hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 09:13:20 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
codeql-cli-2.23.7
codeql/java/ql/test/query-tests/security/CWE-918/URLClassLoaderSSRF.java
Nora Dimitrijević aac4f63e9a Java: convert RequestForgery test to .qlref
2025-06-24 16:42:32 +02:00

100 lines
3.8 KiB
Java
Raw Permalink Blame History

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.net.URI;
import java.net.URL;
import java.net.URLClassLoader;
import java.net.URLStreamHandlerFactory;
public class URLClassLoaderSSRF extends HttpServlet {
protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
try {
String url = request.getParameter("uri"); // $ Source
URI uri = new URI(url);
URLClassLoader urlClassLoader = new URLClassLoader(new URL[]{uri.toURL()}); // $ Alert
Class<?> test = urlClassLoader.loadClass("test");
} catch (Exception e) {
// Ignore
}
}
protected void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
try {
String url = request.getParameter("uri"); // $ Source
URI uri = new URI(url);
URLClassLoader urlClassLoader = new URLClassLoader(new URL[]{uri.toURL()}, URLClassLoaderSSRF.class.getClassLoader()); // $ Alert
Class<?> test = urlClassLoader.loadClass("test");
} catch (Exception e) {
// Ignore
}
}
protected void doPut(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
try {
String url = request.getParameter("uri"); // $ Source
URI uri = new URI(url);
URLStreamHandlerFactory urlStreamHandlerFactory = null;
URLClassLoader urlClassLoader = new URLClassLoader(new URL[]{uri.toURL()}, URLClassLoaderSSRF.class.getClassLoader(), urlStreamHandlerFactory); // $ Alert
urlClassLoader.findResource("test");
} catch (Exception e) {
// Ignore
}
}
protected void doDelete(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
try {
String url = request.getParameter("uri"); // $ Source
URI uri = new URI(url);
URLClassLoader urlClassLoader = URLClassLoader.newInstance(new URL[]{uri.toURL()}); // $ Alert
urlClassLoader.getResourceAsStream("test");
} catch (Exception e) {
// Ignore
}
}
protected void doOptions(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
try {
String url = request.getParameter("uri"); // $ Source
URI uri = new URI(url);
URLClassLoader urlClassLoader =
new URLClassLoader("testClassLoader",
new URL[]{uri.toURL()}, // $ Alert
URLClassLoaderSSRF.class.getClassLoader()
);
Class<?> rceTest = urlClassLoader.loadClass("RCETest");
} catch (Exception e) {
// Ignore
}
}
protected void doTrace(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
try {
String url = request.getParameter("uri"); // $ Source
URI uri = new URI(url);
URLStreamHandlerFactory urlStreamHandlerFactory = null;
URLClassLoader urlClassLoader =
new URLClassLoader("testClassLoader",
new URL[]{uri.toURL()}, // $ Alert
URLClassLoaderSSRF.class.getClassLoader(),
urlStreamHandlerFactory
);
Class<?> rceTest = urlClassLoader.loadClass("RCETest");
} catch (Exception e) {
// Ignore
}
}
}
Reference in New Issue View Git Blame Copy Permalink