hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-11 13:40:21 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
2525cfd786b985daa754cd06afeef588e0ea75ec
codeql/java/ql/src/experimental/CWE-918/RequestForgeryCustomizations.qll
Porcupiney Hairs 2525cfd786 include suggestions from review.
2020-11-13 00:28:06 +05:30

144 lines
4.2 KiB
Plaintext
Raw Blame History

/** A module to reason about request forgery vulnerabilities. */
import java
import semmle.code.java.frameworks.Networking
import semmle.code.java.frameworks.ApacheHttp
import semmle.code.java.frameworks.spring.Spring
import semmle.code.java.frameworks.JaxWS
import semmle.code.java.frameworks.javase.Http
import semmle.code.java.dataflow.DataFlow
/** A module to reason about request forgery vulnerabilities. */
module RequestForgery {
/** A data flow sink for request forgery vulnerabilities. */
abstract class Sink extends DataFlow::Node { }
/**
* An argument to an url `openConnection` or `openStream` call
* taken as a sink for request forgery vulnerabilities.
*/
private class UrlOpen extends Sink {
UrlOpen() {
exists(MethodAccess ma |
ma.getMethod() instanceof UrlOpenConnectionMethod or
ma.getMethod() instanceof UrlOpenStreamMethod
|
this.asExpr() = ma.getQualifier()
)
}
}
/**
* An argument to an Apache `setURI` call taken as a
* sink for request forgery vulnerabilities.
*/
private class ApacheSetUri extends Sink {
ApacheSetUri() {
exists(MethodAccess ma, TypeApacheHttpRequestBase t |
ma.getReceiverType().extendsOrImplements(t) and
ma.getMethod().hasName("setURI")
|
this.asExpr() = ma.getArgument(0)
)
}
}
/**
* An argument to any Apache Request Instantiation call taken as a
* sink for request forgery vulnerabilities.
*/
private class ApacheHttpRequestInstantiation extends Sink {
ApacheHttpRequestInstantiation() {
exists(ClassInstanceExpr c, TypeApacheHttpRequestBase t |
c.getConstructedType().extendsOrImplements(t)
|
this.asExpr() = c.getArgument(0)
)
}
}
/**
* An argument to a Apache RequestBuilder method call taken as a
* sink for request forgery vulnerabilities.
*/
private class ApacheHttpRequestBuilderArgument extends Sink {
ApacheHttpRequestBuilderArgument() {
exists(MethodAccess ma |
ma.getReceiverType() instanceof TypeApacheHttpRequestBuilder and
ma.getMethod().hasName(["setURI", "get", "post", "put", "optons", "head", "delete"])
|
this.asExpr() = ma.getArgument(0)
)
}
}
/**
* An argument to any Java.net.http.request Instantiation call taken as a
* sink for request forgery vulnerabilities.
*/
private class HttpRequestNewBuilder extends Sink {
HttpRequestNewBuilder() {
exists(MethodAccess call |
call.getCallee().hasName("newBuilder") and
call.getMethod().getDeclaringType().getName() = "HttpRequest"
|
this.asExpr() = call.getArgument(0)
)
}
}
/**
* An argument to an Http Builder `uri` call taken as a
* sink for request forgery vulnerabilities.
*/
private class HttpBuilderUriArgument extends Sink {
HttpBuilderUriArgument() {
exists(MethodAccess ma | ma.getMethod() instanceof HttpBuilderUri |
this.asExpr() = ma.getArgument(0)
)
}
}
/**
* An argument to a Spring Rest Template method call taken as a
* sink for request forgery vulnerabilities.
*/
private class SpringRestTemplateArgument extends Sink {
SpringRestTemplateArgument() {
exists(MethodAccess ma |
this.asExpr() = ma.getMethod().(SpringRestTemplateUrlMethods).getUrlArgument(ma)
)
}
}
/**
* An argument to `javax.ws.rs.Client`s `target` method call taken as a
* sink for request forgery vulnerabilities.
*/
private class JaxRsClientTarget extends Sink {
JaxRsClientTarget() {
exists(MethodAccess ma |
ma.getMethod().getDeclaringType() instanceof JaxRsClient and
ma.getMethod().hasName("target")
|
this.asExpr() = ma.getArgument(0)
)
}
}
/**
* A URI argument to `org.springframework.http.RequestEntity`s constructor call
* taken as a sink for request forgery vulnerabilities.
*/
private class RequestEntityUriArg extends Sink {
RequestEntityUriArg() {
exists(ClassInstanceExpr e, Argument a |
e.getConstructedType() instanceof SpringRequestEntity and
e.getAnArgument() = a and
a.getType() instanceof TypeUri and
this.asExpr() = a
)
}
}
}
Reference in New Issue View Git Blame Copy Permalink