Add missing tests, add additional models revealed missing in the process, and add stubs to support them all.

2026-04-30 03:05:15 +02:00 · 2021-06-09 15:28:37 +01:00
parent 49bbfc3f4b
commit ee872f1752
16 changed files with 1704 additions and 9 deletions
--- a/java/ql/test/query-tests/security/CWE-918/RequestForgery2.java
+++ b/java/ql/test/query-tests/security/CWE-918/RequestForgery2.java
@@ -7,6 +7,17 @@ import java.net.Proxy.Type;
 import java.io.InputStream;

 import org.apache.http.client.methods.HttpGet;
+import org.apache.http.client.methods.HttpPost;
+import org.apache.http.client.methods.HttpPut;
+import org.apache.http.client.methods.HttpDelete;
+import org.apache.http.client.methods.HttpHead;
+import org.apache.http.client.methods.HttpOptions;
+import org.apache.http.client.methods.HttpTrace;
+import org.apache.http.client.methods.HttpPatch;
+import org.apache.http.client.methods.RequestBuilder;
+import org.apache.http.message.BasicHttpRequest;
+import org.apache.http.message.BasicHttpEntityEnclosingRequest;
+import org.apache.http.message.BasicRequestLine;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
@@ -67,6 +78,33 @@ public class RequestForgery2 extends HttpServlet {
            HttpGet httpGet = new HttpGet(uri);
            HttpGet httpGet2 = new HttpGet();
            httpGet2.setURI(uri2);
+
+            new HttpHead(uri);
+            new HttpPost(uri);
+            new HttpPut(uri);
+            new HttpDelete(uri);
+            new HttpOptions(uri);
+            new HttpTrace(uri);
+            new HttpPatch(uri);
+
+            new BasicHttpRequest(new BasicRequestLine("GET", uri2.toString(), null));
+            new BasicHttpRequest("GET", uri2.toString());
+            new BasicHttpRequest("GET", uri2.toString(), null);
+
+            new BasicHttpEntityEnclosingRequest(new BasicRequestLine("GET", uri2.toString(), null));
+            new BasicHttpEntityEnclosingRequest("GET", uri2.toString());
+            new BasicHttpEntityEnclosingRequest("GET", uri2.toString(), null);
+
+            RequestBuilder.get(uri2);
+            RequestBuilder.post(uri2);
+            RequestBuilder.put(uri2);
+            RequestBuilder.delete(uri2);
+            RequestBuilder.options(uri2);
+            RequestBuilder.head(uri2);
+            RequestBuilder.trace(uri2);
+            RequestBuilder.patch(uri2);
+            RequestBuilder.get("").setUri(uri2);
+
        } catch (Exception e) {
            // TODO: handle exception
        }
--- a/java/ql/test/query-tests/security/CWE-918/SpringSSRF.java
+++ b/java/ql/test/query-tests/security/CWE-918/SpringSSRF.java
@@ -1,3 +1,4 @@
+import org.springframework.util.MultiValueMap;
 import org.springframework.web.client.RestTemplate;
 import org.springframework.http.RequestEntity;
 import org.springframework.http.ResponseEntity;
@@ -41,14 +42,22 @@ public class SpringSSRF extends HttpServlet {
                    restTemplate.execute(fooResourceUrl, HttpMethod.POST, null, null, "test");
        }
        {
-            ResponseEntity<String> response =
-                    restTemplate.getForEntity(fooResourceUrl, String.class, "test");
+            String response =
+                    restTemplate.getForObject(fooResourceUrl, String.class, "test");
        }
        {
            String body = new String("body");
+            URI uri = new URI(fooResourceUrl);
            RequestEntity<String> requestEntity =
-                    RequestEntity.post(new URI(fooResourceUrl)).body(body);
+                    RequestEntity.post(uri).body(body);
            ResponseEntity<String> response = restTemplate.exchange(requestEntity, String.class);
+            RequestEntity.get(uri);
+            RequestEntity.put(uri);
+            RequestEntity.delete(uri);
+            RequestEntity.options(uri);
+            RequestEntity.patch(uri);
+            RequestEntity.head(uri);
+            RequestEntity.method(null, uri);
        }
        {
            String response = restTemplate.patchForObject(fooResourceUrl, new String("object"),
@@ -68,6 +77,23 @@ public class SpringSSRF extends HttpServlet {
        {
            restTemplate.put(fooResourceUrl, new String("object"));
        }
+        {
+            URI uri = new URI(fooResourceUrl);
+            MultiValueMap<String, String> headers = null;
+            java.lang.reflect.Type type = null;
+            new RequestEntity<String>(null, uri);
+            new RequestEntity<String>(headers, null, uri);
+            new RequestEntity<String>("body", null, uri);
+            new RequestEntity<String>("body", headers, null, uri);
+            new RequestEntity<String>("body", null, uri, type);
+            new RequestEntity<String>("body", headers, null, uri, type);
+        }
+        {
+            URI uri = new URI(fooResourceUrl);
+            restTemplate.delete(uri);
+            restTemplate.headForHeaders(uri);
+            restTemplate.optionsForAllow(uri);
+        }
        } catch (org.springframework.web.client.RestClientException | java.net.URISyntaxException e) {}
    }
 }