java.net tests

atorralba · atorralba · commit 452b9d11dba8 · 2023-03-14T11:43:23.000+01:00
diff --git a/java/ql/test/library-tests/frameworks/jdk/java.net/Test.java b/java/ql/test/library-tests/frameworks/jdk/java.net/Test.java
@@ -1,5 +1,7 @@
 package generatedtest;
 
+import java.net.InetAddress;
+import java.net.InetSocketAddress;
 import java.net.URI;
 import java.net.URL;
 import java.net.URLDecoder;
@@ -16,6 +18,27 @@ void sink(Object o) {}
 
 	public void test() throws Exception {
 
+		{
+			// "java.net;InetAddress;true;getByName;(String);;Argument[0];ReturnValue;taint;ai-generated"
+			InetAddress out = null;
+			String in = (String) source();
+			out = InetAddress.getByName(in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "java.net;InetSocketAddress;true;InetSocketAddress;(String,int);;Argument[0];Argument[-1];taint;ai-generated"
+			InetSocketAddress out = null;
+			String in = (String) source();
+			out = new InetSocketAddress(in, 0);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "java.net;InetSocketAddress;true;createUnresolved;(String,int);;Argument[0];ReturnValue;taint;ai-generated"
+			InetSocketAddress out = null;
+			String in = (String) source();
+			out = InetSocketAddress.createUnresolved(in, 0);
+			sink(out); // $ hasTaintFlow
+		}
 		{
 			// "java.net;URI;false;URI;(String);;Argument[0];Argument[-1];taint;manual"
 			URI out = null;
@@ -30,6 +53,22 @@ public void test() throws Exception {
 			out = URI.create(in);
 			sink(out); // $ hasTaintFlow
 		}
+		{
+			// "java.net;URI;false;resolve;(String);;Argument[0];ReturnValue;taint;ai-generated"
+			URI out = null;
+			String in = (String) source();
+			URI instance = null;
+			out = instance.resolve(in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "java.net;URI;false;resolve;(URI);;Argument[0];ReturnValue;taint;ai-generated"
+			URI out = null;
+			URI in = (URI) source();
+			URI instance = null;
+			out = instance.resolve(in);
+			sink(out); // $ hasTaintFlow
+		}
 		{
 			// "java.net;URI;false;toASCIIString;;;Argument[-1];ReturnValue;taint;manual"
 			String out = null;
@@ -58,6 +97,20 @@ public void test() throws Exception {
 			out = new URL(in);
 			sink(out); // $ hasTaintFlow
 		}
+		{
+			// "java.net;URL;false;URL;(URL,String);;Argument[0];Argument[-1];taint;ai-generated"
+			URL out = null;
+			URL in = (URL) source();
+			out = new URL(in, null);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "java.net;URL;false;URL;(URL,String);;Argument[1];Argument[-1];taint;ai-generated"
+			URL out = null;
+			String in = (String) source();
+			out = new URL(null, in);
+			sink(out); // $ hasTaintFlow
+		}
 		{
 			// "java.net;URL;false;toExternalForm;;;Argument[-1];ReturnValue;taint;manual"
 			String out = null;
diff --git a/java/ql/test/query-tests/security/CWE-918/mad/Test.java b/java/ql/test/query-tests/security/CWE-918/mad/Test.java
@@ -1,22 +1,58 @@
+import java.net.DatagramSocket;
+import java.net.Proxy;
+import java.net.Socket;
+import java.net.SocketAddress;
 import java.net.URL;
+import java.net.URLClassLoader;
 import javax.servlet.http.HttpServletRequest;
 import javafx.scene.web.WebEngine;
 import org.codehaus.cargo.container.installer.ZipURLInstaller;
 
 public class Test {
 
-    public static Object source(HttpServletRequest request) {
+    private static HttpServletRequest request;
+
+    public static Object source() {
         return request.getParameter(null);
     }
 
+    public void test(DatagramSocket socket) throws Exception {
+        // "java.net;DatagramSocket;true;connect;(SocketAddress);;Argument[0];open-url;ai-generated"
+        socket.connect((SocketAddress) source()); // $ SSRF
+    }
+
+    public void test(URL url) throws Exception {
+        // "java.net;URL;false;openConnection;(Proxy);:Argument[-1]:open-url;manual"
+        ((URL) source()).openConnection(); // $ SSRF
+        // "java.net;URL;false;openConnection;(Proxy);:Argument[0]:open-url;ai-generated"
+        url.openConnection((Proxy) source()); // $ SSRF
+        // "java.net;URL;false;openStream;;:Argument[-1]:open-url;manual"
+        ((URL) source()).openStream(); // $ SSRF
+    }
+
+    public void test(URLClassLoader cl) throws Exception {
+        // "java.net;URLClassLoader;false;URLClassLoader;(String,URL[],ClassLoader);;Argument[1];open-url;manual"
+        new URLClassLoader("", (URL[]) source(), null); // $ SSRF
+        // "java.net;URLClassLoader;false;URLClassLoader;(String,URL[],ClassLoader,URLStreamHandlerFactory);;Argument[1];open-url;manual"
+        new URLClassLoader("", (URL[]) source(), null, null); // $ SSRF
+        // "java.net;URLClassLoader;false;URLClassLoader;(URL[]);;Argument[0];open-url;manual"
+        new URLClassLoader((URL[]) source()); // $ SSRF
+        // "java.net;URLClassLoader;false;URLClassLoader;(URL[],ClassLoader);;Argument[0];open-url;manual"
+        new URLClassLoader((URL[]) source(), null); // $ SSRF
+        // "java.net;URLClassLoader;false;URLClassLoader;(URL[],ClassLoader,URLStreamHandlerFactory);;Argument[0];open-url;manual"
+        new URLClassLoader((URL[]) source(), null, null); // $ SSRF
+        // "java.net;URLClassLoader;false;newInstance;;;Argument[0];open-url;manual"
+        URLClassLoader.newInstance((URL[]) source()); // $ SSRF
+    }
+
     public void test(WebEngine webEngine) {
         // "javafx.scene.web;WebEngine;false;load;(String);;Argument[0];open-url;ai-generated"
-        webEngine.load((String) source(null)); // $ SSRF
+        webEngine.load((String) source()); // $ SSRF
     }
 
-    public void test() {
+    public void test(ZipURLInstaller zui) {
         // "org.codehaus.cargo.container.installer;ZipURLInstaller;true;ZipURLInstaller;(URL,String,String);;Argument[0];open-url:ai-generated"
-        new ZipURLInstaller((URL) source(null), "", ""); // $ SSRF
+        new ZipURLInstaller((URL) source(), "", ""); // $ SSRF
     }
 
 }
