.toString()); // $ Alert
SimpleHttpRequests.patch(uri); // $ Alert
SimpleHttpRequests.post(host, "path"); // $ SSRF
SimpleHttpRequests.post(uri.toString()); // $ SSRF
SimpleHttpRequests.post(uri); // $ SSRF
SimpleHttpRequests.post(host, "path"); // $ Alert
SimpleHttpRequests.post(uri.toString()); // $ Alert
SimpleHttpRequests.post(uri); // $ Alert
SimpleHttpRequests.put(host, "path"); // $ SSRF
SimpleHttpRequests.put(uri.toString()); // $ SSRF
SimpleHttpRequests.put(uri); // $ SSRF
SimpleHttpRequests.put(host, "path"); // $ Alert
SimpleHttpRequests.put(uri.toString()); // $ Alert
SimpleHttpRequests.put(uri); // $ Alert
SimpleHttpRequests.trace(host, "path"); // $ SSRF
SimpleHttpRequests.trace(uri.toString()); // $ SSRF
SimpleHttpRequests.trace(uri); // $ SSRF
SimpleHttpRequests.trace(host, "path"); // $ Alert
SimpleHttpRequests.trace(uri.toString()); // $ Alert
SimpleHttpRequests.trace(uri); // $ Alert
// org.apache.hc.client5.http.async.methods.SimpleRequestBuilder
SimpleRequestBuilder.delete(uri.toString()); // $ SSRF
SimpleRequestBuilder.delete(uri); // $ SSRF
SimpleRequestBuilder.delete(uri.toString()); // $ Alert
SimpleRequestBuilder.delete(uri); // $ Alert
SimpleRequestBuilder.get(uri.toString()); // $ SSRF
SimpleRequestBuilder.get(uri); // $ SSRF
SimpleRequestBuilder.get(uri.toString()); // $ Alert
SimpleRequestBuilder.get(uri); // $ Alert
SimpleRequestBuilder.head(uri.toString()); // $ SSRF
SimpleRequestBuilder.head(uri); // $ SSRF
SimpleRequestBuilder.head(uri.toString()); // $ Alert
SimpleRequestBuilder.head(uri); // $ Alert
SimpleRequestBuilder.options(uri.toString()); // $ SSRF
SimpleRequestBuilder.options(uri); // $ SSRF
SimpleRequestBuilder.options(uri.toString()); // $ Alert
SimpleRequestBuilder.options(uri); // $ Alert
SimpleRequestBuilder.patch(uri.toString()); // $ SSRF
SimpleRequestBuilder.patch(uri); // $ SSRF
SimpleRequestBuilder.patch(uri.toString()); // $ Alert
SimpleRequestBuilder.patch(uri); // $ Alert
SimpleRequestBuilder.post(uri.toString()); // $ SSRF
SimpleRequestBuilder.post(uri); // $ SSRF
SimpleRequestBuilder.post(uri.toString()); // $ Alert
SimpleRequestBuilder.post(uri); // $ Alert
SimpleRequestBuilder.put(uri.toString()); // $ SSRF
SimpleRequestBuilder.put(uri); // $ SSRF
SimpleRequestBuilder.put(uri.toString()); // $ Alert
SimpleRequestBuilder.put(uri); // $ Alert
SimpleRequestBuilder.get().setHttpHost(host); // $ SSRF
SimpleRequestBuilder.get().setHttpHost(host); // $ Alert
SimpleRequestBuilder.get().setUri(uri.toString()); // $ SSRF
SimpleRequestBuilder.get().setUri(uri); // $ SSRF
SimpleRequestBuilder.get().setUri(uri.toString()); // $ Alert
SimpleRequestBuilder.get().setUri(uri); // $ Alert
SimpleRequestBuilder.trace(uri.toString()); // $ SSRF
SimpleRequestBuilder.trace(uri); // $ SSRF
SimpleRequestBuilder.trace(uri.toString()); // $ Alert
SimpleRequestBuilder.trace(uri); // $ Alert
} catch (Exception e) {
// TODO: handle exception
@@ -177,66 +177,66 @@ public class ApacheHttpSSRFVersion5 extends HttpServlet {
throws ServletException, IOException {
try {
String uriSink = request.getParameter("uri");
String uriSink = request.getParameter("uri"); // $ Source
URI uri = new URI(uriSink);
// org.apache.hc.client5.http.classic.methods.ClassicHttpRequests
ClassicHttpRequests.create(Method.CONNECT, uri.toString()); // $ SSRF
ClassicHttpRequests.create(Method.CONNECT, uri); // $ SSRF
ClassicHttpRequests.create("method", uri.toString()); // $ SSRF
ClassicHttpRequests.create("method", uri); // $ SSRF
ClassicHttpRequests.create(Method.CONNECT, uri.toString()); // $ Alert
ClassicHttpRequests.create(Method.CONNECT, uri); // $ Alert
ClassicHttpRequests.create("method", uri.toString()); // $ Alert
ClassicHttpRequests.create("method", uri); // $ Alert
ClassicHttpRequests.delete(uri.toString()); // $ SSRF
ClassicHttpRequests.delete(uri); // $ SSRF
ClassicHttpRequests.delete(uri.toString()); // $ Alert
ClassicHttpRequests.delete(uri); // $ Alert
ClassicHttpRequests.get(uri.toString()); // $ SSRF
ClassicHttpRequests.get(uri); // $ SSRF
ClassicHttpRequests.get(uri.toString()); // $ Alert
ClassicHttpRequests.get(uri); // $ Alert
ClassicHttpRequests.head(uri.toString()); // $ SSRF
ClassicHttpRequests.head(uri); // $ SSRF
ClassicHttpRequests.head(uri.toString()); // $ Alert
ClassicHttpRequests.head(uri); // $ Alert
ClassicHttpRequests.options(uri.toString()); // $ SSRF
ClassicHttpRequests.options(uri); // $ SSRF
ClassicHttpRequests.options(uri.toString()); // $ Alert
ClassicHttpRequests.options(uri); // $ Alert
ClassicHttpRequests.patch(uri.toString()); // $ SSRF
ClassicHttpRequests.patch(uri); // $ SSRF
ClassicHttpRequests.patch(uri.toString()); // $ Alert
ClassicHttpRequests.patch(uri); // $ Alert
ClassicHttpRequests.post(uri.toString()); // $ SSRF
ClassicHttpRequests.post(uri); // $ SSRF
ClassicHttpRequests.post(uri.toString()); // $ Alert
ClassicHttpRequests.post(uri); // $ Alert
ClassicHttpRequests.put(uri.toString()); // $ SSRF
ClassicHttpRequests.put(uri); // $ SSRF
ClassicHttpRequests.put(uri.toString()); // $ Alert
ClassicHttpRequests.put(uri); // $ Alert
ClassicHttpRequests.trace(uri.toString()); // $ SSRF
ClassicHttpRequests.trace(uri); // $ SSRF
ClassicHttpRequests.trace(uri.toString()); // $ Alert
ClassicHttpRequests.trace(uri); // $ Alert
// org.apache.hc.client5.http.classic.methods.HttpDelete through HttpTrace
new HttpDelete(uri.toString()); // $ SSRF
new HttpDelete(uri); // $ SSRF
new HttpDelete(uri.toString()); // $ Alert
new HttpDelete(uri); // $ Alert
new HttpGet(uri.toString()); // $ SSRF
new HttpGet(uri); // $ SSRF
new HttpGet(uri.toString()); // $ Alert
new HttpGet(uri); // $ Alert
new HttpHead(uri.toString()); // $ SSRF
new HttpHead(uri); // $ SSRF
new HttpHead(uri.toString()); // $ Alert
new HttpHead(uri); // $ Alert
new HttpOptions(uri.toString()); // $ SSRF
new HttpOptions(uri); // $ SSRF
new HttpOptions(uri.toString()); // $ Alert
new HttpOptions(uri); // $ Alert
new HttpPatch(uri.toString()); // $ SSRF
new HttpPatch(uri); // $ SSRF
new HttpPatch(uri.toString()); // $ Alert
new HttpPatch(uri); // $ Alert
new HttpPost(uri.toString()); // $ SSRF
new HttpPost(uri); // $ SSRF
new HttpPost(uri.toString()); // $ Alert
new HttpPost(uri); // $ Alert
new HttpPut(uri.toString()); // $ SSRF
new HttpPut(uri); // $ SSRF
new HttpPut(uri.toString()); // $ Alert
new HttpPut(uri); // $ Alert
new HttpTrace(uri.toString()); // $ SSRF
new HttpTrace(uri); // $ SSRF
new HttpTrace(uri.toString()); // $ Alert
new HttpTrace(uri); // $ Alert
// org.apache.hc.client5.http.classic.methods.HttpUriRequestBase
new HttpUriRequestBase("method", uri); // $ SSRF
new HttpUriRequestBase("method", uri); // $ Alert
} catch (Exception e) {
// TODO: handle exception
@@ -248,37 +248,37 @@ public class ApacheHttpSSRFVersion5 extends HttpServlet {
throws ServletException, IOException {
try {
String uriSink = request.getParameter("uri");
String uriSink = request.getParameter("uri"); // $ Source
URI uri = new URI(uriSink);
// org.apache.hc.client5.http.fluent.Request
Request.create(Method.CONNECT, uri); // $ SSRF
Request.create("method", uri.toString()); // $ SSRF
Request.create("method", uri); // $ SSRF
Request.create(Method.CONNECT, uri); // $ Alert
Request.create("method", uri.toString()); // $ Alert
Request.create("method", uri); // $ Alert
Request.delete(uri.toString()); // $ SSRF
Request.delete(uri); // $ SSRF
Request.delete(uri.toString()); // $ Alert
Request.delete(uri); // $ Alert
Request.get(uri.toString()); // $ SSRF
Request.get(uri); // $ SSRF
Request.get(uri.toString()); // $ Alert
Request.get(uri); // $ Alert
Request.head(uri.toString()); // $ SSRF
Request.head(uri); // $ SSRF
Request.head(uri.toString()); // $ Alert
Request.head(uri); // $ Alert
Request.options(uri.toString()); // $ SSRF
Request.options(uri); // $ SSRF
Request.options(uri.toString()); // $ Alert
Request.options(uri); // $ Alert
Request.patch(uri.toString()); // $ SSRF
Request.patch(uri); // $ SSRF
Request.patch(uri.toString()); // $ Alert
Request.patch(uri); // $ Alert
Request.post(uri.toString()); // $ SSRF
Request.post(uri); // $ SSRF
Request.post(uri.toString()); // $ Alert
Request.post(uri); // $ Alert
Request.put(uri.toString()); // $ SSRF
Request.put(uri); // $ SSRF
Request.put(uri.toString()); // $ Alert
Request.put(uri); // $ Alert
Request.trace(uri.toString()); // $ SSRF
Request.trace(uri); // $ SSRF
Request.trace(uri.toString()); // $ Alert
Request.trace(uri); // $ Alert
} catch (Exception e) {
// TODO: handle exception
@@ -292,26 +292,26 @@ public class ApacheHttpSSRFVersion5 extends HttpServlet {
throws ServletException, IOException {
try {
String uriSink = request.getParameter("uri");
String uriSink = request.getParameter("uri"); // $ Source
URI uri = new URI(uriSink);
String hostSink = request.getParameter("host");
String hostSink = request.getParameter("host"); // $ Source
HttpHost host = new HttpHost(hostSink);
// org.apache.hc.core5.http.impl.bootstrap
HttpAsyncRequester httpAsyncReq = new HttpAsyncRequester(null, null, null, null, null, null);
httpAsyncReq.connect(host, null); // $ SSRF
httpAsyncReq.connect(host, null, null, null); // $ SSRF
httpAsyncReq.connect(host, null); // $ Alert
httpAsyncReq.connect(host, null, null, null); // $ Alert
// org.apache.hc.core5.http.impl.io
DefaultClassicHttpRequestFactory defClassicHttpReqFact = new DefaultClassicHttpRequestFactory();
defClassicHttpReqFact.newHttpRequest("method", uri.toString()); // $ SSRF
defClassicHttpReqFact.newHttpRequest("method", uri); // $ SSRF
defClassicHttpReqFact.newHttpRequest("method", uri.toString()); // $ Alert
defClassicHttpReqFact.newHttpRequest("method", uri); // $ Alert
// org.apache.hc.core5.http.impl.nio
DefaultHttpRequestFactory defHttpReqFact = new DefaultHttpRequestFactory();
defHttpReqFact.newHttpRequest("method", uri.toString()); // $ SSRF
defHttpReqFact.newHttpRequest("method", uri); // $ SSRF
defHttpReqFact.newHttpRequest("method", uri.toString()); // $ Alert
defHttpReqFact.newHttpRequest("method", uri); // $ Alert
} catch (Exception e) {
// TODO: handle exception
@@ -323,41 +323,41 @@ public class ApacheHttpSSRFVersion5 extends HttpServlet {
throws ServletException, IOException {
try {
String uriSink = request.getParameter("uri");
String uriSink = request.getParameter("uri"); // $ Source
URI uri = new URI(uriSink);
String hostSink = request.getParameter("host");
String hostSink = request.getParameter("host"); // $ Source
HttpHost host = new HttpHost(hostSink);
// org.apache.hc.core5.http.io.support.ClassicRequestBuilder
ClassicRequestBuilder.delete(uri.toString()); // $ SSRF
ClassicRequestBuilder.delete(uri); // $ SSRF
ClassicRequestBuilder.delete(uri.toString()); // $ Alert
ClassicRequestBuilder.delete(uri); // $ Alert
ClassicRequestBuilder.get(uri.toString()); // $ SSRF
ClassicRequestBuilder.get(uri); // $ SSRF
ClassicRequestBuilder.get(uri.toString()); // $ Alert
ClassicRequestBuilder.get(uri); // $ Alert
ClassicRequestBuilder.head(uri.toString()); // $ SSRF
ClassicRequestBuilder.head(uri); // $ SSRF
ClassicRequestBuilder.head(uri.toString()); // $ Alert
ClassicRequestBuilder.head(uri); // $ Alert
ClassicRequestBuilder.options(uri.toString()); // $ SSRF
ClassicRequestBuilder.options(uri); // $ SSRF
ClassicRequestBuilder.options(uri.toString()); // $ Alert
ClassicRequestBuilder.options(uri); // $ Alert
ClassicRequestBuilder.patch(uri.toString()); // $ SSRF
ClassicRequestBuilder.patch(uri); // $ SSRF
ClassicRequestBuilder.patch(uri.toString()); // $ Alert
ClassicRequestBuilder.patch(uri); // $ Alert
ClassicRequestBuilder.post(uri.toString()); // $ SSRF
ClassicRequestBuilder.post(uri); // $ SSRF
ClassicRequestBuilder.post(uri.toString()); // $ Alert
ClassicRequestBuilder.post(uri); // $ Alert
ClassicRequestBuilder.put(uri.toString()); // $ SSRF
ClassicRequestBuilder.put(uri); // $ SSRF
ClassicRequestBuilder.put(uri.toString()); // $ Alert
ClassicRequestBuilder.put(uri); // $ Alert
ClassicRequestBuilder.get().setHttpHost(host); // $ SSRF
ClassicRequestBuilder.get().setHttpHost(host); // $ Alert
ClassicRequestBuilder.get().setUri(uri.toString()); // $ SSRF
ClassicRequestBuilder.get().setUri(uri); // $ SSRF
ClassicRequestBuilder.get().setUri(uri.toString()); // $ Alert
ClassicRequestBuilder.get().setUri(uri); // $ Alert
ClassicRequestBuilder.trace(uri.toString()); // $ SSRF
ClassicRequestBuilder.trace(uri); // $ SSRF
ClassicRequestBuilder.trace(uri.toString()); // $ Alert
ClassicRequestBuilder.trace(uri); // $ Alert
} catch (Exception e) {
// TODO: handle exception
@@ -369,29 +369,29 @@ public class ApacheHttpSSRFVersion5 extends HttpServlet {
throws ServletException, IOException {
try {
String uriSink = request.getParameter("uri");
String uriSink = request.getParameter("uri"); // $ Source
URI uri = new URI(uriSink);
String hostSink = request.getParameter("host");
String hostSink = request.getParameter("host"); // $ Source
HttpHost host = new HttpHost(hostSink);
// BasicClassicHttpRequest
new BasicClassicHttpRequest(Method.CONNECT, host, "path"); // $ SSRF
new BasicClassicHttpRequest(Method.CONNECT, uri); // $ SSRF
new BasicClassicHttpRequest("method", host, "path"); // $ SSRF
new BasicClassicHttpRequest("method", uri); // $ SSRF
new BasicClassicHttpRequest(Method.CONNECT, host, "path"); // $ Alert
new BasicClassicHttpRequest(Method.CONNECT, uri); // $ Alert
new BasicClassicHttpRequest("method", host, "path"); // $ Alert
new BasicClassicHttpRequest("method", uri); // $ Alert
// BasicHttpRequest
new BasicHttpRequest(Method.CONNECT, host, "path"); // $ SSRF
new BasicHttpRequest(Method.CONNECT, uri); // $ SSRF
new BasicHttpRequest("method", host, "path"); // $ SSRF
new BasicHttpRequest("method", uri); // $ SSRF
new BasicHttpRequest(Method.CONNECT, host, "path"); // $ Alert
new BasicHttpRequest(Method.CONNECT, uri); // $ Alert
new BasicHttpRequest("method", host, "path"); // $ Alert
new BasicHttpRequest("method", uri); // $ Alert
BasicHttpRequest bhr = new BasicHttpRequest("method", "path");
bhr.setUri(uri); // $ SSRF
bhr.setUri(uri); // $ Alert
// HttpRequestWrapper
HttpRequestWrapper hrw = new HttpRequestWrapper(null);
hrw.setUri(uri); // $ SSRF
hrw.setUri(uri); // $ Alert
} catch (Exception e) {
// TODO: handle exception
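Review bot: Every hunk in this file attaches `// $ Source` to a local called `uriSink` or `hostSink` (`String uriSink = request.getParameter("uri"); // $ Source`, `String hostSink = request.getParameter("host"); // $ Source`), so the names now contradict the tags the commit adds; the same mismatch recurs in each servlet method of this file. Renaming the tagged locals keeps the fixture readable without touching any expectation: `String untrustedUri = request.getParameter("uri"); // $ Source`, `URI uri = new URI(untrustedUri);`, `String untrustedHost = request.getParameter("host"); // $ Source`, `HttpHost host = new HttpHost(untrustedHost);`. Each enclosing method begins before its hunk (only the `throws` clause is visible), so the rename must be applied consistently across the unseen lines as well. The `// $ Alert` sites themselves (`bhr.setUri(uri)`, `hrw.setUri(uri)` and the constructors above them) look correctly placed on the call that consumes the tainted URI or host.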


@@ -11,8 +11,8 @@ public class JakartaWsSSRF extends HttpServlet {
protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
Client client = ClientBuilder.newClient();
String url = request.getParameter("url");
client.target(url); // $ SSRF
String url = request.getParameter("url"); // $ Source
client.target(url); // $ Alert
}
}


@@ -22,21 +22,21 @@ public class JavaNetHttpSSRF extends HttpServlet {
throws ServletException, IOException {
try {
String sink = request.getParameter("uri");
String sink = request.getParameter("uri"); // $ Source
URI uri = new URI(sink);
URI uri2 = new URI("http", sink, "fragement");
URL url1 = new URL(sink);
URLConnection c1 = url1.openConnection(); // $ SSRF
URLConnection c1 = url1.openConnection(); // $ Alert
SocketAddress sa = new SocketAddress() {
};
URLConnection c2 = url1.openConnection(new Proxy(Type.HTTP, sa)); // $ SSRF
InputStream c3 = url1.openStream(); // $ SSRF
URLConnection c2 = url1.openConnection(new Proxy(Type.HTTP, sa)); // $ Alert
InputStream c3 = url1.openStream(); // $ Alert
// java.net.http
HttpClient client = HttpClient.newHttpClient();
HttpRequest request2 = HttpRequest.newBuilder().uri(uri2).build(); // $ SSRF
HttpRequest request3 = HttpRequest.newBuilder(uri).build(); // $ SSRF
HttpRequest request2 = HttpRequest.newBuilder().uri(uri2).build(); // $ Alert
HttpRequest request3 = HttpRequest.newBuilder(uri).build(); // $ Alert
} catch (Exception e) {
// TODO: handle exception
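Review bot: As in the other fixtures, the local tagged `// $ Source` is named `sink` (`String sink = request.getParameter("uri"); // $ Source`), which reads backwards now that the tag marks it as the taint origin; `String untrustedUri = request.getParameter("uri"); // $ Source` with `URI uri = new URI(untrustedUri);` and `URL url1 = new URL(untrustedUri);` would make the intent obvious. The unchanged context line `URI uri2 = new URI("http", sink, "fragement");` also carries a typo in the fragment literal (`"fragment"`), which the commit leaves in place; harmless for the test but worth fixing while the file is being touched. The enclosing `doGet`-style method starts before the hunk, so the rename has to cover any use of `sink` outside the visible lines.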


@@ -11,8 +11,8 @@ public class JaxWsSSRF extends HttpServlet {
protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
Client client = ClientBuilder.newClient();
String url = request.getParameter("url");
client.target(url); // $ SSRF
String url = request.getParameter("url"); // $ Source
client.target(url); // $ Alert
}
}


@@ -17,75 +17,75 @@ public class JdbcUrlSSRF extends HttpServlet {
protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
String jdbcUrl = request.getParameter("jdbcUrl");
String jdbcUrl = request.getParameter("jdbcUrl"); // $ Source
Driver driver = new org.postgresql.Driver();
DataSourceBuilder dsBuilder = DataSourceBuilder.create();
try {
driver.connect(jdbcUrl, null); // $ SSRF
driver.connect(jdbcUrl, null); // $ Alert
DriverManager.getConnection(jdbcUrl); // $ SSRF
DriverManager.getConnection(jdbcUrl, "user", "password"); // $ SSRF
DriverManager.getConnection(jdbcUrl, null); // $ SSRF
DriverManager.getConnection(jdbcUrl); // $ Alert
DriverManager.getConnection(jdbcUrl, "user", "password"); // $ Alert
DriverManager.getConnection(jdbcUrl, null); // $ Alert
dsBuilder.url(jdbcUrl); // $ SSRF
dsBuilder.url(jdbcUrl); // $ Alert
}
catch(SQLException e) {}
}
protected void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
String jdbcUrl = request.getParameter("jdbcUrl");
String jdbcUrl = request.getParameter("jdbcUrl"); // $ Source
HikariConfig config = new HikariConfig();
config.setJdbcUrl(jdbcUrl); // $ SSRF
config.setJdbcUrl(jdbcUrl); // $ Alert
config.setUsername("database_username");
config.setPassword("database_password");
HikariDataSource ds = new HikariDataSource();
ds.setJdbcUrl(jdbcUrl); // $ SSRF
ds.setJdbcUrl(jdbcUrl); // $ Alert
Properties props = new Properties();
props.setProperty("driverClassName", "org.postgresql.Driver");
props.setProperty("jdbcUrl", jdbcUrl);
HikariConfig config2 = new HikariConfig(props); // $ SSRF
HikariConfig config2 = new HikariConfig(props); // $ Alert
}
protected void doPut(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
String jdbcUrl = request.getParameter("jdbcUrl");
DriverManagerDataSource dataSource = new DriverManagerDataSource();
dataSource.setDriverClassName("org.postgresql.Driver");
dataSource.setUrl(jdbcUrl); // $ SSRF
String jdbcUrl = request.getParameter("jdbcUrl"); // $ Source
DriverManagerDataSource dataSource2 = new DriverManagerDataSource(jdbcUrl); // $ SSRF
DriverManagerDataSource dataSource = new DriverManagerDataSource();
dataSource.setDriverClassName("org.postgresql.Driver");
dataSource.setUrl(jdbcUrl); // $ Alert
DriverManagerDataSource dataSource2 = new DriverManagerDataSource(jdbcUrl); // $ Alert
dataSource2.setDriverClassName("org.postgresql.Driver");
DriverManagerDataSource dataSource3 = new DriverManagerDataSource(jdbcUrl, "user", "pass"); // $ SSRF
DriverManagerDataSource dataSource3 = new DriverManagerDataSource(jdbcUrl, "user", "pass"); // $ Alert
dataSource3.setDriverClassName("org.postgresql.Driver");
DriverManagerDataSource dataSource4 = new DriverManagerDataSource(jdbcUrl, null); // $ SSRF
DriverManagerDataSource dataSource4 = new DriverManagerDataSource(jdbcUrl, null); // $ Alert
dataSource4.setDriverClassName("org.postgresql.Driver");
}
protected void doDelete(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
String jdbcUrl = request.getParameter("jdbcUrl");
String jdbcUrl = request.getParameter("jdbcUrl"); // $ Source
Jdbi.create(jdbcUrl); // $ SSRF
Jdbi.create(jdbcUrl, null); // $ SSRF
Jdbi.create(jdbcUrl, "user", "pass"); // $ SSRF
Jdbi.create(jdbcUrl); // $ Alert
Jdbi.create(jdbcUrl, null); // $ Alert
Jdbi.create(jdbcUrl, "user", "pass"); // $ Alert
Jdbi.open(jdbcUrl); // $ SSRF
Jdbi.open(jdbcUrl, null); // $ SSRF
Jdbi.open(jdbcUrl, "user", "pass"); // $ SSRF
Jdbi.open(jdbcUrl); // $ Alert
Jdbi.open(jdbcUrl, null); // $ Alert
Jdbi.open(jdbcUrl, "user", "pass"); // $ Alert
}
}
}


@@ -12,8 +12,8 @@ public class ReactiveWebClientSSRF extends HttpServlet {
protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
try {
String url = request.getParameter("uri");
WebClient webClient = WebClient.create(url); // $ SSRF
String url = request.getParameter("uri"); // $ Source
WebClient webClient = WebClient.create(url); // $ Alert
Mono<String> result = webClient.get()
.uri("/")
@@ -29,10 +29,10 @@ public class ReactiveWebClientSSRF extends HttpServlet {
protected void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
try {
String url = request.getParameter("uri");
String url = request.getParameter("uri"); // $ Source
WebClient webClient = WebClient.builder()
.defaultHeader("User-Agent", "Java")
.baseUrl(url) // $ SSRF
.baseUrl(url) // $ Alert
.build();
@@ -46,4 +46,4 @@ public class ReactiveWebClientSSRF extends HttpServlet {
// Ignore
}
}
}
}


@@ -1,19 +0,0 @@
import java
import semmle.code.java.security.RequestForgeryConfig
import utils.test.InlineExpectationsTest
module HasFlowTest implements TestSig {
string getARelevantTag() { result = "SSRF" }
predicate hasActualResult(Location location, string element, string tag, string value) {
tag = "SSRF" and
exists(DataFlow::Node sink |
RequestForgeryFlow::flowTo(sink) and
sink.getLocation() = location and
element = sink.toString() and
value = ""
)
}
}
import MakeTest<HasFlowTest>


@@ -0,0 +1,4 @@
query: Security/CWE/CWE-918/RequestForgery.ql
postprocess:
- utils/test/PrettyPrintModels.ql
- utils/test/InlineExpectationsTestQuery.ql


@@ -16,11 +16,11 @@ public class SanitizationTests extends HttpServlet {
throws ServletException, IOException {
try {
URI uri = new URI(request.getParameter("uri"));
URI uri = new URI(request.getParameter("uri")); // $ Source
// BAD: a request parameter is incorporated without validation into a Http
// request
HttpRequest r = HttpRequest.newBuilder(uri).build(); // $ SSRF
client.send(r, null); // $ SSRF
HttpRequest r = HttpRequest.newBuilder(uri).build(); // $ Alert
client.send(r, null); // $ Alert
// GOOD: sanitisation by concatenation with a prefix that prevents targeting an arbitrary host.
// We test a few different ways of sanitisation: via string conctentation (perhaps nested),
@@ -72,55 +72,55 @@ public class SanitizationTests extends HttpServlet {
// BAD: cases where a string that would sanitise is used, but occurs in the wrong
// place to sanitise user input:
String unsafeUri3 = request.getParameter("baduri3") + "https://example.com/";
HttpRequest unsafer3 = HttpRequest.newBuilder(new URI(unsafeUri3)).build(); // $ SSRF
client.send(unsafer3, null); // $ SSRF
String unsafeUri3 = request.getParameter("baduri3") + "https://example.com/"; // $ Source
HttpRequest unsafer3 = HttpRequest.newBuilder(new URI(unsafeUri3)).build(); // $ Alert
client.send(unsafer3, null); // $ Alert
String unsafeUri4 = ("someprefix" + request.getParameter("baduri4")) + "https://example.com/";
HttpRequest unsafer4 = HttpRequest.newBuilder(new URI(unsafeUri4)).build(); // $ SSRF
client.send(unsafer4, null); // $ SSRF
String unsafeUri4 = ("someprefix" + request.getParameter("baduri4")) + "https://example.com/"; // $ Source
HttpRequest unsafer4 = HttpRequest.newBuilder(new URI(unsafeUri4)).build(); // $ Alert
client.send(unsafer4, null); // $ Alert
StringBuilder unsafeUri5 = new StringBuilder();
unsafeUri5.append(request.getParameter("baduri5")).append("https://example.com/");
HttpRequest unsafer5 = HttpRequest.newBuilder(new URI(unsafeUri5.toString())).build(); // $ SSRF
client.send(unsafer5, null); // $ SSRF
unsafeUri5.append(request.getParameter("baduri5")).append("https://example.com/"); // $ Source
HttpRequest unsafer5 = HttpRequest.newBuilder(new URI(unsafeUri5.toString())).build(); // $ Alert
client.send(unsafer5, null); // $ Alert
StringBuilder unafeUri5a = new StringBuilder(request.getParameter("uri5a"));
StringBuilder unafeUri5a = new StringBuilder(request.getParameter("uri5a")); // $ Source
unafeUri5a.append("https://example.com/");
HttpRequest unsafer5a = HttpRequest.newBuilder(new URI(unafeUri5a.toString())).build(); // $ SSRF
client.send(unsafer5a, null); // $ SSRF
HttpRequest unsafer5a = HttpRequest.newBuilder(new URI(unafeUri5a.toString())).build(); // $ Alert
client.send(unsafer5a, null); // $ Alert
StringBuilder unsafeUri5b = (new StringBuilder(request.getParameter("uri5b"))).append("dir/");
StringBuilder unsafeUri5b = (new StringBuilder(request.getParameter("uri5b"))).append("dir/"); // $ Source
unsafeUri5b.append("https://example.com/");
HttpRequest unsafer5b = HttpRequest.newBuilder(new URI(unsafeUri5b.toString())).build(); // $ SSRF
client.send(unsafer5b, null); // $ SSRF
HttpRequest unsafer5b = HttpRequest.newBuilder(new URI(unsafeUri5b.toString())).build(); // $ Alert
client.send(unsafer5b, null); // $ Alert
StringBuilder unsafeUri5c = (new StringBuilder("https")).append(request.getParameter("uri5c"));
StringBuilder unsafeUri5c = (new StringBuilder("https")).append(request.getParameter("uri5c")); // $ Source
unsafeUri5c.append("://example.com/dir/");
HttpRequest unsafer5c = HttpRequest.newBuilder(new URI(unsafeUri5c.toString())).build(); // $ SSRF
client.send(unsafer5c, null); // $ SSRF
HttpRequest unsafer5c = HttpRequest.newBuilder(new URI(unsafeUri5c.toString())).build(); // $ Alert
client.send(unsafer5c, null); // $ Alert
String unsafeUri6 = String.format("%shttps://example.com/", request.getParameter("baduri6"));
HttpRequest unsafer6 = HttpRequest.newBuilder(new URI(unsafeUri6)).build(); // $ SSRF
client.send(unsafer6, null); // $ SSRF
String unsafeUri6 = String.format("%shttps://example.com/", request.getParameter("baduri6")); // $ Source
HttpRequest unsafer6 = HttpRequest.newBuilder(new URI(unsafeUri6)).build(); // $ Alert
client.send(unsafer6, null); // $ Alert
String unsafeUri7 = String.format("%s/%s", request.getParameter("baduri7"), "https://example.com");
HttpRequest unsafer7 = HttpRequest.newBuilder(new URI(unsafeUri7)).build(); // $ SSRF
client.send(unsafer7, null); // $ SSRF
String unsafeUri7 = String.format("%s/%s", request.getParameter("baduri7"), "https://example.com"); // $ Source
HttpRequest unsafer7 = HttpRequest.newBuilder(new URI(unsafeUri7)).build(); // $ Alert
client.send(unsafer7, null); // $ Alert
String unsafeUri8 = String.format("%s%s", request.getParameter("baduri8"), "https://example.com/");
HttpRequest unsafer8 = HttpRequest.newBuilder(new URI(unsafeUri8)).build(); // $ SSRF
client.send(unsafer8, null); // $ SSRF
String unsafeUri8 = String.format("%s%s", request.getParameter("baduri8"), "https://example.com/"); // $ Source
HttpRequest unsafer8 = HttpRequest.newBuilder(new URI(unsafeUri8)).build(); // $ Alert
client.send(unsafer8, null); // $ Alert
String unsafeUri9 = request.getParameter("baduri9") + "/" + String.format("http://%s", "myserver.com");
HttpRequest unsafer9 = HttpRequest.newBuilder(new URI(unsafeUri9)).build(); // $ SSRF
client.send(unsafer9, null); // $ SSRF
String unsafeUri9 = request.getParameter("baduri9") + "/" + String.format("http://%s", "myserver.com"); // $ Source
HttpRequest unsafer9 = HttpRequest.newBuilder(new URI(unsafeUri9)).build(); // $ Alert
client.send(unsafer9, null); // $ Alert
String unsafeUri10 = String.format("%s://%s:%s%s", "http", "myserver.com", "80", request.getParameter("baduri10"));
HttpRequest unsafer10 = HttpRequest.newBuilder(new URI(unsafeUri10)).build(); // $ SSRF
client.send(unsafer10, null); // $ SSRF
String unsafeUri10 = String.format("%s://%s:%s%s", "http", "myserver.com", "80", request.getParameter("baduri10")); // $ Source
HttpRequest unsafer10 = HttpRequest.newBuilder(new URI(unsafeUri10)).build(); // $ Alert
client.send(unsafer10, null); // $ Alert
} catch (Exception e) {
// TODO: handle exception
}
}
}
}
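Review bot: The catch block at the end of the second hunk still reads `catch (Exception e) { // TODO: handle exception }`, while the other fixtures touched by this commit mark the same pattern `// Ignore`; since the tag rewrite already touches every other line of this method, it would be consistent to change the comment to `// Ignore: exceptions are irrelevant to the dataflow expectations` so the fixture does not look unfinished. The method whose body these hunks belong to starts before the first hunk, so its signature is not visible here.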


@@ -25,54 +25,54 @@ public class SpringSSRF extends HttpServlet {
protected void doGet(HttpServletRequest request2, HttpServletResponse response2)
throws ServletException, IOException {
String fooResourceUrl = request2.getParameter("uri");;
String fooResourceUrl = request2.getParameter("uri"); // $ Source
RestTemplate restTemplate = new RestTemplate();
HttpEntity<String> request = new HttpEntity<>(new String("bar"));
try {
restTemplate.getForEntity(fooResourceUrl + "/1", String.class); // $ SSRF
restTemplate.exchange(fooResourceUrl, HttpMethod.POST, request, String.class); // $ SSRF
restTemplate.execute(fooResourceUrl, HttpMethod.POST, null, null, "test"); // $ SSRF
restTemplate.getForObject(fooResourceUrl, String.class, "test"); // $ SSRF
restTemplate.getForObject("http://{foo}", String.class, fooResourceUrl); // $ SSRF
restTemplate.getForObject("http://{foo}/a/b", String.class, fooResourceUrl); // $ SSRF
restTemplate.getForEntity(fooResourceUrl + "/1", String.class); // $ Alert
restTemplate.exchange(fooResourceUrl, HttpMethod.POST, request, String.class); // $ Alert
restTemplate.execute(fooResourceUrl, HttpMethod.POST, null, null, "test"); // $ Alert
restTemplate.getForObject(fooResourceUrl, String.class, "test"); // $ Alert
restTemplate.getForObject("http://{foo}", String.class, fooResourceUrl); // $ Alert
restTemplate.getForObject("http://{foo}/a/b", String.class, fooResourceUrl); // $ Alert
restTemplate.getForObject("http://safe.com/{foo}", String.class, fooResourceUrl); // not bad - the tainted value does not affect the host
restTemplate.getForObject("http://{foo}", String.class, "safe.com", fooResourceUrl); // not bad - the tainted value is unused
restTemplate.getForObject("http://{foo}", String.class, Map.of("foo", fooResourceUrl)); // $ SSRF
restTemplate.getForObject("http://{foo}", String.class, Map.of("foo", fooResourceUrl)); // $ Alert
restTemplate.getForObject("http://safe.com/{foo}", String.class, Map.of("foo", fooResourceUrl)); // not bad - the tainted value does not affect the host
restTemplate.getForObject("http://{foo}", String.class, Map.of("foo", "safe.com", "unused", fooResourceUrl)); // $ SPURIOUS: SSRF // not bad - the key for the tainted value is unused
restTemplate.getForObject("http://{foo}", String.class, Map.of("foo", "safe.com", "unused", fooResourceUrl)); // $ SPURIOUS: Alert // not bad - the key for the tainted value is unused
restTemplate.getForObject("http://{foo}", String.class, Map.of("foo", "safe.com", fooResourceUrl, "unused")); // not bad - the tainted value is in a map key
restTemplate.patchForObject(fooResourceUrl, new String("object"), String.class, "hi"); // $ SSRF
restTemplate.postForEntity(new URI(fooResourceUrl), new String("object"), String.class); // $ SSRF
restTemplate.postForLocation(fooResourceUrl, new String("object")); // $ SSRF
restTemplate.postForObject(fooResourceUrl, new String("object"), String.class); // $ SSRF
restTemplate.put(fooResourceUrl, new String("object")); // $ SSRF
restTemplate.delete(fooResourceUrl); // $ SSRF
restTemplate.headForHeaders(fooResourceUrl); // $ SSRF
restTemplate.optionsForAllow(fooResourceUrl); // $ SSRF
restTemplate.patchForObject(fooResourceUrl, new String("object"), String.class, "hi"); // $ Alert
restTemplate.postForEntity(new URI(fooResourceUrl), new String("object"), String.class); // $ Alert
restTemplate.postForLocation(fooResourceUrl, new String("object")); // $ Alert
restTemplate.postForObject(fooResourceUrl, new String("object"), String.class); // $ Alert
restTemplate.put(fooResourceUrl, new String("object")); // $ Alert
restTemplate.delete(fooResourceUrl); // $ Alert
restTemplate.headForHeaders(fooResourceUrl); // $ Alert
restTemplate.optionsForAllow(fooResourceUrl); // $ Alert
{
String body = new String("body");
URI uri = new URI(fooResourceUrl);
RequestEntity<String> requestEntity =
RequestEntity.post(uri).body(body); // $ SSRF
RequestEntity.post(uri).body(body); // $ Alert
ResponseEntity<String> response = restTemplate.exchange(requestEntity, String.class);
RequestEntity.get(uri); // $ SSRF
RequestEntity.put(uri); // $ SSRF
RequestEntity.delete(uri); // $ SSRF
RequestEntity.options(uri); // $ SSRF
RequestEntity.patch(uri); // $ SSRF
RequestEntity.head(uri); // $ SSRF
RequestEntity.method(null, uri); // $ SSRF
RequestEntity.get(uri); // $ Alert
RequestEntity.put(uri); // $ Alert
RequestEntity.delete(uri); // $ Alert
RequestEntity.options(uri); // $ Alert
RequestEntity.patch(uri); // $ Alert
RequestEntity.head(uri); // $ Alert
RequestEntity.method(null, uri); // $ Alert
}
{
URI uri = new URI(fooResourceUrl);
MultiValueMap<String, String> headers = null;
java.lang.reflect.Type type = null;
new RequestEntity<String>(null, uri); // $ SSRF
new RequestEntity<String>(headers, null, uri); // $ SSRF
new RequestEntity<String>("body", null, uri); // $ SSRF
new RequestEntity<String>("body", headers, null, uri); // $ SSRF
new RequestEntity<String>("body", null, uri, type); // $ SSRF
new RequestEntity<String>("body", headers, null, uri, type); // $ SSRF
new RequestEntity<String>(null, uri); // $ Alert
new RequestEntity<String>(headers, null, uri); // $ Alert
new RequestEntity<String>("body", null, uri); // $ Alert
new RequestEntity<String>("body", headers, null, uri); // $ Alert
new RequestEntity<String>("body", null, uri, type); // $ Alert
new RequestEntity<String>("body", headers, null, uri, type); // $ Alert
}
} catch (org.springframework.web.client.RestClientException | java.net.URISyntaxException e) {}
}


@@ -13,9 +13,9 @@ public class URLClassLoaderSSRF extends HttpServlet {
protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
try {
String url = request.getParameter("uri");
String url = request.getParameter("uri"); // $ Source
URI uri = new URI(url);
URLClassLoader urlClassLoader = new URLClassLoader(new URL[]{uri.toURL()}); // $ SSRF
URLClassLoader urlClassLoader = new URLClassLoader(new URL[]{uri.toURL()}); // $ Alert
Class<?> test = urlClassLoader.loadClass("test");
} catch (Exception e) {
// Ignore
@@ -25,9 +25,9 @@ public class URLClassLoaderSSRF extends HttpServlet {
protected void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
try {
String url = request.getParameter("uri");
String url = request.getParameter("uri"); // $ Source
URI uri = new URI(url);
URLClassLoader urlClassLoader = new URLClassLoader(new URL[]{uri.toURL()}, URLClassLoaderSSRF.class.getClassLoader()); // $ SSRF
URLClassLoader urlClassLoader = new URLClassLoader(new URL[]{uri.toURL()}, URLClassLoaderSSRF.class.getClassLoader()); // $ Alert
Class<?> test = urlClassLoader.loadClass("test");
} catch (Exception e) {
// Ignore
@@ -37,11 +37,11 @@ public class URLClassLoaderSSRF extends HttpServlet {
protected void doPut(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
try {
String url = request.getParameter("uri");
String url = request.getParameter("uri"); // $ Source
URI uri = new URI(url);
URLStreamHandlerFactory urlStreamHandlerFactory = null;
URLClassLoader urlClassLoader = new URLClassLoader(new URL[]{uri.toURL()}, URLClassLoaderSSRF.class.getClassLoader(), urlStreamHandlerFactory); // $ SSRF
URLClassLoader urlClassLoader = new URLClassLoader(new URL[]{uri.toURL()}, URLClassLoaderSSRF.class.getClassLoader(), urlStreamHandlerFactory); // $ Alert
urlClassLoader.findResource("test");
} catch (Exception e) {
// Ignore
@@ -51,9 +51,9 @@ public class URLClassLoaderSSRF extends HttpServlet {
protected void doDelete(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
try {
String url = request.getParameter("uri");
String url = request.getParameter("uri"); // $ Source
URI uri = new URI(url);
URLClassLoader urlClassLoader = URLClassLoader.newInstance(new URL[]{uri.toURL()}); // $ SSRF
URLClassLoader urlClassLoader = URLClassLoader.newInstance(new URL[]{uri.toURL()}); // $ Alert
urlClassLoader.getResourceAsStream("test");
} catch (Exception e) {
// Ignore
@@ -63,11 +63,11 @@ public class URLClassLoaderSSRF extends HttpServlet {
protected void doOptions(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
try {
String url = request.getParameter("uri");
String url = request.getParameter("uri"); // $ Source
URI uri = new URI(url);
URLClassLoader urlClassLoader =
new URLClassLoader("testClassLoader",
new URL[]{uri.toURL()}, // $ SSRF
new URL[]{uri.toURL()}, // $ Alert
URLClassLoaderSSRF.class.getClassLoader()
);
@@ -80,13 +80,13 @@ public class URLClassLoaderSSRF extends HttpServlet {
protected void doTrace(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
try {
String url = request.getParameter("uri");
String url = request.getParameter("uri"); // $ Source
URI uri = new URI(url);
URLStreamHandlerFactory urlStreamHandlerFactory = null;
URLClassLoader urlClassLoader =
new URLClassLoader("testClassLoader",
new URL[]{uri.toURL()}, // $ SSRF
new URL[]{uri.toURL()}, // $ Alert
URLClassLoaderSSRF.class.getClassLoader(),
urlStreamHandlerFactory
);
@@ -96,4 +96,4 @@ public class URLClassLoaderSSRF extends HttpServlet {
// Ignore
}
}
}
}
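Review bot: The `$ Alert` tags on the `new URLClassLoader(new URL[]{uri.toURL()})` constructor calls describe the sink as request forgery, but each handler goes on to call `loadClass("test")`, `findResource("test")` or `getResourceAsStream("test")` on that loader, which fetches and defines classes or resources from the request-supplied URL; in this fixture the parameter is therefore a code-loading vector as well as an outbound-request sink. A one-line comment above each constructor call would make that explicit for readers who only see the SSRF tag, e.g. `// Remote class loading: the URL is both a request-forgery sink and a code-execution vector.` The `doOptions` and `doTrace` bodies in the last hunks continue past the hunk boundaries, so their full control flow is not visible here.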


@@ -23,93 +23,93 @@ public class Test {
private static HttpServletRequest request;
public static Object source() {
return request.getParameter(null);
return request.getParameter(null); // $ Source
}
public void test(DatagramSocket socket) throws Exception {
// "java.net;DatagramSocket;true;connect;(SocketAddress);;Argument[0];open-url;ai-generated"
socket.connect((SocketAddress) source()); // $ SSRF
socket.connect((SocketAddress) source()); // $ Alert
}
public void test(URL url) throws Exception {
// "java.net;URL;false;openConnection;(Proxy);:Argument[this]:open-url;manual"
((URL) source()).openConnection(); // $ SSRF
((URL) source()).openConnection(); // $ Alert
// "java.net;URL;false;openConnection;(Proxy);:Argument[0]:open-url;ai-generated"
url.openConnection((Proxy) source()); // $ SSRF
url.openConnection((Proxy) source()); // $ Alert
// "java.net;URL;false;openStream;;:Argument[this]:open-url;manual"
((URL) source()).openStream(); // $ SSRF
((URL) source()).openStream(); // $ Alert
}
public void test() throws Exception {
// "java.net;URLClassLoader;false;URLClassLoader;(String,URL[],ClassLoader);;Argument[1];open-url;manual"
new URLClassLoader("", (URL[]) source(), null); // $ SSRF
new URLClassLoader("", (URL[]) source(), null); // $ Alert
// "java.net;URLClassLoader;false;URLClassLoader;(String,URL[],ClassLoader,URLStreamHandlerFactory);;Argument[1];open-url;manual"
new URLClassLoader("", (URL[]) source(), null, null); // $ SSRF
new URLClassLoader("", (URL[]) source(), null, null); // $ Alert
// "java.net;URLClassLoader;false;URLClassLoader;(URL[]);;Argument[0];open-url;manual"
new URLClassLoader((URL[]) source()); // $ SSRF
new URLClassLoader((URL[]) source()); // $ Alert
// "java.net;URLClassLoader;false;URLClassLoader;(URL[],ClassLoader);;Argument[0];open-url;manual"
new URLClassLoader((URL[]) source(), null); // $ SSRF
new URLClassLoader((URL[]) source(), null); // $ Alert
// "java.net;URLClassLoader;false;URLClassLoader;(URL[],ClassLoader,URLStreamHandlerFactory);;Argument[0];open-url;manual"
new URLClassLoader((URL[]) source(), null, null); // $ SSRF
new URLClassLoader((URL[]) source(), null, null); // $ Alert
// "java.net;URLClassLoader;false;newInstance;;;Argument[0];open-url;manual"
URLClassLoader.newInstance((URL[]) source()); // $ SSRF
URLClassLoader.newInstance((URL[]) source()); // $ Alert
// "org.apache.commons.jelly;JellyContext;true;JellyContext;(JellyContext,URL,URL);;Argument[1];open-url;ai-generated"
new JellyContext(null, (URL) source(), null); // $ SSRF
new JellyContext(null, (URL) source(), null); // $ Alert
// "org.apache.commons.jelly;JellyContext;true;JellyContext;(JellyContext,URL,URL);;Argument[2];open-url;ai-generated"
new JellyContext(null, null, (URL) source()); // $ SSRF
new JellyContext(null, null, (URL) source()); // $ Alert
// "org.apache.commons.jelly;JellyContext;true;JellyContext;(JellyContext,URL);;Argument[1];open-url;ai-generated"
new JellyContext((JellyContext) null, (URL) source()); // $ SSRF
new JellyContext((JellyContext) null, (URL) source()); // $ Alert
// "org.apache.commons.jelly;JellyContext;true;JellyContext;(URL,URL);;Argument[0];open-url;ai-generated"
new JellyContext((URL) source(), null); // $ SSRF
new JellyContext((URL) source(), null); // $ Alert
// "org.apache.commons.jelly;JellyContext;true;JellyContext;(URL,URL);;Argument[1];open-url;ai-generated"
new JellyContext((URL) null, (URL) source()); // $ SSRF
new JellyContext((URL) null, (URL) source()); // $ Alert
// "org.apache.commons.jelly;JellyContext;true;JellyContext;(URL);;Argument[0];open-url;ai-generated"
new JellyContext((URL) source()); // $ SSRF
new JellyContext((URL) source()); // $ Alert
// "javax.activation;URLDataSource;true;URLDataSource;(URL);;Argument[0];request-forgery;manual"
new URLDataSource((URL) source()); // $ SSRF
new URLDataSource((URL) source()); // $ Alert
// "org.apache.cxf.catalog;OASISCatalogManager;true;loadCatalog;(URL);;Argument[0];request-forgery;manual"
new OASISCatalogManager().loadCatalog((URL) source()); // $ SSRF
new OASISCatalogManager().loadCatalog((URL) source()); // $ Alert
// @formatter:off
// "org.apache.cxf.common.classloader;ClassLoaderUtils;true;getURLClassLoader;(URL[],ClassLoader);;Argument[0];request-forgery;manual"
new ClassLoaderUtils().getURLClassLoader((URL[]) source(), null); // $ SSRF
new ClassLoaderUtils().getURLClassLoader((URL[]) source(), null); // $ Alert
// "org.apache.cxf.common.classloader;ClassLoaderUtils;true;getURLClassLoader;(List,ClassLoader);;Argument[0];request-forgery;manual"
new ClassLoaderUtils().getURLClassLoader((List<URL>) source(), null); // $ SSRF
new ClassLoaderUtils().getURLClassLoader((List<URL>) source(), null); // $ Alert
// "org.apache.cxf.resource;ExtendedURIResolver;true;resolve;(String,String);;Argument[0];request-forgery;manual"]
new ExtendedURIResolver().resolve((String) source(), null); // $ SSRF
new ExtendedURIResolver().resolve((String) source(), null); // $ Alert
// "org.apache.cxf.resource;URIResolver;true;URIResolver;(String);;Argument[0];request-forgery;manual"]
new URIResolver((String) source()); // $ SSRF
new URIResolver((String) source()); // $ Alert
// "org.apache.cxf.resource;URIResolver;true;URIResolver;(String,String);;Argument[1];request-forgery;manual"]
new URIResolver(null, (String) source()); // $ SSRF
new URIResolver(null, (String) source()); // $ Alert
// "org.apache.cxf.resource;URIResolver;true;URIResolver;(String,String,Class);;Argument[1];request-forgery;manual"]
new URIResolver(null, (String) source(), null); // $ SSRF
new URIResolver(null, (String) source(), null); // $ Alert
// "org.apache.cxf.resource;URIResolver;true;resolve;(String,String,Class);;Argument[1];request-forgery;manual"
new URIResolver().resolve(null, (String) source(), null); // $ SSRF
new URIResolver().resolve(null, (String) source(), null); // $ Alert
// @formatter:on
}
public void test(WebEngine webEngine) {
// "javafx.scene.web;WebEngine;false;load;(String);;Argument[0];open-url;ai-generated"
webEngine.load((String) source()); // $ SSRF
webEngine.load((String) source()); // $ Alert
}
public void test(ZipURLInstaller zui) {
// "org.codehaus.cargo.container.installer;ZipURLInstaller;true;ZipURLInstaller;(URL,String,String);;Argument[0];open-url:ai-generated"
new ZipURLInstaller((URL) source(), "", ""); // $ SSRF
new ZipURLInstaller((URL) source(), "", ""); // $ Alert
}
public void test(HttpResponses r) {
// "org.kohsuke.stapler;HttpResponses;true;staticResource;(URL);;Argument[0];open-url;ai-generated"
r.staticResource((URL) source()); // $ SSRF
r.staticResource((URL) source()); // $ Alert
}
public void test(WSClient c) {
// "play.libs.ws;WSClient;true;url;;;Argument[0];open-url;manual"
c.url((String) source()); // $ SSRF
c.url((String) source()); // $ Alert
}
public void test(StandaloneWSClient c) {
// "play.libs.ws;StandaloneWSClient;true;url;;;Argument[0];open-url;manual"
c.url((String) source()); // $ SSRF
c.url((String) source()); // $ Alert
}
}
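Review bot: The four cxf model-row comments for `ExtendedURIResolver.resolve` and the `URIResolver` constructors end with a stray `]` after the closing quote (`…request-forgery;manual"]`), unlike every other row comment in this class; since the commit rewrites the expectation tag on the line directly below each of them, it would be a good moment to drop the bracket so each comment matches its model row verbatim, e.g. `// "org.apache.cxf.resource;URIResolver;true;URIResolver;(String);;Argument[0];request-forgery;manual"`. Note also that `source()` carries the only `$ Source` tag in the class, so every `$ Alert` presumably resolves to that single source location; that is fine for the inline-expectation check but it means a sink whose flow originates elsewhere would not be distinguished.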