Add spring url redirection detect

java/ql/test/experimental/query-tests/security/CWE-601/SpringUrlRedirect.expected

@@ -0,0 +1,19 @@
+edges
+| SpringUrlRedirect.java:13:30:13:47 | redirectUrl : String | SpringUrlRedirect.java:15:19:15:29 | redirectUrl |
+| SpringUrlRedirect.java:20:24:20:41 | redirectUrl : String | SpringUrlRedirect.java:21:36:21:46 | redirectUrl |
+| SpringUrlRedirect.java:26:30:26:47 | redirectUrl : String | SpringUrlRedirect.java:27:44:27:54 | redirectUrl |
+| SpringUrlRedirect.java:32:30:32:47 | redirectUrl : String | SpringUrlRedirect.java:33:47:33:57 | redirectUrl |
+nodes
+| SpringUrlRedirect.java:13:30:13:47 | redirectUrl : String | semmle.label | redirectUrl : String |
+| SpringUrlRedirect.java:15:19:15:29 | redirectUrl | semmle.label | redirectUrl |
+| SpringUrlRedirect.java:20:24:20:41 | redirectUrl : String | semmle.label | redirectUrl : String |
+| SpringUrlRedirect.java:21:36:21:46 | redirectUrl | semmle.label | redirectUrl |
+| SpringUrlRedirect.java:26:30:26:47 | redirectUrl : String | semmle.label | redirectUrl : String |
+| SpringUrlRedirect.java:27:44:27:54 | redirectUrl | semmle.label | redirectUrl |
+| SpringUrlRedirect.java:32:30:32:47 | redirectUrl : String | semmle.label | redirectUrl : String |
+| SpringUrlRedirect.java:33:47:33:57 | redirectUrl | semmle.label | redirectUrl |
+#select
+| SpringUrlRedirect.java:15:19:15:29 | redirectUrl | SpringUrlRedirect.java:13:30:13:47 | redirectUrl : String | SpringUrlRedirect.java:15:19:15:29 | redirectUrl | Potentially untrusted URL redirection due to $@. | SpringUrlRedirect.java:13:30:13:47 | redirectUrl | user-provided value |
+| SpringUrlRedirect.java:21:36:21:46 | redirectUrl | SpringUrlRedirect.java:20:24:20:41 | redirectUrl : String | SpringUrlRedirect.java:21:36:21:46 | redirectUrl | Potentially untrusted URL redirection due to $@. | SpringUrlRedirect.java:20:24:20:41 | redirectUrl | user-provided value |
+| SpringUrlRedirect.java:27:44:27:54 | redirectUrl | SpringUrlRedirect.java:26:30:26:47 | redirectUrl : String | SpringUrlRedirect.java:27:44:27:54 | redirectUrl | Potentially untrusted URL redirection due to $@. | SpringUrlRedirect.java:26:30:26:47 | redirectUrl | user-provided value |
+| SpringUrlRedirect.java:33:47:33:57 | redirectUrl | SpringUrlRedirect.java:32:30:32:47 | redirectUrl : String | SpringUrlRedirect.java:33:47:33:57 | redirectUrl | Potentially untrusted URL redirection due to $@. | SpringUrlRedirect.java:32:30:32:47 | redirectUrl | user-provided value |

java/ql/test/experimental/query-tests/security/CWE-601/SpringUrlRedirect.java

@@ -0,0 +1,52 @@
+import javax.servlet.http.HttpServletResponse;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.servlet.ModelAndView;
+import org.springframework.web.servlet.view.RedirectView;
+
+@Controller
+public class SpringUrlRedirect {
+
+    private final static String VALID_REDIRECT = "http://127.0.0.1";
+
+    @GetMapping("url1")
+    public RedirectView bad1(String redirectUrl, HttpServletResponse response) throws Exception {
+        RedirectView rv = new RedirectView();
+        rv.setUrl(redirectUrl);
+        return rv;
+    }
+
+    @GetMapping("url2")
+    public String bad2(String redirectUrl) {
+        String url = "redirect:" + redirectUrl;
+        return url;
+    }
+
+    @GetMapping("url3")
+    public RedirectView bad3(String redirectUrl) {
+        RedirectView rv = new RedirectView(redirectUrl);
+        return rv;
+    }
+
+    @GetMapping("url4")
+    public ModelAndView bad4(String redirectUrl) {
+        return new ModelAndView("redirect:" + redirectUrl);
+    }
+
+    @GetMapping("url5")
+    public RedirectView good1(String redirectUrl) {
+        RedirectView rv = new RedirectView();
+        if (redirectUrl.startsWith(VALID_REDIRECT)){
+            rv.setUrl(redirectUrl);
+        }else {
+            rv.setUrl(VALID_REDIRECT);
+        }
+        return rv;
+    }
+
+    @GetMapping("url6")
+    public ModelAndView good2(String token) {
+        String url = "/edit?token=" + token;
+        return new ModelAndView("redirect:" + url);
+    }
+}

java/ql/test/experimental/query-tests/security/CWE-601/SpringUrlRedirect.qlref

@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-601/SpringUrlRedirect.ql

java/ql/test/experimental/query-tests/security/CWE-601/options

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/springframework-5.2.3/