Java: convert RequestForgery test to .qlref

java/ql/test/query-tests/security/CWE-918/SanitizationTests.java

@@ -16,11 +16,11 @@ public class SanitizationTests extends HttpServlet {
             throws ServletException, IOException {
         try {
 
-            URI uri = new URI(request.getParameter("uri"));
+            URI uri = new URI(request.getParameter("uri")); // $ Source
             // BAD: a request parameter is incorporated without validation into a Http
             // request
-            HttpRequest r = HttpRequest.newBuilder(uri).build(); // $ SSRF
-            client.send(r, null); // $ SSRF
+            HttpRequest r = HttpRequest.newBuilder(uri).build(); // $ Alert
+            client.send(r, null); // $ Alert
 
             // GOOD: sanitisation by concatenation with a prefix that prevents targeting an arbitrary host.
             // We test a few different ways of sanitisation: via string conctentation (perhaps nested),
@@ -72,55 +72,55 @@ public class SanitizationTests extends HttpServlet {
 
             // BAD: cases where a string that would sanitise is used, but occurs in the wrong
             // place to sanitise user input:
-            String unsafeUri3 = request.getParameter("baduri3") + "https://example.com/";
-            HttpRequest unsafer3 = HttpRequest.newBuilder(new URI(unsafeUri3)).build();  // $ SSRF
-            client.send(unsafer3, null); // $ SSRF
+            String unsafeUri3 = request.getParameter("baduri3") + "https://example.com/"; // $ Source
+            HttpRequest unsafer3 = HttpRequest.newBuilder(new URI(unsafeUri3)).build();  // $ Alert
+            client.send(unsafer3, null); // $ Alert
 
-            String unsafeUri4 = ("someprefix" + request.getParameter("baduri4")) + "https://example.com/";
-            HttpRequest unsafer4 = HttpRequest.newBuilder(new URI(unsafeUri4)).build(); // $ SSRF
-            client.send(unsafer4, null); // $ SSRF
+            String unsafeUri4 = ("someprefix" + request.getParameter("baduri4")) + "https://example.com/"; // $ Source
+            HttpRequest unsafer4 = HttpRequest.newBuilder(new URI(unsafeUri4)).build(); // $ Alert
+            client.send(unsafer4, null); // $ Alert
 
             StringBuilder unsafeUri5 = new StringBuilder();
-            unsafeUri5.append(request.getParameter("baduri5")).append("https://example.com/");
-            HttpRequest unsafer5 = HttpRequest.newBuilder(new URI(unsafeUri5.toString())).build(); // $ SSRF
-            client.send(unsafer5, null); // $ SSRF
+            unsafeUri5.append(request.getParameter("baduri5")).append("https://example.com/"); // $ Source
+            HttpRequest unsafer5 = HttpRequest.newBuilder(new URI(unsafeUri5.toString())).build(); // $ Alert
+            client.send(unsafer5, null); // $ Alert
 
-            StringBuilder unafeUri5a = new StringBuilder(request.getParameter("uri5a"));
+            StringBuilder unafeUri5a = new StringBuilder(request.getParameter("uri5a")); // $ Source
             unafeUri5a.append("https://example.com/");
-            HttpRequest unsafer5a = HttpRequest.newBuilder(new URI(unafeUri5a.toString())).build(); // $ SSRF
-            client.send(unsafer5a, null); // $ SSRF
+            HttpRequest unsafer5a = HttpRequest.newBuilder(new URI(unafeUri5a.toString())).build(); // $ Alert
+            client.send(unsafer5a, null); // $ Alert
 
-            StringBuilder unsafeUri5b = (new StringBuilder(request.getParameter("uri5b"))).append("dir/");
+            StringBuilder unsafeUri5b = (new StringBuilder(request.getParameter("uri5b"))).append("dir/"); // $ Source
             unsafeUri5b.append("https://example.com/");
-            HttpRequest unsafer5b = HttpRequest.newBuilder(new URI(unsafeUri5b.toString())).build(); // $ SSRF
-            client.send(unsafer5b, null); // $ SSRF
+            HttpRequest unsafer5b = HttpRequest.newBuilder(new URI(unsafeUri5b.toString())).build(); // $ Alert
+            client.send(unsafer5b, null); // $ Alert
 
-            StringBuilder unsafeUri5c = (new StringBuilder("https")).append(request.getParameter("uri5c"));
+            StringBuilder unsafeUri5c = (new StringBuilder("https")).append(request.getParameter("uri5c")); // $ Source
             unsafeUri5c.append("://example.com/dir/");
-            HttpRequest unsafer5c = HttpRequest.newBuilder(new URI(unsafeUri5c.toString())).build(); // $ SSRF
-            client.send(unsafer5c, null); // $ SSRF
+            HttpRequest unsafer5c = HttpRequest.newBuilder(new URI(unsafeUri5c.toString())).build(); // $ Alert
+            client.send(unsafer5c, null); // $ Alert
 
-            String unsafeUri6 = String.format("%shttps://example.com/", request.getParameter("baduri6"));
-            HttpRequest unsafer6 = HttpRequest.newBuilder(new URI(unsafeUri6)).build(); // $ SSRF
-            client.send(unsafer6, null); // $ SSRF
+            String unsafeUri6 = String.format("%shttps://example.com/", request.getParameter("baduri6")); // $ Source
+            HttpRequest unsafer6 = HttpRequest.newBuilder(new URI(unsafeUri6)).build(); // $ Alert
+            client.send(unsafer6, null); // $ Alert
 
-            String unsafeUri7 = String.format("%s/%s", request.getParameter("baduri7"), "https://example.com");
-            HttpRequest unsafer7 = HttpRequest.newBuilder(new URI(unsafeUri7)).build(); // $ SSRF
-            client.send(unsafer7, null); // $ SSRF
+            String unsafeUri7 = String.format("%s/%s", request.getParameter("baduri7"), "https://example.com"); // $ Source
+            HttpRequest unsafer7 = HttpRequest.newBuilder(new URI(unsafeUri7)).build(); // $ Alert
+            client.send(unsafer7, null); // $ Alert
 
-            String unsafeUri8 = String.format("%s%s", request.getParameter("baduri8"), "https://example.com/");
-            HttpRequest unsafer8 = HttpRequest.newBuilder(new URI(unsafeUri8)).build(); // $ SSRF
-            client.send(unsafer8, null); // $ SSRF
+            String unsafeUri8 = String.format("%s%s", request.getParameter("baduri8"), "https://example.com/"); // $ Source
+            HttpRequest unsafer8 = HttpRequest.newBuilder(new URI(unsafeUri8)).build(); // $ Alert
+            client.send(unsafer8, null); // $ Alert
 
-            String unsafeUri9 = request.getParameter("baduri9") + "/" + String.format("http://%s", "myserver.com");
-            HttpRequest unsafer9 = HttpRequest.newBuilder(new URI(unsafeUri9)).build(); // $ SSRF
-            client.send(unsafer9, null); // $ SSRF
+            String unsafeUri9 = request.getParameter("baduri9") + "/" + String.format("http://%s", "myserver.com"); // $ Source
+            HttpRequest unsafer9 = HttpRequest.newBuilder(new URI(unsafeUri9)).build(); // $ Alert
+            client.send(unsafer9, null); // $ Alert
 
-            String unsafeUri10 = String.format("%s://%s:%s%s", "http", "myserver.com", "80", request.getParameter("baduri10"));
-            HttpRequest unsafer10 = HttpRequest.newBuilder(new URI(unsafeUri10)).build(); // $ SSRF
-            client.send(unsafer10, null); // $ SSRF
+            String unsafeUri10 = String.format("%s://%s:%s%s", "http", "myserver.com", "80", request.getParameter("baduri10")); // $ Source
+            HttpRequest unsafer10 = HttpRequest.newBuilder(new URI(unsafeUri10)).build(); // $ Alert
+            client.send(unsafer10, null); // $ Alert
         } catch (Exception e) {
             // TODO: handle exception
         }
     }
-}
+}