hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 19:26:02 +02:00
Code Issues Packages Projects Releases Wiki Activity

Split and rename JavaNetHttp and ApacheHttp tests for consistency

Browse Source
This commit is contained in:
Chris Smowton
2021-06-09 18:17:12 +01:00
parent 6c4a909b86
commit cb99e17f4d
3 changed files with 109 additions and 85 deletions
Download Patch File Download Diff File Expand all files Collapse all files

64
java/ql/test/query-tests/security/CWE-918/ApacheHttpSSRF.java Normal file
View File

@@ -0,0 +1,64 @@
import java.io.IOException;
import java.net.URI;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.client.methods.HttpPut;
import org.apache.http.client.methods.HttpDelete;
import org.apache.http.client.methods.HttpHead;
import org.apache.http.client.methods.HttpOptions;
import org.apache.http.client.methods.HttpTrace;
import org.apache.http.client.methods.HttpPatch;
import org.apache.http.client.methods.RequestBuilder;
import org.apache.http.message.BasicHttpRequest;
import org.apache.http.message.BasicHttpEntityEnclosingRequest;
import org.apache.http.message.BasicRequestLine;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
public class ApacheHttpSSRF extends HttpServlet {
protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
try {
String sink = request.getParameter("uri");
URI uri = new URI(sink);
HttpGet httpGet = new HttpGet(uri); // $ SSRF
HttpGet httpGet2 = new HttpGet();
httpGet2.setURI(uri); // $ SSRF
new HttpHead(uri); // $ SSRF
new HttpPost(uri); // $ SSRF
new HttpPut(uri); // $ SSRF
new HttpDelete(uri); // $ SSRF
new HttpOptions(uri); // $ SSRF
new HttpTrace(uri); // $ SSRF
new HttpPatch(uri); // $ SSRF
new BasicHttpRequest(new BasicRequestLine("GET", uri.toString(), null)); // $ SSRF
new BasicHttpRequest("GET", uri.toString()); // $ SSRF
new BasicHttpRequest("GET", uri.toString(), null); // $ SSRF
new BasicHttpEntityEnclosingRequest(new BasicRequestLine("GET", uri.toString(), null)); // $ SSRF
new BasicHttpEntityEnclosingRequest("GET", uri.toString()); // $ SSRF
new BasicHttpEntityEnclosingRequest("GET", uri.toString(), null); // $ SSRF
RequestBuilder.get(uri); // $ SSRF
RequestBuilder.post(uri); // $ SSRF
RequestBuilder.put(uri); // $ SSRF
RequestBuilder.delete(uri); // $ SSRF
RequestBuilder.options(uri); // $ SSRF
RequestBuilder.head(uri); // $ SSRF
RequestBuilder.trace(uri); // $ SSRF
RequestBuilder.patch(uri); // $ SSRF
RequestBuilder.get("").setUri(uri); // $ SSRF
} catch (Exception e) {
// TODO: handle exception
}
}
}

45
java/ql/test/query-tests/security/CWE-918/JavaNetHttpSSRF.java Normal file
View File

@@ -0,0 +1,45 @@
import java.io.IOException;
import java.net.Proxy;
import java.net.SocketAddress;
import java.net.URI;
import java.net.URL;
import java.net.URLConnection;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.Proxy.Type;
import java.io.InputStream;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
public class JavaNetHttpSSRF extends HttpServlet {
private static final String VALID_URI = "http://lgtm.com";
private HttpClient client = HttpClient.newHttpClient();
protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
try {
String sink = request.getParameter("uri");
URI uri = new URI(sink);
URI uri2 = new URI("http", sink, "fragement");
URL url1 = new URL(sink);
URLConnection c1 = url1.openConnection(); // $ SSRF
SocketAddress sa = new SocketAddress() {
};
URLConnection c2 = url1.openConnection(new Proxy(Type.HTTP, sa)); // $ SSRF
InputStream c3 = url1.openStream(); // $ SSRF
// java.net.http
HttpClient client = HttpClient.newHttpClient();
HttpRequest request2 = HttpRequest.newBuilder().uri(uri2).build(); // $ SSRF
HttpRequest request3 = HttpRequest.newBuilder(uri).build(); // $ SSRF
} catch (Exception e) {
// TODO: handle exception
}
}
}

85
java/ql/test/query-tests/security/CWE-918/RequestForgery2.java
View File

@@ -1,85 +0,0 @@
import java.io.IOException;
import java.net.URI;
import java.net.*;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.Proxy.Type;
import java.io.InputStream;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.client.methods.HttpPut;
import org.apache.http.client.methods.HttpDelete;
import org.apache.http.client.methods.HttpHead;
import org.apache.http.client.methods.HttpOptions;
import org.apache.http.client.methods.HttpTrace;
import org.apache.http.client.methods.HttpPatch;
import org.apache.http.client.methods.RequestBuilder;
import org.apache.http.message.BasicHttpRequest;
import org.apache.http.message.BasicHttpEntityEnclosingRequest;
import org.apache.http.message.BasicRequestLine;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
public class RequestForgery2 extends HttpServlet {
private static final String VALID_URI = "http://lgtm.com";
private HttpClient client = HttpClient.newHttpClient();
protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
try {
String sink = request.getParameter("uri");
URI uri = new URI(sink);
URI uri2 = new URI("http", sink, "fragement");
URL url1 = new URL(sink);
URLConnection c1 = url1.openConnection(); // $ SSRF
SocketAddress sa = new SocketAddress() {
};
URLConnection c2 = url1.openConnection(new Proxy(Type.HTTP, sa)); // $ SSRF
InputStream c3 = url1.openStream(); // $ SSRF
// java.net.http
HttpClient client = HttpClient.newHttpClient();
HttpRequest request2 = HttpRequest.newBuilder().uri(uri2).build(); // $ SSRF
HttpRequest request3 = HttpRequest.newBuilder(uri).build(); // $ SSRF
// Apache HTTPlib
HttpGet httpGet = new HttpGet(uri); // $ SSRF
HttpGet httpGet2 = new HttpGet();
httpGet2.setURI(uri2); // $ SSRF
new HttpHead(uri); // $ SSRF
new HttpPost(uri); // $ SSRF
new HttpPut(uri); // $ SSRF
new HttpDelete(uri); // $ SSRF
new HttpOptions(uri); // $ SSRF
new HttpTrace(uri); // $ SSRF
new HttpPatch(uri); // $ SSRF
new BasicHttpRequest(new BasicRequestLine("GET", uri2.toString(), null)); // $ SSRF
new BasicHttpRequest("GET", uri2.toString()); // $ SSRF
new BasicHttpRequest("GET", uri2.toString(), null); // $ SSRF
new BasicHttpEntityEnclosingRequest(new BasicRequestLine("GET", uri2.toString(), null)); // $ SSRF
new BasicHttpEntityEnclosingRequest("GET", uri2.toString()); // $ SSRF
new BasicHttpEntityEnclosingRequest("GET", uri2.toString(), null); // $ SSRF
RequestBuilder.get(uri2); // $ SSRF
RequestBuilder.post(uri2); // $ SSRF
RequestBuilder.put(uri2); // $ SSRF
RequestBuilder.delete(uri2); // $ SSRF
RequestBuilder.options(uri2); // $ SSRF
RequestBuilder.head(uri2); // $ SSRF
RequestBuilder.trace(uri2); // $ SSRF
RequestBuilder.patch(uri2); // $ SSRF
RequestBuilder.get("").setUri(uri2); // $ SSRF
} catch (Exception e) {
// TODO: handle exception
}
}
}