Java: Update request forgery expected output.

2025-12-17 01:03:14 +01:00 · 2024-10-01 15:55:08 +02:00
parent 3b6f39931b
commit cbd9cc6dae
1 changed files with 12 additions and 12 deletions
--- a/java/ql/test/query-tests/security/CWE-918/SanitizationTests.java
+++ b/java/ql/test/query-tests/security/CWE-918/SanitizationTests.java
@@ -20,7 +20,7 @@ public class SanitizationTests extends HttpServlet {
            // BAD: a request parameter is incorporated without validation into a Http
            // request
            HttpRequest r = HttpRequest.newBuilder(uri).build(); // $ SSRF
-            client.send(r, null);
+            client.send(r, null); // $ SSRF

            // GOOD: sanitisation by concatenation with a prefix that prevents targeting an arbitrary host.
            // We test a few different ways of sanitisation: via string conctentation (perhaps nested),
@@ -74,51 +74,51 @@ public class SanitizationTests extends HttpServlet {
            // place to sanitise user input:
            String unsafeUri3 = request.getParameter("baduri3") + "https://example.com/";
            HttpRequest unsafer3 = HttpRequest.newBuilder(new URI(unsafeUri3)).build();  // $ SSRF
-            client.send(unsafer3, null);
+            client.send(unsafer3, null); // $ SSRF

            String unsafeUri4 = ("someprefix" + request.getParameter("baduri4")) + "https://example.com/";
            HttpRequest unsafer4 = HttpRequest.newBuilder(new URI(unsafeUri4)).build(); // $ SSRF
-            client.send(unsafer4, null);
+            client.send(unsafer4, null); // $ SSRF

            StringBuilder unsafeUri5 = new StringBuilder();
            unsafeUri5.append(request.getParameter("baduri5")).append("https://example.com/");
            HttpRequest unsafer5 = HttpRequest.newBuilder(new URI(unsafeUri5.toString())).build(); // $ SSRF
-            client.send(unsafer5, null);
+            client.send(unsafer5, null); // $ SSRF

            StringBuilder unafeUri5a = new StringBuilder(request.getParameter("uri5a"));
            unafeUri5a.append("https://example.com/");
            HttpRequest unsafer5a = HttpRequest.newBuilder(new URI(unafeUri5a.toString())).build(); // $ SSRF
-            client.send(unsafer5a, null);
+            client.send(unsafer5a, null); // $ SSRF

            StringBuilder unsafeUri5b = (new StringBuilder(request.getParameter("uri5b"))).append("dir/");
            unsafeUri5b.append("https://example.com/");
            HttpRequest unsafer5b = HttpRequest.newBuilder(new URI(unsafeUri5b.toString())).build(); // $ SSRF
-            client.send(unsafer5b, null);
+            client.send(unsafer5b, null); // $ SSRF

            StringBuilder unsafeUri5c = (new StringBuilder("https")).append(request.getParameter("uri5c"));
            unsafeUri5c.append("://example.com/dir/");
            HttpRequest unsafer5c = HttpRequest.newBuilder(new URI(unsafeUri5c.toString())).build(); // $ SSRF
-            client.send(unsafer5c, null);
+            client.send(unsafer5c, null); // $ SSRF

            String unsafeUri6 = String.format("%shttps://example.com/", request.getParameter("baduri6"));
            HttpRequest unsafer6 = HttpRequest.newBuilder(new URI(unsafeUri6)).build(); // $ SSRF
-            client.send(unsafer6, null);
+            client.send(unsafer6, null); // $ SSRF

            String unsafeUri7 = String.format("%s/%s", request.getParameter("baduri7"), "https://example.com");
            HttpRequest unsafer7 = HttpRequest.newBuilder(new URI(unsafeUri7)).build(); // $ SSRF
-            client.send(unsafer7, null);
+            client.send(unsafer7, null); // $ SSRF

            String unsafeUri8 = String.format("%s%s", request.getParameter("baduri8"), "https://example.com/");
            HttpRequest unsafer8 = HttpRequest.newBuilder(new URI(unsafeUri8)).build(); // $ SSRF
-            client.send(unsafer8, null);
+            client.send(unsafer8, null); // $ SSRF

            String unsafeUri9 = request.getParameter("baduri9") + "/" + String.format("http://%s", "myserver.com");
            HttpRequest unsafer9 = HttpRequest.newBuilder(new URI(unsafeUri9)).build(); // $ SSRF
-            client.send(unsafer9, null);
+            client.send(unsafer9, null); // $ SSRF

            String unsafeUri10 = String.format("%s://%s:%s%s", "http", "myserver.com", "80", request.getParameter("baduri10"));
            HttpRequest unsafer10 = HttpRequest.newBuilder(new URI(unsafeUri10)).build(); // $ SSRF
-            client.send(unsafer10, null);
+            client.send(unsafer10, null); // $ SSRF
        } catch (Exception e) {
            // TODO: handle exception
        }