Java: add more tests

Jami Cogswell · Jami Cogswell · commit 540b8391dc60 · 2023-04-13T09:12:55.000-04:00
diff --git a/java/ql/lib/ext/org.apache.hc.core5.http.impl.io.model.yml b/java/ql/lib/ext/org.apache.hc.core5.http.impl.io.model.yml
@@ -3,5 +3,6 @@ extensions:
       pack: codeql/java-all
       extensible: sinkModel
     data:
+      # ! `DefaultClassicHttpRequestFactory` extends Object, no subclasses, implements `HttpRequestFactory`; HAS javadocs
       - ["org.apache.hc.core5.http.impl.io", "DefaultClassicHttpRequestFactory", True, "newHttpRequest", "(String,String)", "", "Argument[1]", "%-url", "manual"]
       - ["org.apache.hc.core5.http.impl.io", "DefaultClassicHttpRequestFactory", True, "newHttpRequest", "(String,URI)", "", "Argument[1]", "%-url", "manual"]
diff --git a/java/ql/lib/ext/org.apache.hc.core5.http.impl.nio.model.yml b/java/ql/lib/ext/org.apache.hc.core5.http.impl.nio.model.yml
@@ -3,5 +3,6 @@ extensions:
       pack: codeql/java-all
       extensible: sinkModel
     data:
+      # ! `DefaultHttpRequestFactory` extends Object, no subclasses; implements `HttpRequestFactory`; HAS javadocs
       - ["org.apache.hc.core5.http.impl.nio", "DefaultHttpRequestFactory", True, "newHttpRequest", "(String,String)", "", "Argument[1]", "%-url", "manual"]
       - ["org.apache.hc.core5.http.impl.nio", "DefaultHttpRequestFactory", True, "newHttpRequest", "(String,URI)", "", "Argument[1]", "%-url", "manual"]
diff --git a/java/ql/lib/ext/org.apache.hc.core5.http.io.support.model.yml b/java/ql/lib/ext/org.apache.hc.core5.http.io.support.model.yml
@@ -3,6 +3,7 @@ extensions:
       pack: codeql/java-all
       extensible: sinkModel
     data:
+      # ! ClassicRequestBuilder extends Object>AbstractMessageBuilder>AbstractRequestBuilder, no subclasses; does not really have javadocs
       - ["org.apache.hc.core5.http.io.support", "ClassicRequestBuilder", True, "delete", "(String)", "", "Argument[0]", "%-url", "manual"]
       - ["org.apache.hc.core5.http.io.support", "ClassicRequestBuilder", True, "delete", "(URI)", "", "Argument[0]", "%-url", "manual"]
       - ["org.apache.hc.core5.http.io.support", "ClassicRequestBuilder", True, "get", "(String)", "", "Argument[0]", "%-url", "manual"]
@@ -17,7 +18,7 @@ extensions:
       - ["org.apache.hc.core5.http.io.support", "ClassicRequestBuilder", True, "post", "(URI)", "", "Argument[0]", "%-url", "manual"]
       - ["org.apache.hc.core5.http.io.support", "ClassicRequestBuilder", True, "put", "(String)", "", "Argument[0]", "%-url", "manual"]
       - ["org.apache.hc.core5.http.io.support", "ClassicRequestBuilder", True, "put", "(URI)", "", "Argument[0]", "%-url", "manual"]
-      - ["org.apache.hc.core5.http.io.support", "ClassicRequestBuilder", True, "setHttpHost", "", "", "Argument[0]", "%-url", "manual"]  # ! ModelType: sink, Notes: possibly subtyped by AbstractRequestBuilder
+      - ["org.apache.hc.core5.http.io.support", "ClassicRequestBuilder", True, "setHttpHost", "(HttpHost)", "", "Argument[0]", "%-url", "manual"]  # ! possibly subtyped by AbstractRequestBuilder
       - ["org.apache.hc.core5.http.io.support", "ClassicRequestBuilder", True, "setUri", "(String)", "", "Argument[0]", "%-url", "manual"]
       - ["org.apache.hc.core5.http.io.support", "ClassicRequestBuilder", True, "setUri", "(URI)", "", "Argument[0]", "%-url", "manual"]
       - ["org.apache.hc.core5.http.io.support", "ClassicRequestBuilder", True, "trace", "(String)", "", "Argument[0]", "%-url", "manual"]
diff --git a/java/ql/lib/ext/org.apache.hc.core5.http.message.model.yml b/java/ql/lib/ext/org.apache.hc.core5.http.message.model.yml
@@ -3,17 +3,19 @@ extensions:
       pack: codeql/java-all
       extensible: sinkModel
     data:
-      - ["org.apache.hc.core5.http.message", "BasicClassicHttpRequest", True, "BasicClassicHttpRequest", "(Method,HttpHost,String)", "", "Argument[1]", "%-url", "manual"]  # ! ModelType: sink, Notes:
+    # ! BasicClassicHttpRequest extends Object>HeaderGroup>BasicHttpRequest, implements Serializable, ClassicHttpRequest, HttpEntityContainer, HttpMessage, HttpRequest, MessageHeaders; has javadocs
+      - ["org.apache.hc.core5.http.message", "BasicClassicHttpRequest", True, "BasicClassicHttpRequest", "(Method,HttpHost,String)", "", "Argument[1]", "%-url", "manual"]
       - ["org.apache.hc.core5.http.message", "BasicClassicHttpRequest", True, "BasicClassicHttpRequest", "(Method,URI)", "", "Argument[1]", "%-url", "manual"]
-      - ["org.apache.hc.core5.http.message", "BasicClassicHttpRequest", True, "BasicClassicHttpRequest", "(String,HttpHost,String)", "", "Argument[1]", "%-url", "manual"]  # ! ModelType: sink, Notes:
+      - ["org.apache.hc.core5.http.message", "BasicClassicHttpRequest", True, "BasicClassicHttpRequest", "(String,HttpHost,String)", "", "Argument[1]", "%-url", "manual"]
       - ["org.apache.hc.core5.http.message", "BasicClassicHttpRequest", True, "BasicClassicHttpRequest", "(String,URI)", "", "Argument[1]", "%-url", "manual"]
-      - ["org.apache.hc.core5.http.message", "BasicHttpRequest", True, "BasicHttpRequest", "(Method,HttpHost,String)", "", "Argument[1]", "%-url", "manual"]                # ! ModelType: sink, Notes:
+      # ! BasicHttpRequest extends Object>HeaderGroup, subclass is BasicClassicHttpRequest, implements Serializable, HttpMessage, HttpRequest, MessageHeaders; has javadocs
+      - ["org.apache.hc.core5.http.message", "BasicHttpRequest", True, "BasicHttpRequest", "(Method,HttpHost,String)", "", "Argument[1]", "%-url", "manual"]
       - ["org.apache.hc.core5.http.message", "BasicHttpRequest", True, "BasicHttpRequest", "(Method,URI)", "", "Argument[1]", "%-url", "manual"]
-      - ["org.apache.hc.core5.http.message", "BasicHttpRequest", True, "BasicHttpRequest", "(String,HttpHost,String)", "", "Argument[1]", "%-url", "manual"]                # ! ModelType: sink, Notes:
+      - ["org.apache.hc.core5.http.message", "BasicHttpRequest", True, "BasicHttpRequest", "(String,HttpHost,String)", "", "Argument[1]", "%-url", "manual"]
       - ["org.apache.hc.core5.http.message", "BasicHttpRequest", True, "BasicHttpRequest", "(String,URI)", "", "Argument[1]", "%-url", "manual"]
-      - ["org.apache.hc.core5.http.message", "BasicHttpRequest", True, "setUri", "", "", "Argument[0]", "%-url", "manual"]
-      - ["org.apache.hc.core5.http.message", "HttpRequestWrapper", True, "setUri", "", "", "Argument[0]", "%-url", "manual"]
-      - ["org.apache.hc.core5.http.message", "RequestLine", True, "RequestLine", "(String,String,ProtocolVersion)", "", "Argument[1]", "%-url", "manual"] # ! already a taint step
+      - ["org.apache.hc.core5.http.message", "BasicHttpRequest", True, "setUri", "(URI)", "", "Argument[0]", "%-url", "manual"]
+      # ! HttpRequestWrapper extends Object>AbstractMessageWrapper, no subclasses, implements HttpMessage, HttpRequest, MessageHeaders; has javadocs
+      - ["org.apache.hc.core5.http.message", "HttpRequestWrapper", True, "setUri", "(URI)", "", "Argument[0]", "%-url", "manual"]
 
   - addsTo:
       pack: codeql/java-all
diff --git a/java/ql/test/query-tests/security/CWE-918/ApacheHttp5SSRF.java b/java/ql/test/query-tests/security/CWE-918/ApacheHttp5SSRF.java
@@ -29,8 +29,17 @@
 import org.apache.hc.client5.http.classic.methods.HttpUriRequestBase;
 
 import org.apache.hc.client5.http.fluent.Request;
-// import org.apache.hc.client5.http.protocol.RedirectLocations;
-// import org.apache.hc.client5.http.utils.URIUtils;
+
+import org.apache.hc.core5.http.impl.bootstrap.HttpAsyncRequester;
+import org.apache.hc.core5.http.impl.io.DefaultClassicHttpRequestFactory;
+import org.apache.hc.core5.http.impl.nio.DefaultHttpRequestFactory;
+
+import org.apache.hc.core5.http.io.support.ClassicRequestBuilder;
+
+import org.apache.hc.core5.http.message.BasicClassicHttpRequest;
+import org.apache.hc.core5.http.message.BasicHttpRequest;
+import org.apache.hc.core5.http.message.HttpRequestWrapper;
+
 
 public class ApacheHttp5SSRF extends HttpServlet {
 
@@ -285,4 +294,119 @@ protected void doGet3(HttpServletRequest request, HttpServletResponse response)
             // TODO: handle exception
         }
     }
+
+    // org.apache.hc.core5.http.impl.bootstrap
+    // org.apache.hc.core5.http.impl.io
+    // org.apache.hc.core5.http.impl.nio
+    protected void doGet4(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        try {
+
+            String uriSink = request.getParameter("uri");
+            URI uri = new URI(uriSink);
+
+            String hostSink = request.getParameter("host");
+            HttpHost host = new HttpHost(hostSink);
+
+            // org.apache.hc.core5.http.impl.bootstrap
+            //AsyncRequesterBootstrap asyncReq = new AsyncRequesterBootstrap();
+            HttpAsyncRequester httpAsyncReq = new HttpAsyncRequester(null, null, null, null, null, null);
+            httpAsyncReq.connect(host, null); // $ SSRF
+            httpAsyncReq.connect(host, null, null, null); // $ SSRF
+
+            // org.apache.hc.core5.http.impl.io
+            DefaultClassicHttpRequestFactory defClassicHttpReqFact = new DefaultClassicHttpRequestFactory();
+            defClassicHttpReqFact.newHttpRequest("method", uri.toString()); // $ SSRF
+            defClassicHttpReqFact.newHttpRequest("method", uri); // $ SSRF
+
+            // org.apache.hc.core5.http.impl.nio
+            DefaultHttpRequestFactory defHttpReqFact = new DefaultHttpRequestFactory();
+            defHttpReqFact.newHttpRequest("method", uri.toString()); // $ SSRF
+            defHttpReqFact.newHttpRequest("method", uri); // $ SSRF
+
+        } catch (Exception e) {
+            // TODO: handle exception
+        }
+    }
+
+    // org.apache.hc.core5.http.io.support
+    protected void doGet5(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        try {
+
+            String uriSink = request.getParameter("uri");
+            URI uri = new URI(uriSink);
+
+            String hostSink = request.getParameter("host");
+            HttpHost host = new HttpHost(hostSink);
+
+            // org.apache.hc.core5.http.io.support.ClassicRequestBuilder
+            ClassicRequestBuilder.delete(uri.toString()); // $ SSRF
+            ClassicRequestBuilder.delete(uri); // $ SSRF
+
+            ClassicRequestBuilder.get(uri.toString()); // $ SSRF
+            ClassicRequestBuilder.get(uri); // $ SSRF
+
+            ClassicRequestBuilder.head(uri.toString()); // $ SSRF
+            ClassicRequestBuilder.head(uri); // $ SSRF
+
+            ClassicRequestBuilder.options(uri.toString()); // $ SSRF
+            ClassicRequestBuilder.options(uri); // $ SSRF
+
+            ClassicRequestBuilder.patch(uri.toString()); // $ SSRF
+            ClassicRequestBuilder.patch(uri); // $ SSRF
+
+            ClassicRequestBuilder.post(uri.toString()); // $ SSRF
+            ClassicRequestBuilder.post(uri); // $ SSRF
+
+            ClassicRequestBuilder.put(uri.toString()); // $ SSRF
+            ClassicRequestBuilder.put(uri); // $ SSRF
+
+            ClassicRequestBuilder.get().setHttpHost(host); // $ SSRF
+
+            ClassicRequestBuilder.get().setUri(uri.toString()); // $ SSRF
+            ClassicRequestBuilder.get().setUri(uri); // $ SSRF
+
+            ClassicRequestBuilder.trace(uri.toString()); // $ SSRF
+            ClassicRequestBuilder.trace(uri); // $ SSRF
+
+        } catch (Exception e) {
+            // TODO: handle exception
+        }
+    }
+
+    // org.apache.hc.core5.http.message
+    protected void doGet6(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        try {
+
+            String uriSink = request.getParameter("uri");
+            URI uri = new URI(uriSink);
+
+            String hostSink = request.getParameter("host");
+            HttpHost host = new HttpHost(hostSink);
+
+            // BasicClassicHttpRequest
+            new BasicClassicHttpRequest(Method.CONNECT, host, "path"); // $ SSRF
+            new BasicClassicHttpRequest(Method.CONNECT, uri); // $ SSRF
+            new BasicClassicHttpRequest("method", host, "path"); // $ SSRF
+            new BasicClassicHttpRequest("method", uri); // $ SSRF
+
+            // BasicHttpRequest
+            new BasicHttpRequest(Method.CONNECT, host, "path"); // $ SSRF
+            new BasicHttpRequest(Method.CONNECT, uri); // $ SSRF
+            new BasicHttpRequest("method", host, "path"); // $ SSRF
+            new BasicHttpRequest("method", uri); // $ SSRF
+            BasicHttpRequest bhr = new BasicHttpRequest("method", "path");
+            bhr.setUri(uri); // $ SSRF
+
+            // HttpRequestWrapper
+            HttpRequestWrapper hrw = new HttpRequestWrapper(null);
+            hrw.setUri(uri); // $ SSRF
+
+        } catch (Exception e) {
+            // TODO: handle exception
+        }
+    }
+
 }
