Merge pull request #3454 from porcupineyhairs/javaSSRf

Java : add request forgery query

java/ql/src/Security/CWE/CWE-319/HttpsUrls.ql

@@ -11,6 +11,7 @@
 
 import java
 import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.frameworks.Networking
 import DataFlow::PathGraph
 
 class HTTPString extends StringLiteral {
@@ -29,18 +30,6 @@ class HTTPString extends StringLiteral {
   }
 }
 
-class URLConstructor extends ClassInstanceExpr {
-  URLConstructor() { this.getConstructor().getDeclaringType().getQualifiedName() = "java.net.URL" }
-
-  Expr protocolArg() {
-    // In all cases except where the first parameter is a URL, the argument
-    // containing the protocol is the first one, otherwise it is the second.
-    if this.getConstructor().getParameter(0).getType().getName() = "URL"
-    then result = this.getArgument(1)
-    else result = this.getArgument(0)
-  }
-}
-
 class URLOpenMethod extends Method {
   URLOpenMethod() {
     this.getDeclaringType().getQualifiedName() = "java.net.URL" and
@@ -63,7 +52,7 @@ class HTTPStringToURLOpenMethodFlowConfig extends TaintTracking::Configuration {
   }
 
   override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
-    exists(URLConstructor u |
+    exists(UrlConstructorCall u |
       node1.asExpr() = u.protocolArg() and
       node2.asExpr() = u
     )

java/ql/src/experimental/CWE-918/RequestForgery.java

@@ -0,0 +1,20 @@
+import java.net.http.HttpClient;
+
+public class SSRF extends HttpServlet {
+	private static final String VALID_URI = "http://lgtm.com";
+	private HttpClient client = HttpClient.newHttpClient();
+
+	protected void doGet(HttpServletRequest request, HttpServletResponse response)
+		throws ServletException, IOException {
+		URI uri = new URI(request.getParameter("uri"));
+		// BAD: a request parameter is incorporated without validation into a Http request
+		HttpRequest r = HttpRequest.newBuilder(uri).build();
+		client.send(r, null);
+
+		// GOOD: the request parameter is validated against a known fixed string
+		if (VALID_URI.equals(request.getParameter("uri"))) {
+			HttpRequest r2 = HttpRequest.newBuilder(uri).build();
+			client.send(r2, null);
+		}
+	}
+}

java/ql/src/experimental/CWE-918/RequestForgery.qhelp

@@ -0,0 +1,37 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+
+<overview>
+<p>Directly incorporating user input into a HTTP request without validating the input
+can facilitate Server Side Request Forgery (SSRF) attacks. In these attacks, the server
+may be tricked into making a request and interacting with an attacker-controlled server. 
+</p>
+
+</overview>
+<recommendation>
+
+<p>To guard against SSRF attacks, it is advisable to avoid putting user input
+directly into the request URL. Instead, maintain a list of authorized
+URLs on the server; then choose from that list based on the user input provided.</p>
+
+</recommendation>
+<example>
+
+<p>The following example shows an HTTP request parameter being used directly in a forming a
+new request without validating the input, which facilitates SSRF attacks.
+It also shows how to remedy the problem by validating the user input against a known fixed string.
+</p>
+
+<sample src="RequestForgery.java" />
+
+</example>
+<references>
+  <li>
+    <a href="https://owasp.org/www-community/attacks/Server_Side_Request_Forgery">OWASP SSRF</a>
+  </li>
+
+</references>
+</qhelp>

java/ql/src/experimental/CWE-918/RequestForgery.ql

@@ -0,0 +1,33 @@
+/**
+ * @name Server Side Request Forgery (SSRF)
+ * @description Making web requests based on unvalidated user-input
+ *              may cause server to communicate with malicious servers.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @id java/ssrf
+ * @tags security
+ *       external/cwe/cwe-918
+ */
+
+import java
+import semmle.code.java.dataflow.FlowSources
+import RequestForgery
+import DataFlow::PathGraph
+
+class RequestForgeryConfiguration extends TaintTracking::Configuration {
+  RequestForgeryConfiguration() { this = "Server Side Request Forgery" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof RequestForgerySink }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+    requestForgeryStep(pred, succ)
+  }
+}
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, RequestForgeryConfiguration conf
+where conf.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "Potential server side request forgery due to $@.",
+  source.getNode(), "a user-provided value"

java/ql/src/experimental/CWE-918/RequestForgery.qll

@@ -0,0 +1,193 @@
+import java
+import semmle.code.java.frameworks.Networking
+import semmle.code.java.frameworks.ApacheHttp
+import semmle.code.java.frameworks.spring.Spring
+import semmle.code.java.frameworks.JaxWS
+import semmle.code.java.frameworks.javase.Http
+import semmle.code.java.dataflow.DataFlow
+
+predicate requestForgeryStep(DataFlow::Node pred, DataFlow::Node succ) {
+  // propagate to a URI when its host is assigned to
+  exists(UriCreation c | c.getHostArg() = pred.asExpr() | succ.asExpr() = c)
+  or
+  // propagate to a URL when its host is assigned to
+  exists(UrlConstructorCall c | c.getHostArg() = pred.asExpr() | succ.asExpr() = c)
+  or
+  // propagate to a RequestEntity when its url is assigned to
+  exists(MethodAccess m |
+    m.getMethod().getDeclaringType() instanceof SpringRequestEntity and
+    (
+      m.getMethod().hasName(["get", "post", "head", "delete", "options", "patch", "put"]) and
+      m.getArgument(0) = pred.asExpr() and
+      m = succ.asExpr()
+      or
+      m.getMethod().hasName("method") and
+      m.getArgument(1) = pred.asExpr() and
+      m = succ.asExpr()
+    )
+  )
+  or
+  // propagate from a `RequestEntity<>$BodyBuilder` to a `RequestEntity`
+  // when the builder is tainted
+  exists(MethodAccess m, RefType t |
+    m.getMethod().getDeclaringType() = t and
+    t.hasQualifiedName("org.springframework.http", "RequestEntity<>$BodyBuilder") and
+    m.getMethod().hasName("body") and
+    m.getQualifier() = pred.asExpr() and
+    m = succ.asExpr()
+  )
+}
+
+/** A data flow sink for request forgery vulnerabilities. */
+abstract class RequestForgerySink extends DataFlow::Node { }
+
+/**
+ * An argument to an url `openConnection` or `openStream` call
+ *  taken as a sink for request forgery vulnerabilities.
+ */
+private class UrlOpen extends RequestForgerySink {
+  UrlOpen() {
+    exists(MethodAccess ma |
+      ma.getMethod() instanceof UrlOpenConnectionMethod or
+      ma.getMethod() instanceof UrlOpenStreamMethod
+    |
+      this.asExpr() = ma.getQualifier()
+    )
+  }
+}
+
+/**
+ * An argument to an Apache `setURI` call taken as a
+ *   sink for request forgery vulnerabilities.
+ */
+private class ApacheSetUri extends RequestForgerySink {
+  ApacheSetUri() {
+    exists(MethodAccess ma |
+      ma.getReceiverType() instanceof ApacheHttpRequest and
+      ma.getMethod().hasName("setURI")
+    |
+      this.asExpr() = ma.getArgument(0)
+    )
+  }
+}
+
+/**
+ * An argument to any Apache Request Instantiation call taken as a
+ *   sink for request forgery vulnerabilities.
+ */
+private class ApacheHttpRequestInstantiation extends RequestForgerySink {
+  ApacheHttpRequestInstantiation() {
+    exists(ClassInstanceExpr c | c.getConstructedType() instanceof ApacheHttpRequest |
+      this.asExpr() = c.getArgument(0)
+    )
+  }
+}
+
+/**
+ * An argument to a Apache RequestBuilder method call taken as a
+ *   sink for request forgery vulnerabilities.
+ */
+private class ApacheHttpRequestBuilderArgument extends RequestForgerySink {
+  ApacheHttpRequestBuilderArgument() {
+    exists(MethodAccess ma |
+      ma.getReceiverType() instanceof TypeApacheHttpRequestBuilder and
+      ma.getMethod().hasName(["setURI", "get", "post", "put", "optons", "head", "delete"])
+    |
+      this.asExpr() = ma.getArgument(0)
+    )
+  }
+}
+
+/**
+ * An argument to any Java.net.http.request Instantiation call taken as a
+ *   sink for request forgery vulnerabilities.
+ */
+private class HttpRequestNewBuilder extends RequestForgerySink {
+  HttpRequestNewBuilder() {
+    exists(MethodAccess call |
+      call.getCallee().hasName("newBuilder") and
+      call.getMethod().getDeclaringType().getName() = "HttpRequest"
+    |
+      this.asExpr() = call.getArgument(0)
+    )
+  }
+}
+
+/**
+ * An argument to an Http Builder `uri` call taken as a
+ *   sink for request forgery vulnerabilities.
+ */
+private class HttpBuilderUriArgument extends RequestForgerySink {
+  HttpBuilderUriArgument() {
+    exists(MethodAccess ma | ma.getMethod() instanceof HttpBuilderUri |
+      this.asExpr() = ma.getArgument(0)
+    )
+  }
+}
+
+/**
+ * An argument to a Spring Rest Template method call taken as a
+ *   sink for request forgery vulnerabilities.
+ */
+private class SpringRestTemplateArgument extends RequestForgerySink {
+  SpringRestTemplateArgument() {
+    exists(MethodAccess ma |
+      this.asExpr() = ma.getMethod().(SpringRestTemplateUrlMethods).getUrlArgument(ma)
+    )
+  }
+}
+
+/**
+ * An argument to `javax.ws.rs.Client`s `target` method call taken as a
+ *   sink for request forgery vulnerabilities.
+ */
+private class JaxRsClientTarget extends RequestForgerySink {
+  JaxRsClientTarget() {
+    exists(MethodAccess ma |
+      ma.getMethod().getDeclaringType() instanceof JaxRsClient and
+      ma.getMethod().hasName("target")
+    |
+      this.asExpr() = ma.getArgument(0)
+    )
+  }
+}
+
+/**
+ * An argument to `org.springframework.http.RequestEntity`s constructor call
+ *   which is an URI taken as a sink for request forgery vulnerabilities.
+ */
+private class RequestEntityUriArg extends RequestForgerySink {
+  RequestEntityUriArg() {
+    exists(ClassInstanceExpr e, Argument a |
+      e.getConstructedType() instanceof SpringRequestEntity and
+      e.getAnArgument() = a and
+      a.getType() instanceof TypeUri and
+      this.asExpr() = a
+    )
+  }
+}
+
+/**
+ * A class representing all Spring Rest Template methods
+ * which take an URL as an argument.
+ */
+private class SpringRestTemplateUrlMethods extends Method {
+  SpringRestTemplateUrlMethods() {
+    this.getDeclaringType() instanceof SpringRestTemplate and
+    this
+        .hasName([
+            "doExecute", "postForEntity", "postForLocation", "postForObject", "put", "exchange",
+            "execute", "getForEntity", "getForObject", "patchForObject"
+          ])
+  }
+
+  /**
+   * Gets the argument which corresponds to a URL argument
+   * passed as a `java.net.URL` object or as a string or the like
+   */
+  Argument getUrlArgument(MethodAccess ma) {
+    // doExecute(URI url, HttpMethod method, RequestCallback requestCallback,
+    //  ResponseExtractor<T> responseExtractor)
+    result = ma.getArgument(0)
+  }
+}

java/ql/src/experimental/Security/CWE/CWE-522/InsecureBasicAuth.ql

@@ -10,6 +10,7 @@
 
 import java
 import semmle.code.java.frameworks.Networking
+import semmle.code.java.frameworks.ApacheHttp
 import semmle.code.java.dataflow.TaintTracking
 import DataFlow::PathGraph
 
@@ -21,19 +22,6 @@ private string getPrivateHostRegex() {
     "(?i)localhost(?:[:/?#].*)?|127\\.0\\.0\\.1(?:[:/?#].*)?|10(?:\\.[0-9]+){3}(?:[:/?#].*)?|172\\.16(?:\\.[0-9]+){2}(?:[:/?#].*)?|192.168(?:\\.[0-9]+){2}(?:[:/?#].*)?|\\[?0:0:0:0:0:0:0:1\\]?(?:[:/?#].*)?|\\[?::1\\]?(?:[:/?#].*)?"
 }
 
-/**
- * The Java class `org.apache.http.client.methods.HttpRequestBase`. Popular subclasses include `HttpGet`, `HttpPost`, and `HttpPut`.
- * And the Java class `org.apache.http.message.BasicHttpRequest`.
- */
-class ApacheHttpRequest extends RefType {
-  ApacheHttpRequest() {
-    this
-        .getASourceSupertype*()
-        .hasQualifiedName("org.apache.http.client.methods", "HttpRequestBase") or
-    this.getASourceSupertype*().hasQualifiedName("org.apache.http.message", "BasicHttpRequest")
-  }
-}
-
 /**
  * Class of Java URL constructor.
  */

java/ql/src/semmle/code/java/frameworks/ApacheHttp.qll

@@ -1,3 +1,7 @@
+/**
+ * Provides classes and predicates related to `org.apache.http.*`.
+ */
+
 import java
 
 class ApacheHttpGetParams extends Method {
@@ -13,3 +17,26 @@ class ApacheHttpEntityGetContent extends Method {
     this.getName() = "getContent"
   }
 }
+
+/**
+ * An HTTP request as represented by the Apache HTTP Client library. This is
+ * either `org.apache.http.client.methods.HttpRequestBase`,
+ * `org.apache.http.message.BasicHttpRequest`, or one of their subclasses.
+ */
+class ApacheHttpRequest extends RefType {
+  ApacheHttpRequest() {
+    this
+        .getASourceSupertype*()
+        .hasQualifiedName("org.apache.http.client.methods", "HttpRequestBase") or
+    this.getASourceSupertype*().hasQualifiedName("org.apache.http.message", "BasicHttpRequest")
+  }
+}
+
+/**
+ * The `org.apache.http.client.methods.RequestBuilder` class.
+ */
+class TypeApacheHttpRequestBuilder extends Class {
+  TypeApacheHttpRequestBuilder() {
+    this.hasQualifiedName("org.apache.http.client.methods", "RequestBuilder")
+  }
+}

java/ql/src/semmle/code/java/frameworks/JaxWS.qll

@@ -170,6 +170,13 @@ class JaxRsResponseBuilder extends Class {
   JaxRsResponseBuilder() { this.hasQualifiedName("javax.ws.rs.core", "ResponseBuilder") }
 }
 
+/**
+ * The class `javax.ws.rs.client.Client`.
+ */
+class JaxRsClient extends RefType {
+  JaxRsClient() { this.hasQualifiedName("javax.ws.rs.client", "Client") }
+}
+
 /**
  * A constructor that may be called by a JaxRS container to construct an instance to inject into a
  * resource method or resource class constructor.

java/ql/src/semmle/code/java/frameworks/Networking.qll

@@ -41,3 +41,91 @@ class SocketGetInputStreamMethod extends Method {
     hasNoParameters()
   }
 }
+
+/** A method or constructor call that returns a new `URI`. */
+class UriCreation extends Call {
+  UriCreation() {
+    this.getCallee().getDeclaringType() instanceof TypeUri and
+    (this instanceof ClassInstanceExpr or this.getCallee().hasName("create"))
+  }
+
+  /**
+   * Gets the host argument of the newly created URI. In the case where the
+   * host is specified separately, this is only the host. In the case where the
+   * uri is parsed from an input string, such as in
+   * `URI("http://foo.com/mypath")`, this is the entire argument passed in,
+   * that is `"http://foo.com/mypath"`.
+   */
+  Expr getHostArg() { none() }
+}
+
+/** A `java.net.URI` constructor call. */
+class UriConstructorCall extends ClassInstanceExpr, UriCreation {
+  override Expr getHostArg() {
+    // URI(String str)
+    result = this.getArgument(0) and this.getNumArgument() = 1
+    or
+    // URI(String scheme, String ssp, String fragment)
+    // URI(String scheme, String host, String path, String fragment)
+    // URI(String scheme, String authority, String path, String query, String fragment)
+    result = this.getArgument(1) and this.getNumArgument() = [3, 4, 5]
+    or
+    // URI(String scheme, String userInfo, String host, int port, String path, String query,
+    //    String fragment)
+    result = this.getArgument(2) and this.getNumArgument() = 7
+  }
+}
+
+/** A call to `java.net.URI::create`. */
+class UriCreate extends UriCreation {
+  UriCreate() { this.getCallee().hasName("create") }
+
+  override Expr getHostArg() { result = this.getArgument(0) }
+}
+
+/** A `java.net.URL` constructor call. */
+class UrlConstructorCall extends ClassInstanceExpr {
+  UrlConstructorCall() { this.getConstructor().getDeclaringType() instanceof TypeUrl }
+
+  /** Gets the host argument of the newly created URL. */
+  Expr getHostArg() {
+    // URL(String spec)
+    this.getNumArgument() = 1 and result = this.getArgument(0)
+    or
+    // URL(String protocol, String host, int port, String file)
+    // URL(String protocol, String host, int port, String file, URLStreamHandler handler)
+    this.getNumArgument() = [4, 5] and result = this.getArgument(1)
+    or
+    // URL(String protocol, String host, String file)
+    // but not
+    // URL(URL context, String spec, URLStreamHandler handler)
+    this.getNumArgument() = 3 and
+    this.getConstructor().getParameterType(2) instanceof TypeString and
+    result = this.getArgument(1)
+  }
+
+  /** Gets the argument that corresponds to the protocol of the URL. */
+  Expr protocolArg() {
+    // In all cases except where the first parameter is a URL, the argument
+    // containing the protocol is the first one, otherwise it is the second.
+    if this.getConstructor().getParameterType(0) instanceof TypeUrl
+    then result = this.getArgument(1)
+    else result = this.getArgument(0)
+  }
+}
+
+/** The method `java.net.URL::openStream`. */
+class UrlOpenStreamMethod extends Method {
+  UrlOpenStreamMethod() {
+    this.getDeclaringType() instanceof TypeUrl and
+    this.getName() = "openStream"
+  }
+}
+
+/** The method `java.net.URL::openConnection`. */
+class UrlOpenConnectionMethod extends Method {
+  UrlOpenConnectionMethod() {
+    this.getDeclaringType() instanceof TypeUrl and
+    this.getName() = "openConnection"
+  }
+}

java/ql/src/semmle/code/java/frameworks/javase/Http.qll

@@ -0,0 +1,23 @@
+/**
+ * Provides classes and predicates related to `java.net.http.*`.
+ */
+
+import java
+
+/** The interface representing `HttpRequest.Builder`. */
+class TypeHttpRequestBuilder extends Interface {
+  TypeHttpRequestBuilder() { hasQualifiedName("java.net.http", "HttpRequest$Builder") }
+}
+
+/** The interface representing `java.net.http.HttpRequest`. */
+class TypeHttpRequest extends Interface {
+  TypeHttpRequest() { hasQualifiedName("java.net.http", "HttpRequest") }
+}
+
+/** The `uri` method on `java.net.http.HttpRequest.Builder`. */
+class HttpBuilderUri extends Method {
+  HttpBuilderUri() {
+    this.getDeclaringType() instanceof TypeHttpRequestBuilder and
+    this.getName() = "uri"
+  }
+}

java/ql/test/experimental/query-tests/security/CWE-918/JaxWsSSRF.java

@@ -0,0 +1,25 @@
+import javax.ws.rs.client.*;
+import java.io.IOException;
+import java.net.URI;
+import java.net.*;
+import java.net.http.HttpClient;
+import java.net.http.HttpRequest;
+import java.net.Proxy.Type;
+import java.io.InputStream;
+
+import org.apache.http.client.methods.HttpGet;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+public class JaxWsSSRF extends HttpServlet {
+
+    protected void doGet(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        Client client = ClientBuilder.newClient();
+        String url = request.getParameter("url");
+        client.target(url);
+    }
+
+}

java/ql/test/experimental/query-tests/security/CWE-918/RequestForgery.expected

@@ -0,0 +1,64 @@
+edges
+| JaxWsSSRF.java:21:22:21:48 | getParameter(...) : String | JaxWsSSRF.java:22:23:22:25 | url |
+| RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:55:32:55:35 | url1 |
+| RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:58:32:58:35 | url1 |
+| RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:59:30:59:33 | url1 |
+| RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:63:65:63:68 | uri2 |
+| RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:64:59:64:61 | uri |
+| RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:67:43:67:45 | uri |
+| RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:69:29:69:32 | uri2 |
+| RequestForgery.java:19:31:19:57 | getParameter(...) : String | RequestForgery.java:22:52:22:54 | uri |
+| RequestForgery.java:19:31:19:57 | getParameter(...) : String | RequestForgery.java:27:57:27:59 | uri |
+| SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:32:47:32:67 | ... + ... |
+| SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:37:43:37:56 | fooResourceUrl |
+| SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:41:42:41:55 | fooResourceUrl |
+| SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:45:47:45:60 | fooResourceUrl |
+| SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:54:59:54:72 | fooResourceUrl |
+| SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:58:74:58:96 | new URI(...) |
+| SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:62:57:62:70 | fooResourceUrl |
+| SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:66:48:66:61 | fooResourceUrl |
+| SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:69:30:69:43 | fooResourceUrl |
+nodes
+| JaxWsSSRF.java:21:22:21:48 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JaxWsSSRF.java:22:23:22:25 | url | semmle.label | url |
+| RequestForgery2.java:23:27:23:53 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| RequestForgery2.java:55:32:55:35 | url1 | semmle.label | url1 |
+| RequestForgery2.java:58:32:58:35 | url1 | semmle.label | url1 |
+| RequestForgery2.java:59:30:59:33 | url1 | semmle.label | url1 |
+| RequestForgery2.java:63:65:63:68 | uri2 | semmle.label | uri2 |
+| RequestForgery2.java:64:59:64:61 | uri | semmle.label | uri |
+| RequestForgery2.java:67:43:67:45 | uri | semmle.label | uri |
+| RequestForgery2.java:69:29:69:32 | uri2 | semmle.label | uri2 |
+| RequestForgery.java:19:31:19:57 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| RequestForgery.java:22:52:22:54 | uri | semmle.label | uri |
+| RequestForgery.java:27:57:27:59 | uri | semmle.label | uri |
+| SpringSSRF.java:26:33:26:60 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| SpringSSRF.java:32:47:32:67 | ... + ... | semmle.label | ... + ... |
+| SpringSSRF.java:37:43:37:56 | fooResourceUrl | semmle.label | fooResourceUrl |
+| SpringSSRF.java:41:42:41:55 | fooResourceUrl | semmle.label | fooResourceUrl |
+| SpringSSRF.java:45:47:45:60 | fooResourceUrl | semmle.label | fooResourceUrl |
+| SpringSSRF.java:54:59:54:72 | fooResourceUrl | semmle.label | fooResourceUrl |
+| SpringSSRF.java:58:74:58:96 | new URI(...) | semmle.label | new URI(...) |
+| SpringSSRF.java:62:57:62:70 | fooResourceUrl | semmle.label | fooResourceUrl |
+| SpringSSRF.java:66:48:66:61 | fooResourceUrl | semmle.label | fooResourceUrl |
+| SpringSSRF.java:69:30:69:43 | fooResourceUrl | semmle.label | fooResourceUrl |
+#select
+| JaxWsSSRF.java:22:23:22:25 | url | JaxWsSSRF.java:21:22:21:48 | getParameter(...) : String | JaxWsSSRF.java:22:23:22:25 | url | Potential server side request forgery due to $@. | JaxWsSSRF.java:21:22:21:48 | getParameter(...) | a user-provided value |
+| RequestForgery2.java:55:32:55:35 | url1 | RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:55:32:55:35 | url1 | Potential server side request forgery due to $@. | RequestForgery2.java:23:27:23:53 | getParameter(...) | a user-provided value |
+| RequestForgery2.java:58:32:58:35 | url1 | RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:58:32:58:35 | url1 | Potential server side request forgery due to $@. | RequestForgery2.java:23:27:23:53 | getParameter(...) | a user-provided value |
+| RequestForgery2.java:59:30:59:33 | url1 | RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:59:30:59:33 | url1 | Potential server side request forgery due to $@. | RequestForgery2.java:23:27:23:53 | getParameter(...) | a user-provided value |
+| RequestForgery2.java:63:65:63:68 | uri2 | RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:63:65:63:68 | uri2 | Potential server side request forgery due to $@. | RequestForgery2.java:23:27:23:53 | getParameter(...) | a user-provided value |
+| RequestForgery2.java:64:59:64:61 | uri | RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:64:59:64:61 | uri | Potential server side request forgery due to $@. | RequestForgery2.java:23:27:23:53 | getParameter(...) | a user-provided value |
+| RequestForgery2.java:67:43:67:45 | uri | RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:67:43:67:45 | uri | Potential server side request forgery due to $@. | RequestForgery2.java:23:27:23:53 | getParameter(...) | a user-provided value |
+| RequestForgery2.java:69:29:69:32 | uri2 | RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:69:29:69:32 | uri2 | Potential server side request forgery due to $@. | RequestForgery2.java:23:27:23:53 | getParameter(...) | a user-provided value |
+| RequestForgery.java:22:52:22:54 | uri | RequestForgery.java:19:31:19:57 | getParameter(...) : String | RequestForgery.java:22:52:22:54 | uri | Potential server side request forgery due to $@. | RequestForgery.java:19:31:19:57 | getParameter(...) | a user-provided value |
+| RequestForgery.java:27:57:27:59 | uri | RequestForgery.java:19:31:19:57 | getParameter(...) : String | RequestForgery.java:27:57:27:59 | uri | Potential server side request forgery due to $@. | RequestForgery.java:19:31:19:57 | getParameter(...) | a user-provided value |
+| SpringSSRF.java:32:47:32:67 | ... + ... | SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:32:47:32:67 | ... + ... | Potential server side request forgery due to $@. | SpringSSRF.java:26:33:26:60 | getParameter(...) | a user-provided value |
+| SpringSSRF.java:37:43:37:56 | fooResourceUrl | SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:37:43:37:56 | fooResourceUrl | Potential server side request forgery due to $@. | SpringSSRF.java:26:33:26:60 | getParameter(...) | a user-provided value |
+| SpringSSRF.java:41:42:41:55 | fooResourceUrl | SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:41:42:41:55 | fooResourceUrl | Potential server side request forgery due to $@. | SpringSSRF.java:26:33:26:60 | getParameter(...) | a user-provided value |
+| SpringSSRF.java:45:47:45:60 | fooResourceUrl | SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:45:47:45:60 | fooResourceUrl | Potential server side request forgery due to $@. | SpringSSRF.java:26:33:26:60 | getParameter(...) | a user-provided value |
+| SpringSSRF.java:54:59:54:72 | fooResourceUrl | SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:54:59:54:72 | fooResourceUrl | Potential server side request forgery due to $@. | SpringSSRF.java:26:33:26:60 | getParameter(...) | a user-provided value |
+| SpringSSRF.java:58:74:58:96 | new URI(...) | SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:58:74:58:96 | new URI(...) | Potential server side request forgery due to $@. | SpringSSRF.java:26:33:26:60 | getParameter(...) | a user-provided value |
+| SpringSSRF.java:62:57:62:70 | fooResourceUrl | SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:62:57:62:70 | fooResourceUrl | Potential server side request forgery due to $@. | SpringSSRF.java:26:33:26:60 | getParameter(...) | a user-provided value |
+| SpringSSRF.java:66:48:66:61 | fooResourceUrl | SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:66:48:66:61 | fooResourceUrl | Potential server side request forgery due to $@. | SpringSSRF.java:26:33:26:60 | getParameter(...) | a user-provided value |
+| SpringSSRF.java:69:30:69:43 | fooResourceUrl | SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:69:30:69:43 | fooResourceUrl | Potential server side request forgery due to $@. | SpringSSRF.java:26:33:26:60 | getParameter(...) | a user-provided value |

java/ql/test/experimental/query-tests/security/CWE-918/RequestForgery.java

@@ -0,0 +1,34 @@
+import java.io.IOException;
+import java.net.URI;
+import java.net.http.HttpClient;
+import java.net.http.HttpRequest;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+public class RequestForgery extends HttpServlet {
+    private static final String VALID_URI = "http://lgtm.com";
+    private HttpClient client = HttpClient.newHttpClient();
+
+    protected void doGet(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        try {
+
+            URI uri = new URI(request.getParameter("uri"));
+            // BAD: a request parameter is incorporated without validation into a Http
+            // request
+            HttpRequest r = HttpRequest.newBuilder(uri).build();
+            client.send(r, null);
+
+            // GOOD: the request parameter is validated against a known fixed string
+            if (VALID_URI.equals(request.getParameter("uri"))) {
+                HttpRequest r2 = HttpRequest.newBuilder(uri).build();
+                client.send(r2, null);
+            }
+        } catch (Exception e) {
+            // TODO: handle exception
+        }
+    }
+}

java/ql/test/experimental/query-tests/security/CWE-918/RequestForgery.qlref

@@ -0,0 +1 @@
+experimental/CWE-918/RequestForgery.ql

java/ql/test/experimental/query-tests/security/CWE-918/RequestForgery2.java

@@ -0,0 +1,84 @@
+import java.io.IOException;
+import java.net.URI;
+import java.net.*;
+import java.net.http.HttpClient;
+import java.net.http.HttpRequest;
+import java.net.Proxy.Type;
+import java.io.InputStream;
+
+import org.apache.http.client.methods.HttpGet;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+public class RequestForgery2 extends HttpServlet {
+    private static final String VALID_URI = "http://lgtm.com";
+    private HttpClient client = HttpClient.newHttpClient();
+
+    protected void doGet(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        try {
+
+            String sink = request.getParameter("uri");
+            // URI(String str)
+            URI uri = new URI(sink);
+
+            // URI(String scheme, String ssp, String fragment)
+            URI uri2 = new URI("http", sink, "fragement");
+
+            // URI(String scheme, String userInfo, String host, int port, String path,
+            // String query, String fragment)
+            URI uri3 = new URI("http", "userinfo", "host", 1, "path", "query", "fragment");
+            // URI(String scheme, String host, String path, String fragment)
+            URI uri4 = new URI("http", "host", "path", "fragment");
+            // URI(String scheme, String authority, String path, String query, String
+            // fragment)
+            URI uri5 = new URI("http", "authority", "path", "query", "fragment");
+            URI uri6 = URI.create("http://foo.com/");
+
+            // URL(String spec)
+            URL url1 = new URL(sink);
+            // URL(String protocol, String host, int port, String file)
+            URL url2 = new URL("http", "host", 1, "file");
+            // URL(String protocol, String host, String file)
+            URL url3 = new URL("http", "host", "file");
+            // URL(URL context, String spec)
+            URL url4 = new URL(url3, "http");
+            // URL(String protocol, String host, int port, String file, URLStreamHandler
+            // handler)
+            URL url5 = new URL("http", "host", 1, "file", new Helper2());
+
+            // URL(URL context, String spec, URLStreamHandler handler)
+            URL url6 = new URL(url3, "spec", new Helper2());
+
+            URLConnection c1 = url1.openConnection();
+            SocketAddress sa = new SocketAddress() {
+            };
+            URLConnection c2 = url1.openConnection(new Proxy(Type.HTTP, sa));
+            InputStream c3 = url1.openStream();
+
+            // java.net.http
+            HttpClient client = HttpClient.newHttpClient();
+            HttpRequest request2 = HttpRequest.newBuilder().uri(uri2).build();
+            HttpRequest request3 = HttpRequest.newBuilder(uri).build();
+
+            // Apache HTTPlib
+            HttpGet httpGet = new HttpGet(uri);
+            HttpGet httpGet2 = new HttpGet();
+            httpGet2.setURI(uri2);
+        } catch (Exception e) {
+            // TODO: handle exception
+        }
+    }
+}
+
+
+class Helper2 extends URLStreamHandler {
+    Helper2() {
+    }
+
+    protected URLConnection openConnection(URL u) throws IOException {
+        return null;
+    }
+}

java/ql/test/experimental/query-tests/security/CWE-918/Sinks.java

@@ -0,0 +1,72 @@
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.Proxy;
+import java.net.SocketAddress;
+import java.net.URI;
+import java.net.URL;
+import java.net.URLConnection;
+import java.net.URLStreamHandler;
+import java.net.Proxy.Type;
+import org.apache.http.client.methods.HttpGet;
+// import java.net.http.HttpClient;
+// import java.net.http.HttpRequest;
+
+public class Sinks {
+    public static void main(String[] args) throws Exception {
+        // URI(String str)
+        URI uri = new URI("uri1");
+
+        // URI(String scheme, String ssp, String fragment)
+        URI uri2 = new URI("http", "ssp", "fragement");
+
+        // URI(String scheme, String userInfo, String host, int port, String path,
+        // String query, String fragment)
+        URI uri3 = new URI("http", "userinfo", "host", 1, "path", "query", "fragment");
+        // URI(String scheme, String host, String path, String fragment)
+        URI uri4 = new URI("http", "host", "path", "fragment");
+        // URI(String scheme, String authority, String path, String query, String
+        // fragment)
+        URI uri5 = new URI("http", "authority", "path", "query", "fragment");
+        URI uri6 = URI.create("http://foo.com/");
+
+        // URL(String spec)
+        URL url1 = new URL("spec");
+        // URL(String protocol, String host, int port, String file)
+        URL url2 = new URL("http", "host", 1, "file");
+        // URL(String protocol, String host, String file)
+        URL url3 = new URL("http", "host", "file");
+        // URL(URL context, String spec)
+        URL url4 = new URL(url3, "http");
+        // URL(String protocol, String host, int port, String file, URLStreamHandler
+        // handler)
+        URL url5 = new URL("http", "host", 1, "file", new Helper());
+
+        // URL(URL context, String spec, URLStreamHandler handler)
+        URL url6 = new URL(url3, "spec", new Helper());
+
+        URLConnection c1 = url1.openConnection();
+        SocketAddress sa = new SocketAddress() {
+        };
+        URLConnection c2 = url1.openConnection(new Proxy(Type.HTTP, sa));
+        InputStream c3 = url1.openStream();
+
+        // java.net.http
+        // HttpClient client = HttpClient.newHttpClient();
+        // HttpRequest request2 = HttpRequest.newBuilder().uri(uri2).build();
+        // HttpRequest request3 = HttpRequest.newBuilder(uri).build();
+
+        // Apache HTTPlib
+        HttpGet httpGet = new HttpGet(uri);
+        HttpGet httpGet2 = new HttpGet();
+        httpGet2.setURI(uri2);
+
+    }
+
+}
+
+class Helper extends URLStreamHandler {
+    @Override
+    protected URLConnection openConnection(URL arg0) throws IOException {
+        return null;
+    }
+}

java/ql/test/experimental/query-tests/security/CWE-918/SpringSSRF.java

@@ -0,0 +1,72 @@
+import org.springframework.web.client.RestTemplate;
+import org.springframework.http.RequestEntity;
+import org.springframework.http.ResponseEntity;
+import org.springframework.http.HttpEntity;
+import org.springframework.http.HttpStatus;
+import java.net.URI;
+import org.springframework.http.HttpMethod;
+import java.io.IOException;
+import java.net.URI;
+import java.net.*;
+import java.net.http.HttpClient;
+import java.net.http.HttpRequest;
+import java.net.Proxy.Type;
+import java.io.InputStream;
+
+import org.apache.http.client.methods.HttpGet;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+public class SpringSSRF extends HttpServlet {
+
+    protected void doGet(HttpServletRequest request2, HttpServletResponse response2)
+            throws ServletException, IOException {
+        String fooResourceUrl = request2.getParameter("uri");;
+        RestTemplate restTemplate = new RestTemplate();
+        HttpEntity<String> request = new HttpEntity<>(new String("bar"));
+
+        {
+            ResponseEntity<String> response =
+                    restTemplate.getForEntity(fooResourceUrl + "/1", String.class);
+        }
+
+        {
+            ResponseEntity<String> response =
+                    restTemplate.exchange(fooResourceUrl, HttpMethod.POST, request, String.class);
+        }
+        {
+            ResponseEntity<String> response =
+                    restTemplate.execute(fooResourceUrl, HttpMethod.POST, null, null, "test");
+        }
+        {
+            ResponseEntity<String> response =
+                    restTemplate.getForEntity(fooResourceUrl, String.class, "test");
+        }
+        {
+            String body = new String("body");
+            RequestEntity<String> requestEntity =
+                    RequestEntity.post(new URI(fooResourceUrl)).body(body);
+            ResponseEntity<String> response = restTemplate.exchange(requestEntity, String.class);
+        }
+        {
+            String response = restTemplate.patchForObject(fooResourceUrl, new String("object"),
+                    String.class, "hi");
+        }
+        {
+            ResponseEntity<String> response = restTemplate.postForEntity(new URI(fooResourceUrl),
+                    new String("object"), String.class);
+        }
+        {
+            URI response = restTemplate.postForLocation(fooResourceUrl, new String("object"));
+        }
+        {
+            String response =
+                    restTemplate.postForObject(fooResourceUrl, new String("object"), String.class);
+        }
+        {
+            restTemplate.put(fooResourceUrl, new String("object"));
+        }
+    }
+}

java/ql/test/experimental/query-tests/security/CWE-918/options

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -source 11 -target 11 -cp ${testdir}/../../../../stubs/springframework-5.2.3:${testdir}/../../../stubs/javax-ws-rs-api-2.1.1:${testdir}/../../../../stubs/apache-http-4.4.13/:${testdir}/../../../../stubs/servlet-api-2.4/

java/ql/test/experimental/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/client/Client.java

@@ -0,0 +1,12 @@
+package javax.ws.rs.client;
+
+public abstract interface Client extends javax.ws.rs.core.Configurable {
+
+    public abstract javax.ws.rs.client.WebTarget target(java.lang.String arg0);
+
+    public abstract javax.ws.rs.client.WebTarget target(java.net.URI arg0);
+
+    public abstract javax.ws.rs.client.WebTarget target(javax.ws.rs.core.UriBuilder arg0);
+
+    public abstract javax.ws.rs.client.WebTarget target(javax.ws.rs.core.Link arg0);
+}

java/ql/test/experimental/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/client/ClientBuilder.java

@@ -0,0 +1,19 @@
+package javax.ws.rs.client;
+
+public abstract class ClientBuilder implements javax.ws.rs.core.Configurable {
+
+    protected ClientBuilder() {
+    }
+
+    public static javax.ws.rs.client.ClientBuilder newBuilder() {
+        return null;
+    }
+
+    public static javax.ws.rs.client.Client newClient() {
+        return null;
+    }
+
+    public static javax.ws.rs.client.Client newClient(javax.ws.rs.core.Configuration configuration) {
+        return null;
+    }
+}

java/ql/test/experimental/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/client/WebTarget.java

@@ -0,0 +1,4 @@
+package javax.ws.rs.client;
+
+public abstract interface WebTarget extends javax.ws.rs.core.Configurable {
+}

java/ql/test/experimental/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Configurable.java

@@ -0,0 +1,6 @@
+package javax.ws.rs.core;
+
+public abstract interface Configurable<C extends javax.ws.rs.core.Configurable> {
+
+    public abstract javax.ws.rs.core.Configuration getConfiguration();
+}

java/ql/test/experimental/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Configuration.java

@@ -0,0 +1,3 @@
+package javax.ws.rs.core;
+
+public abstract interface Configuration {}

java/ql/test/experimental/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Link.java

@@ -0,0 +1,61 @@
+package javax.ws.rs.core;
+
+public abstract class Link {
+
+    public static final java.lang.String TITLE = "title";
+
+    public static final java.lang.String REL = "rel";
+
+    public static final java.lang.String TYPE = "type";
+
+    public Link() {
+    }
+
+    public abstract java.net.URI getUri();
+
+    public abstract javax.ws.rs.core.UriBuilder getUriBuilder();
+
+    public abstract java.lang.String getRel();
+
+    public abstract java.util.List<java.lang.String> getRels();
+
+    public abstract java.lang.String getTitle();
+
+    public abstract java.lang.String getType();
+
+    public abstract java.util.Map<java.lang.String, java.lang.String> getParams();
+
+    public abstract java.lang.String toString();
+
+    public static javax.ws.rs.core.Link valueOf(java.lang.String value) {
+        return null;
+    }
+
+    // public static javax.ws.rs.core.Link.Builder fromUri(java.net.URI uri) {
+    //     return null;
+    // }
+
+    // public static javax.ws.rs.core.Link.Builder fromUri(java.lang.String uri) {
+    //     return null;
+    // }
+
+    // public static javax.ws.rs.core.Link.Builder fromUriBuilder(javax.ws.rs.core.UriBuilder uriBuilder) {
+    //     return null;
+    // }
+
+    // public static javax.ws.rs.core.Link.Builder fromLink(javax.ws.rs.core.Link link) {
+    //     return null;
+    // }
+
+    // public static javax.ws.rs.core.Link.Builder fromPath(java.lang.String path) {
+    //     return null;
+    // }
+
+    // public static javax.ws.rs.core.Link.Builder fromResource(java.lang.Class<?> resource) {
+    //     return null;
+    // }
+
+    // public static javax.ws.rs.core.Link.Builder fromMethod(java.lang.Class<?> resource, java.lang.String method) {
+    //     return null;
+    // }
+}

java/ql/test/experimental/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/UriBuilder.java

@@ -0,0 +1,62 @@
+// Failed to get sources. Instead, stub sources have been generated by the disassembler.
+// Implementation of methods is unavailable.
+package javax.ws.rs.core;
+
+public abstract class UriBuilder {
+
+    protected UriBuilder() {
+    }
+
+    protected static javax.ws.rs.core.UriBuilder newInstance() {
+        return null;
+    }
+
+    public static javax.ws.rs.core.UriBuilder fromUri(java.net.URI uri) {
+        return null;
+    }
+
+    public static javax.ws.rs.core.UriBuilder fromUri(java.lang.String uriTemplate) {
+        return null;
+    }
+
+    public static javax.ws.rs.core.UriBuilder fromLink(javax.ws.rs.core.Link link) {
+        return null;
+    }
+
+    public static javax.ws.rs.core.UriBuilder fromPath(java.lang.String path)
+            throws java.lang.IllegalArgumentException {
+        return null;
+    }
+
+    public static javax.ws.rs.core.UriBuilder fromResource(java.lang.Class<?> resource) {
+        return null;
+    }
+
+    public static javax.ws.rs.core.UriBuilder fromMethod(java.lang.Class<?> resource, java.lang.String method) {
+        return null;
+    }
+
+    public abstract javax.ws.rs.core.UriBuilder clone();
+
+    public abstract javax.ws.rs.core.UriBuilder uri(java.net.URI arg0);
+
+    public abstract javax.ws.rs.core.UriBuilder uri(java.lang.String arg0);
+
+    public abstract java.net.URI buildFromMap(java.util.Map<java.lang.String, ?> arg0);
+
+    public abstract java.net.URI buildFromMap(java.util.Map<java.lang.String, ?> arg0, boolean arg1)
+            throws java.lang.IllegalArgumentException, javax.ws.rs.core.UriBuilderException;
+
+    public abstract java.net.URI buildFromEncodedMap(java.util.Map<java.lang.String, ?> arg0)
+            throws java.lang.IllegalArgumentException, javax.ws.rs.core.UriBuilderException;
+
+    public abstract java.net.URI build(java.lang.Object... arg0)
+            throws java.lang.IllegalArgumentException, javax.ws.rs.core.UriBuilderException;
+
+    public abstract java.net.URI build(java.lang.Object[] arg0, boolean arg1)
+            throws java.lang.IllegalArgumentException, javax.ws.rs.core.UriBuilderException;
+
+    public abstract java.net.URI buildFromEncoded(java.lang.Object... arg0)
+            throws java.lang.IllegalArgumentException, javax.ws.rs.core.UriBuilderException;
+
+}

java/ql/test/experimental/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/UriBuilderException.java

@@ -0,0 +1,18 @@
+package javax.ws.rs.core;
+
+public class UriBuilderException extends java.lang.RuntimeException {
+
+    private static final long serialVersionUID = 956255913370721193L;
+
+    public UriBuilderException() {
+    }
+
+    public UriBuilderException(java.lang.String msg) {
+    }
+
+    public UriBuilderException(java.lang.String msg, java.lang.Throwable cause) {
+    }
+
+    public UriBuilderException(java.lang.Throwable cause) {
+    }
+}

java/ql/test/stubs/servlet-api-2.4/javax/servlet/ServletInputStream.java

@@ -30,5 +30,6 @@ public abstract class ServletInputStream extends InputStream {
     protected ServletInputStream() {
     }
     public int readLine(byte[] b, int off, int len) throws IOException {
+        return 0;
     }
 }

java/ql/test/stubs/springframework-5.2.3/org/springframework/core/ParameterizedTypeReference.java

@@ -0,0 +1,27 @@
+package org.springframework.core;
+
+public abstract class ParameterizedTypeReference<T> {
+    public java.lang.reflect.Type getType() {
+        return null;
+    }
+
+    public boolean equals(java.lang.Object other) {
+        return false;
+    }
+
+    public int hashCode() {
+        return 0;
+    }
+
+    public java.lang.String toString() {
+        return null;
+    }
+
+    public static <T> org.springframework.core.ParameterizedTypeReference<T> forType(java.lang.reflect.Type type) {
+        return null;
+    }
+
+    private static java.lang.Class<?> findParameterizedTypeReferenceSubclass(java.lang.Class<?> child) {
+        return null;
+    }
+}

java/ql/test/stubs/springframework-5.2.3/org/springframework/http/HttpEntity.java

@@ -0,0 +1,40 @@
+package org.springframework.http;
+
+public class HttpEntity<T> {
+
+    protected HttpEntity() {
+    }
+
+    public HttpEntity(T body) {
+    }
+
+    public HttpEntity(org.springframework.util.MultiValueMap<java.lang.String, java.lang.String> headers) {
+    }
+
+    public HttpEntity(T body, org.springframework.util.MultiValueMap<java.lang.String, java.lang.String> headers) {
+    }
+
+    public org.springframework.http.HttpHeaders getHeaders() {
+        return null;
+    }
+
+    public T getBody() {
+        return null;
+    }
+
+    public boolean hasBody() {
+        return false;
+    }
+
+    public boolean equals(java.lang.Object other) {
+        return false;
+    }
+
+    public int hashCode() {
+        return 0;
+    }
+
+    public java.lang.String toString() {
+        return null;
+    }
+}

java/ql/test/stubs/springframework-5.2.3/org/springframework/http/HttpHeaders.java

@@ -0,0 +1,4 @@
+package org.springframework.http;
+
+public class HttpHeaders implements java.io.Serializable {
+}

java/ql/test/stubs/springframework-5.2.3/org/springframework/http/HttpMethod.java

@@ -0,0 +1,20 @@
+package org.springframework.http;
+
+public enum HttpMethod {
+
+    GET,
+
+    HEAD,
+
+    POST,
+
+    PUT,
+
+    PATCH,
+
+    DELETE,
+
+    OPTIONS,
+
+    TRACE,
+}

java/ql/test/stubs/springframework-5.2.3/org/springframework/http/HttpStatus.java

@@ -0,0 +1,147 @@
+package org.springframework.http;
+
+public enum HttpStatus {
+
+    CONTINUE,
+
+    SWITCHING_PROTOCOLS,
+
+    PROCESSING,
+
+    CHECKPOINT,
+
+    OK,
+
+    CREATED,
+
+    ACCEPTED,
+
+    NON_AUTHORITATIVE_INFORMATION,
+
+    NO_CONTENT,
+
+    RESET_CONTENT,
+
+    PARTIAL_CONTENT,
+
+    MULTI_STATUS,
+
+    ALREADY_REPORTED,
+
+    IM_USED,
+
+    MULTIPLE_CHOICES,
+
+    MOVED_PERMANENTLY,
+
+    FOUND,
+
+    @java.lang.Deprecated
+    MOVED_TEMPORARILY,
+
+    SEE_OTHER,
+
+    NOT_MODIFIED,
+
+    @java.lang.Deprecated
+    USE_PROXY,
+
+    TEMPORARY_REDIRECT,
+
+    PERMANENT_REDIRECT,
+
+    BAD_REQUEST,
+
+    UNAUTHORIZED,
+
+    PAYMENT_REQUIRED,
+
+    FORBIDDEN,
+
+    NOT_FOUND,
+
+    METHOD_NOT_ALLOWED,
+
+    NOT_ACCEPTABLE,
+
+    PROXY_AUTHENTICATION_REQUIRED,
+
+    REQUEST_TIMEOUT,
+
+    CONFLICT,
+
+    GONE,
+
+    LENGTH_REQUIRED,
+
+    PRECONDITION_FAILED,
+
+    PAYLOAD_TOO_LARGE,
+
+    @java.lang.Deprecated
+    REQUEST_ENTITY_TOO_LARGE,
+
+    URI_TOO_LONG,
+
+    @java.lang.Deprecated
+    REQUEST_URI_TOO_LONG,
+
+    UNSUPPORTED_MEDIA_TYPE,
+
+    REQUESTED_RANGE_NOT_SATISFIABLE,
+
+    EXPECTATION_FAILED,
+
+    I_AM_A_TEAPOT,
+
+    @java.lang.Deprecated
+    INSUFFICIENT_SPACE_ON_RESOURCE,
+
+    @java.lang.Deprecated
+    METHOD_FAILURE,
+
+    @java.lang.Deprecated
+    DESTINATION_LOCKED,
+
+    UNPROCESSABLE_ENTITY,
+
+    LOCKED,
+
+    FAILED_DEPENDENCY,
+
+    TOO_EARLY,
+
+    UPGRADE_REQUIRED,
+
+    PRECONDITION_REQUIRED,
+
+    TOO_MANY_REQUESTS,
+
+    REQUEST_HEADER_FIELDS_TOO_LARGE,
+
+    UNAVAILABLE_FOR_LEGAL_REASONS,
+
+    INTERNAL_SERVER_ERROR,
+
+    NOT_IMPLEMENTED,
+
+    BAD_GATEWAY,
+
+    SERVICE_UNAVAILABLE,
+
+    GATEWAY_TIMEOUT,
+
+    HTTP_VERSION_NOT_SUPPORTED,
+
+    VARIANT_ALSO_NEGOTIATES,
+
+    INSUFFICIENT_STORAGE,
+
+    LOOP_DETECTED,
+
+    BANDWIDTH_LIMIT_EXCEEDED,
+
+    NOT_EXTENDED,
+
+    NETWORK_AUTHENTICATION_REQUIRED,
+}

java/ql/test/stubs/springframework-5.2.3/org/springframework/http/RequestEntity.java

@@ -0,0 +1,70 @@
+package org.springframework.http;
+
+public class RequestEntity<T> extends org.springframework.http.HttpEntity {
+
+    public RequestEntity(org.springframework.http.HttpMethod method, java.net.URI url) {
+    }
+
+    public RequestEntity(T body, org.springframework.http.HttpMethod method, java.net.URI url) {
+    }
+
+    public RequestEntity(T body, org.springframework.http.HttpMethod method, java.net.URI url,
+            java.lang.reflect.Type type) {
+    }
+
+    public RequestEntity(org.springframework.util.MultiValueMap<java.lang.String, java.lang.String> headers,
+            org.springframework.http.HttpMethod method, java.net.URI url) {
+    }
+
+    public RequestEntity(T body, org.springframework.util.MultiValueMap<java.lang.String, java.lang.String> headers,
+            org.springframework.http.HttpMethod method, java.net.URI url) {
+    }
+
+    public RequestEntity(T body, org.springframework.util.MultiValueMap<java.lang.String, java.lang.String> headers,
+            org.springframework.http.HttpMethod method, java.net.URI url, java.lang.reflect.Type type) {
+    }
+
+    public java.net.URI getUrl() {
+        return null;
+    }
+
+    public static org.springframework.http.RequestEntity.BodyBuilder method(org.springframework.http.HttpMethod method,
+            java.net.URI url) {
+        return null;
+    }
+
+    public static org.springframework.http.RequestEntity.HeadersBuilder get(java.net.URI url) {
+        return null;
+    }
+
+    public static org.springframework.http.RequestEntity.HeadersBuilder head(java.net.URI url) {
+        return null;
+    }
+
+    public static org.springframework.http.RequestEntity.BodyBuilder post(java.net.URI url) {
+        return null;
+    }
+
+    public static org.springframework.http.RequestEntity.BodyBuilder put(java.net.URI url) {
+        return null;
+    }
+
+    public static org.springframework.http.RequestEntity.BodyBuilder patch(java.net.URI url) {
+        return null;
+    }
+
+    public static org.springframework.http.RequestEntity.HeadersBuilder delete(java.net.URI url) {
+        return null;
+    }
+
+    public static org.springframework.http.RequestEntity.HeadersBuilder options(java.net.URI url) {
+        return null;
+    }
+
+    class HeadersBuilder<K> {
+    }
+
+    public class BodyBuilder<T> {
+        public RequestEntity<T> body(Object body){return null;};
+    }
+}

java/ql/test/stubs/springframework-5.2.3/org/springframework/http/ResponseEntity.java

@@ -0,0 +1,12 @@
+package org.springframework.http;
+
+public class ResponseEntity<T> extends org.springframework.http.HttpEntity {
+
+    // private final java.lang.Object status;
+
+    // public ResponseEntity(org.springframework.http.HttpStatus status) {
+    // }
+
+    // public ResponseEntity(T body, org.springframework.http.HttpStatus status) {
+    // }
+ }

java/ql/test/stubs/springframework-5.2.3/org/springframework/http/client/ClientHttpResponse.java

@@ -0,0 +1,12 @@
+package org.springframework.http.client;
+
+public abstract interface ClientHttpResponse {
+
+    public abstract org.springframework.http.HttpStatus getStatusCode() throws java.io.IOException;
+
+    public abstract int getRawStatusCode() throws java.io.IOException;
+
+    public abstract java.lang.String getStatusText() throws java.io.IOException;
+
+    public abstract void close();
+}

java/ql/test/stubs/springframework-5.2.3/org/springframework/web/client/RequestCallback.java

@@ -0,0 +1,4 @@
+package org.springframework.web.client;
+
+public abstract interface RequestCallback {
+}

java/ql/test/stubs/springframework-5.2.3/org/springframework/web/client/ResponseExtractor.java

@@ -0,0 +1,4 @@
+package org.springframework.web.client;
+
+public abstract interface ResponseExtractor<K> {
+}

java/ql/test/stubs/springframework-5.2.3/org/springframework/web/client/RestClientException.java

@@ -0,0 +1,12 @@
+package org.springframework.web.client;
+
+public class RestClientException extends Exception {
+
+    private static final long serialVersionUID = -4084444984163796577L;
+
+    public RestClientException(java.lang.String msg) {
+    }
+
+    public RestClientException(java.lang.String msg, java.lang.Throwable ex) {
+    }
+}

java/ql/test/stubs/springframework-5.2.3/org/springframework/web/client/RestTemplate.java

@@ -0,0 +1,237 @@
+package org.springframework.web.client;
+
+public class RestTemplate {
+
+    public <T> T getForObject(java.lang.String url, java.lang.Class<T> responseType, java.lang.Object... uriVariables)
+            throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public <T> T getForObject(java.lang.String url, java.lang.Class<T> responseType,
+            java.util.Map<java.lang.String, ?> uriVariables) throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public <T> T getForObject(java.net.URI url, java.lang.Class<T> responseType)
+            throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public <T> org.springframework.http.ResponseEntity<T> getForEntity(java.lang.String url,
+            java.lang.Class<T> responseType, java.lang.Object... uriVariables)
+            throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public <T> org.springframework.http.ResponseEntity<T> getForEntity(java.lang.String url,
+            java.lang.Class<T> responseType, java.util.Map<java.lang.String, ?> uriVariables)
+            throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public <T> org.springframework.http.ResponseEntity<T> getForEntity(java.net.URI url,
+            java.lang.Class<T> responseType) throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public org.springframework.http.HttpHeaders headForHeaders(java.lang.String url, java.lang.Object... uriVariables)
+            throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public org.springframework.http.HttpHeaders headForHeaders(java.lang.String url,
+            java.util.Map<java.lang.String, ?> uriVariables) throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public org.springframework.http.HttpHeaders headForHeaders(java.net.URI url)
+            throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public java.net.URI postForLocation(java.lang.String url, java.lang.Object request,
+            java.lang.Object... uriVariables) throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public java.net.URI postForLocation(java.lang.String url, java.lang.Object request,
+            java.util.Map<java.lang.String, ?> uriVariables) throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public java.net.URI postForLocation(java.net.URI url, java.lang.Object request)
+            throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public <T> T postForObject(java.lang.String url, java.lang.Object request, java.lang.Class<T> responseType,
+            java.lang.Object... uriVariables) throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public <T> T postForObject(java.lang.String url, java.lang.Object request, java.lang.Class<T> responseType,
+            java.util.Map<java.lang.String, ?> uriVariables) throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public <T> T postForObject(java.net.URI url, java.lang.Object request, java.lang.Class<T> responseType)
+            throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public <T> org.springframework.http.ResponseEntity<T> postForEntity(java.lang.String url, java.lang.Object request,
+            java.lang.Class<T> responseType, java.lang.Object... uriVariables)
+            throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public <T> org.springframework.http.ResponseEntity<T> postForEntity(java.lang.String url, java.lang.Object request,
+            java.lang.Class<T> responseType, java.util.Map<java.lang.String, ?> uriVariables)
+            throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public <T> org.springframework.http.ResponseEntity<T> postForEntity(java.net.URI url, java.lang.Object request,
+            java.lang.Class<T> responseType) throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public void put(java.lang.String url, java.lang.Object request, java.lang.Object... uriVariables)
+            throws org.springframework.web.client.RestClientException {
+    }
+
+    public void put(java.lang.String url, java.lang.Object request, java.util.Map<java.lang.String, ?> uriVariables)
+            throws org.springframework.web.client.RestClientException {
+    }
+
+    public void put(java.net.URI url, java.lang.Object request)
+            throws org.springframework.web.client.RestClientException {
+    }
+
+    public <T> T patchForObject(java.lang.String url, java.lang.Object request, java.lang.Class<T> responseType,
+            java.lang.Object... uriVariables) throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public <T> T patchForObject(java.lang.String url, java.lang.Object request, java.lang.Class<T> responseType,
+            java.util.Map<java.lang.String, ?> uriVariables) throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public <T> T patchForObject(java.net.URI url, java.lang.Object request, java.lang.Class<T> responseType)
+            throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public void delete(java.lang.String url, java.lang.Object... uriVariables)
+            throws org.springframework.web.client.RestClientException {
+    }
+
+    public void delete(java.lang.String url, java.util.Map<java.lang.String, ?> uriVariables)
+            throws org.springframework.web.client.RestClientException {
+    }
+
+    public void delete(java.net.URI url) throws org.springframework.web.client.RestClientException {
+    }
+
+    public java.util.Set<org.springframework.http.HttpMethod> optionsForAllow(java.lang.String url,
+            java.lang.Object... uriVariables) throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public java.util.Set<org.springframework.http.HttpMethod> optionsForAllow(java.lang.String url,
+            java.util.Map<java.lang.String, ?> uriVariables) throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public java.util.Set<org.springframework.http.HttpMethod> optionsForAllow(java.net.URI url)
+            throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public <T> org.springframework.http.ResponseEntity<T> exchange(java.lang.String url,
+            org.springframework.http.HttpMethod method, org.springframework.http.HttpEntity<?> requestEntity,
+            java.lang.Class<T> responseType, java.lang.Object... uriVariables)
+            throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public <T> org.springframework.http.ResponseEntity<T> exchange(java.lang.String url,
+            org.springframework.http.HttpMethod method, org.springframework.http.HttpEntity<?> requestEntity,
+            java.lang.Class<T> responseType, java.util.Map<java.lang.String, ?> uriVariables)
+            throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public <T> org.springframework.http.ResponseEntity<T> exchange(java.net.URI url,
+            org.springframework.http.HttpMethod method, org.springframework.http.HttpEntity<?> requestEntity,
+            java.lang.Class<T> responseType) throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public <T> org.springframework.http.ResponseEntity<T> exchange(java.lang.String url,
+            org.springframework.http.HttpMethod method, org.springframework.http.HttpEntity<?> requestEntity,
+            org.springframework.core.ParameterizedTypeReference<T> responseType, java.lang.Object... uriVariables)
+            throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public <T> org.springframework.http.ResponseEntity<T> exchange(java.lang.String url,
+            org.springframework.http.HttpMethod method, org.springframework.http.HttpEntity<?> requestEntity,
+            org.springframework.core.ParameterizedTypeReference<T> responseType,
+            java.util.Map<java.lang.String, ?> uriVariables) throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public <T> org.springframework.http.ResponseEntity<T> exchange(java.net.URI url,
+            org.springframework.http.HttpMethod method, org.springframework.http.HttpEntity<?> requestEntity,
+            org.springframework.core.ParameterizedTypeReference<T> responseType)
+            throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public <T> org.springframework.http.ResponseEntity<T> exchange(
+            org.springframework.http.RequestEntity<?> requestEntity, java.lang.Class<T> responseType)
+            throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public <T> org.springframework.http.ResponseEntity<T> exchange(
+            org.springframework.http.RequestEntity<?> requestEntity,
+            org.springframework.core.ParameterizedTypeReference<T> responseType)
+            throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public <T> T execute(java.lang.String url, org.springframework.http.HttpMethod method,
+            org.springframework.web.client.RequestCallback requestCallback,
+            org.springframework.web.client.ResponseExtractor<T> responseExtractor, java.lang.Object... uriVariables)
+            throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public <T> T execute(java.lang.String url, org.springframework.http.HttpMethod method,
+            org.springframework.web.client.RequestCallback requestCallback,
+            org.springframework.web.client.ResponseExtractor<T> responseExtractor,
+            java.util.Map<java.lang.String, ?> uriVariables) throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    public <T> T execute(java.net.URI url, org.springframework.http.HttpMethod method,
+            org.springframework.web.client.RequestCallback requestCallback,
+            org.springframework.web.client.ResponseExtractor<T> responseExtractor)
+            throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    protected <T> T doExecute(java.net.URI url, org.springframework.http.HttpMethod method,
+            org.springframework.web.client.RequestCallback requestCallback,
+            org.springframework.web.client.ResponseExtractor<T> responseExtractor)
+            throws org.springframework.web.client.RestClientException {
+        return null;
+    }
+
+    protected void handleResponse(java.net.URI url, org.springframework.http.HttpMethod method,
+            org.springframework.http.client.ClientHttpResponse response) throws java.io.IOException {
+    }
+}