From b9ce1aefc09f72f53a3ecc1940fe396a679433be Mon Sep 17 00:00:00 2001
From: Tamas Vajk
Date: Tue, 30 Mar 2021 09:31:38 +0200
Subject: [PATCH] Java: Convert unsafe URL opening sinks to CSV format

---
 java/ql/src/Security/CWE/CWE-319/HttpsUrls.ql | 17 ++---------------
 .../semmle/code/java/dataflow/ExternalFlow.qll | 9 ++++++++-
 2 files changed, 10 insertions(+), 16 deletions(-)

diff --git a/java/ql/src/Security/CWE/CWE-319/HttpsUrls.ql b/java/ql/src/Security/CWE/CWE-319/HttpsUrls.ql
index 306bf27ab9c..d1bce930054 100644
--- a/java/ql/src/Security/CWE/CWE-319/HttpsUrls.ql
+++ b/java/ql/src/Security/CWE/CWE-319/HttpsUrls.ql
@@ -13,6 +13,7 @@ import java
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.frameworks.Networking
 import DataFlow::PathGraph
+private import semmle.code.java.dataflow.ExternalFlow

 class HTTPString extends StringLiteral {
 HTTPString() {
@@ -30,26 +31,12 @@ class HTTPString extends StringLiteral {
 }
 }

-class URLOpenMethod extends Method {
- URLOpenMethod() {
- this.getDeclaringType().getQualifiedName() = "java.net.URL" and
- (
- this.getName() = "openConnection" or
- this.getName() = "openStream"
- )
- }
-}
-
 class HTTPStringToURLOpenMethodFlowConfig extends TaintTracking::Configuration {
 HTTPStringToURLOpenMethodFlowConfig() { this = "HttpsUrls::HTTPStringToURLOpenMethodFlowConfig" }

 override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof HTTPString }

- override predicate isSink(DataFlow::Node sink) {
- exists(MethodAccess m |
- sink.asExpr() = m.getQualifier() and m.getMethod() instanceof URLOpenMethod
- )
- }
+ override predicate isSink(DataFlow::Node sink) { sinkNode(sink, "open-url") }

 override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
 exists(UrlConstructorCall u |
diff --git a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
index 4bb79e84ead..ece2c7cff74 100644
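Review bot: In HttpsUrls.ql the new `isSink` depends on the bare string `"open-url"` matching the kind column of rows that live in ExternalFlow.qll, and nothing in this hunk ties the two together. If the kind is misspelled on either side, or the rows are later renamed, the query still compiles and simply reports nothing, which for a CWE-319 check is a silent false negative. I would add a comment above the predicate, for example `// Sinks: qualifier of java.net.URL.openConnection/openStream, modelled as "open-url" rows in ExternalFlow.qll`, and confirm that the query's test still flags both methods (no test file is part of this patch, so that is unverified here). The configuration class continues past the end of the hunk.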
--- a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
+++ b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
@@ -184,7 +184,14 @@ private predicate sourceModelCsv(string row) {
 ]
 }

-private predicate sinkModelCsv(string row) { none() }
+private predicate sinkModelCsv(string row) {
+ row =
+ [
+ // Open URL
+ "java.net;URL;false;openConnection;;;Argument[-1];open-url",
+ "java.net;URL;false;openStream;;;Argument[-1];open-url"
+ ]
+}

 private predicate summaryModelCsv(string row) {
 row =
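Review bot: The two `sinkModelCsv` rows assume the reader already knows the column layout; the `// Open URL` comment does not say that `Argument[-1]` denotes the call's qualifier, or that the empty signature column matches every overload, so `openConnection(Proxy)` is covered as well as `openConnection()`. That agrees with the name-only check in the removed `URLOpenMethod` class, but it is worth stating because any query that asks for `"open-url"` sinks now inherits these rows. Suggested comment: `// Open URL: the qualifier (Argument[-1]) of any URL.openConnection/openStream overload`. `summaryModelCsv` begins at the end of the hunk and continues outside it.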