Merge pull request #3454 from porcupineyhairs/javaSSRf

Java : add request forgery query

java/ql/src/semmle/code/java/frameworks/ApacheHttp.qll

@@ -1,3 +1,7 @@
+/**
+ * Provides classes and predicates related to `org.apache.http.*`.
+ */
+
 import java
 
 class ApacheHttpGetParams extends Method {
@@ -13,3 +17,26 @@ class ApacheHttpEntityGetContent extends Method {
     this.getName() = "getContent"
   }
 }
+
+/**
+ * An HTTP request as represented by the Apache HTTP Client library. This is
+ * either `org.apache.http.client.methods.HttpRequestBase`,
+ * `org.apache.http.message.BasicHttpRequest`, or one of their subclasses.
+ */
+class ApacheHttpRequest extends RefType {
+  ApacheHttpRequest() {
+    this
+        .getASourceSupertype*()
+        .hasQualifiedName("org.apache.http.client.methods", "HttpRequestBase") or
+    this.getASourceSupertype*().hasQualifiedName("org.apache.http.message", "BasicHttpRequest")
+  }
+}
+
+/**
+ * The `org.apache.http.client.methods.RequestBuilder` class.
+ */
+class TypeApacheHttpRequestBuilder extends Class {
+  TypeApacheHttpRequestBuilder() {
+    this.hasQualifiedName("org.apache.http.client.methods", "RequestBuilder")
+  }
+}

java/ql/src/semmle/code/java/frameworks/JaxWS.qll

@@ -170,6 +170,13 @@ class JaxRsResponseBuilder extends Class {
   JaxRsResponseBuilder() { this.hasQualifiedName("javax.ws.rs.core", "ResponseBuilder") }
 }
 
+/**
+ * The class `javax.ws.rs.client.Client`.
+ */
+class JaxRsClient extends RefType {
+  JaxRsClient() { this.hasQualifiedName("javax.ws.rs.client", "Client") }
+}
+
 /**
  * A constructor that may be called by a JaxRS container to construct an instance to inject into a
  * resource method or resource class constructor.

java/ql/src/semmle/code/java/frameworks/Networking.qll

@@ -41,3 +41,91 @@ class SocketGetInputStreamMethod extends Method {
     hasNoParameters()
   }
 }
+
+/** A method or constructor call that returns a new `URI`. */
+class UriCreation extends Call {
+  UriCreation() {
+    this.getCallee().getDeclaringType() instanceof TypeUri and
+    (this instanceof ClassInstanceExpr or this.getCallee().hasName("create"))
+  }
+
+  /**
+   * Gets the host argument of the newly created URI. In the case where the
+   * host is specified separately, this is only the host. In the case where the
+   * uri is parsed from an input string, such as in
+   * `URI("http://foo.com/mypath")`, this is the entire argument passed in,
+   * that is `"http://foo.com/mypath"`.
+   */
+  Expr getHostArg() { none() }
+}
+
+/** A `java.net.URI` constructor call. */
+class UriConstructorCall extends ClassInstanceExpr, UriCreation {
+  override Expr getHostArg() {
+    // URI(String str)
+    result = this.getArgument(0) and this.getNumArgument() = 1
+    or
+    // URI(String scheme, String ssp, String fragment)
+    // URI(String scheme, String host, String path, String fragment)
+    // URI(String scheme, String authority, String path, String query, String fragment)
+    result = this.getArgument(1) and this.getNumArgument() = [3, 4, 5]
+    or
+    // URI(String scheme, String userInfo, String host, int port, String path, String query,
+    //    String fragment)
+    result = this.getArgument(2) and this.getNumArgument() = 7
+  }
+}
+
+/** A call to `java.net.URI::create`. */
+class UriCreate extends UriCreation {
+  UriCreate() { this.getCallee().hasName("create") }
+
+  override Expr getHostArg() { result = this.getArgument(0) }
+}
+
+/** A `java.net.URL` constructor call. */
+class UrlConstructorCall extends ClassInstanceExpr {
+  UrlConstructorCall() { this.getConstructor().getDeclaringType() instanceof TypeUrl }
+
+  /** Gets the host argument of the newly created URL. */
+  Expr getHostArg() {
+    // URL(String spec)
+    this.getNumArgument() = 1 and result = this.getArgument(0)
+    or
+    // URL(String protocol, String host, int port, String file)
+    // URL(String protocol, String host, int port, String file, URLStreamHandler handler)
+    this.getNumArgument() = [4, 5] and result = this.getArgument(1)
+    or
+    // URL(String protocol, String host, String file)
+    // but not
+    // URL(URL context, String spec, URLStreamHandler handler)
+    this.getNumArgument() = 3 and
+    this.getConstructor().getParameterType(2) instanceof TypeString and
+    result = this.getArgument(1)
+  }
+
+  /** Gets the argument that corresponds to the protocol of the URL. */
+  Expr protocolArg() {
+    // In all cases except where the first parameter is a URL, the argument
+    // containing the protocol is the first one, otherwise it is the second.
+    if this.getConstructor().getParameterType(0) instanceof TypeUrl
+    then result = this.getArgument(1)
+    else result = this.getArgument(0)
+  }
+}
+
+/** The method `java.net.URL::openStream`. */
+class UrlOpenStreamMethod extends Method {
+  UrlOpenStreamMethod() {
+    this.getDeclaringType() instanceof TypeUrl and
+    this.getName() = "openStream"
+  }
+}
+
+/** The method `java.net.URL::openConnection`. */
+class UrlOpenConnectionMethod extends Method {
+  UrlOpenConnectionMethod() {
+    this.getDeclaringType() instanceof TypeUrl and
+    this.getName() = "openConnection"
+  }
+}

java/ql/src/semmle/code/java/frameworks/javase/Http.qll

@@ -0,0 +1,23 @@
+/**
+ * Provides classes and predicates related to `java.net.http.*`.
+ */
+
+import java
+
+/** The interface representing `HttpRequest.Builder`. */
+class TypeHttpRequestBuilder extends Interface {
+  TypeHttpRequestBuilder() { hasQualifiedName("java.net.http", "HttpRequest$Builder") }
+}
+
+/** The interface representing `java.net.http.HttpRequest`. */
+class TypeHttpRequest extends Interface {
+  TypeHttpRequest() { hasQualifiedName("java.net.http", "HttpRequest") }
+}
+
+/** The `uri` method on `java.net.http.HttpRequest.Builder`. */
+class HttpBuilderUri extends Method {
+  HttpBuilderUri() {
+    this.getDeclaringType() instanceof TypeHttpRequestBuilder and
+    this.getName() = "uri"
+  }
+}