Skip to content

Commit a149c41

Browse files
jcogs33jcogs33
authored
Merge pull request github#12155 from jcogs33/jcogs33/add-heuristic-ssrf-models
Java: add ssrf models discovered with heuristics
2 parents bb8c3de + 25786f6 commit a149c41

File tree

137 files changed

+3075
-778
lines changed

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

137 files changed

+3075
-778
lines changed

java/ql/lib/change-notes/2023-04-06-add-apache-models.md

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,4 @@
1+
---
2+
category: minorAnalysis
3+
---
4+
* Added models for [Apache HttpComponents](https://hc.apache.org/) versions 4 and 5.

java/ql/lib/ext/io.netty.handler.codec.http.model.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -5,6 +5,7 @@ extensions:
55
data:
66
- ["io.netty.handler.codec.http", "DefaultFullHttpRequest", True, "DefaultFullHttpRequest", "(HttpVersion,HttpMethod,String,ByteBuf)", "", "Argument[2]", "open-url", "ai-manual"]
77
- ["io.netty.handler.codec.http", "DefaultHttpRequest", True, "DefaultHttpRequest", "(HttpVersion,HttpMethod,String)", "", "Argument[2]", "open-url", "ai-manual"]
8+
- ["io.netty.handler.codec.http", "HttpRequest", True, "setUri", "", "", "Argument[0]", "open-url", "manual"]
89
- addsTo:
910
pack: codeql/java-all
1011
extensible: summaryModel
@@ -67,12 +68,11 @@ extensions:
6768
- ["io.netty.handler.codec.http", "HttpHeaders", True, "valueCharSequenceIterator", "(CharSequence)", "", "Argument[this].Element.MapValue", "ReturnValue.Element", "taint", "manual"]
6869
- ["io.netty.handler.codec.http", "HttpHeaders", True, "toString", "", "", "Argument[this].Element.MapKey", "ReturnValue", "taint", "manual"]
6970
- ["io.netty.handler.codec.http", "HttpHeaders", True, "toString", "", "", "Argument[this].Element.MapValue", "ReturnValue", "taint", "manual"]
70-
# Currently all write steps to http messages are taint flow. It may reduce FPs to use a synthetic field for headers instead.
71+
# Currently all write steps to http messages are taint flow. It may reduce FPs to use a synthetic field for headers instead.
7172
- ["io.netty.handler.codec.http", "HttpMessage", True, "headers", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
7273
- ["io.netty.handler.codec.http", "LastHttpContent", True, "trailingHeaders", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
7374
- ["io.netty.handler.codec.http", "HttpRequest", True, "getUri", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
7475
- ["io.netty.handler.codec.http", "HttpRequest", True, "uri", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
75-
- ["io.netty.handler.codec.http", "HttpRequest", True, "setUri", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
7676
- ["io.netty.handler.codec.http", "QueryStringDecoder", True, "QueryStringDecoder", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
7777
- ["io.netty.handler.codec.http", "QueryStringDecoder", True, "decodeComponent", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
7878
- ["io.netty.handler.codec.http", "QueryStringDecoder", True, "parameters", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]

java/ql/lib/ext/org.apache.hc.client5.http.async.methods.model.yml

Lines changed: 89 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,89 @@
1+
extensions:
2+
- addsTo:
3+
pack: codeql/java-all
4+
extensible: sinkModel
5+
data:
6+
- ["org.apache.hc.client5.http.async.methods", "BasicHttpRequests", True, "create", "(Method,HttpHost,String)", "", "Argument[1]", "open-url", "hq-manual"]
7+
- ["org.apache.hc.client5.http.async.methods", "BasicHttpRequests", True, "create", "(Method,String)", "", "Argument[1]", "open-url", "hq-manual"]
8+
- ["org.apache.hc.client5.http.async.methods", "BasicHttpRequests", True, "create", "(Method,URI)", "", "Argument[1]", "open-url", "hq-manual"]
9+
- ["org.apache.hc.client5.http.async.methods", "BasicHttpRequests", True, "create", "(String,String)", "", "Argument[1]", "open-url", "hq-manual"]
10+
- ["org.apache.hc.client5.http.async.methods", "BasicHttpRequests", True, "create", "(String,URI)", "", "Argument[1]", "open-url", "hq-manual"]
11+
- ["org.apache.hc.client5.http.async.methods", "BasicHttpRequests", True, "delete", "(HttpHost,String)", "", "Argument[0]", "open-url", "hq-manual"]
12+
- ["org.apache.hc.client5.http.async.methods", "BasicHttpRequests", True, "delete", "(String)", "", "Argument[0]", "open-url", "hq-manual"]
13+
- ["org.apache.hc.client5.http.async.methods", "BasicHttpRequests", True, "delete", "(URI)", "", "Argument[0]", "open-url", "hq-manual"]
14+
- ["org.apache.hc.client5.http.async.methods", "BasicHttpRequests", True, "get", "(HttpHost,String)", "", "Argument[0]", "open-url", "hq-manual"]
15+
- ["org.apache.hc.client5.http.async.methods", "BasicHttpRequests", True, "get", "(String)", "", "Argument[0]", "open-url", "hq-manual"]
16+
- ["org.apache.hc.client5.http.async.methods", "BasicHttpRequests", True, "get", "(URI)", "", "Argument[0]", "open-url", "hq-manual"]
17+
- ["org.apache.hc.client5.http.async.methods", "BasicHttpRequests", True, "head", "(HttpHost,String)", "", "Argument[0]", "open-url", "hq-manual"]
18+
- ["org.apache.hc.client5.http.async.methods", "BasicHttpRequests", True, "head", "(String)", "", "Argument[0]", "open-url", "hq-manual"]
19+
- ["org.apache.hc.client5.http.async.methods", "BasicHttpRequests", True, "head", "(URI)", "", "Argument[0]", "open-url", "hq-manual"]
20+
- ["org.apache.hc.client5.http.async.methods", "BasicHttpRequests", True, "options", "(HttpHost,String)", "", "Argument[0]", "open-url", "hq-manual"]
21+
- ["org.apache.hc.client5.http.async.methods", "BasicHttpRequests", True, "options", "(String)", "", "Argument[0]", "open-url", "hq-manual"]
22+
- ["org.apache.hc.client5.http.async.methods", "BasicHttpRequests", True, "options", "(URI)", "", "Argument[0]", "open-url", "hq-manual"]
23+
- ["org.apache.hc.client5.http.async.methods", "BasicHttpRequests", True, "patch", "(HttpHost,String)", "", "Argument[0]", "open-url", "hq-manual"]
24+
- ["org.apache.hc.client5.http.async.methods", "BasicHttpRequests", True, "patch", "(String)", "", "Argument[0]", "open-url", "hq-manual"]
25+
- ["org.apache.hc.client5.http.async.methods", "BasicHttpRequests", True, "patch", "(URI)", "", "Argument[0]", "open-url", "hq-manual"]
26+
- ["org.apache.hc.client5.http.async.methods", "BasicHttpRequests", True, "post", "(HttpHost,String)", "", "Argument[0]", "open-url", "hq-manual"]
27+
- ["org.apache.hc.client5.http.async.methods", "BasicHttpRequests", True, "post", "(String)", "", "Argument[0]", "open-url", "hq-manual"]
28+
- ["org.apache.hc.client5.http.async.methods", "BasicHttpRequests", True, "post", "(URI)", "", "Argument[0]", "open-url", "hq-manual"]
29+
- ["org.apache.hc.client5.http.async.methods", "BasicHttpRequests", True, "put", "(HttpHost,String)", "", "Argument[0]", "open-url", "hq-manual"]
30+
- ["org.apache.hc.client5.http.async.methods", "BasicHttpRequests", True, "put", "(String)", "", "Argument[0]", "open-url", "hq-manual"]
31+
- ["org.apache.hc.client5.http.async.methods", "BasicHttpRequests", True, "put", "(URI)", "", "Argument[0]", "open-url", "hq-manual"]
32+
- ["org.apache.hc.client5.http.async.methods", "BasicHttpRequests", True, "trace", "(HttpHost,String)", "", "Argument[0]", "open-url", "hq-manual"]
33+
- ["org.apache.hc.client5.http.async.methods", "BasicHttpRequests", True, "trace", "(String)", "", "Argument[0]", "open-url", "hq-manual"]
34+
- ["org.apache.hc.client5.http.async.methods", "BasicHttpRequests", True, "trace", "(URI)", "", "Argument[0]", "open-url", "hq-manual"]
35+
- ["org.apache.hc.client5.http.async.methods", "ConfigurableHttpRequest", True, "ConfigurableHttpRequest", "(String,HttpHost,String)", "", "Argument[1]", "open-url", "hq-manual"]
36+
- ["org.apache.hc.client5.http.async.methods", "ConfigurableHttpRequest", True, "ConfigurableHttpRequest", "(String,URI)", "", "Argument[1]", "open-url", "hq-manual"]
37+
- ["org.apache.hc.client5.http.async.methods", "SimpleHttpRequest", True, "SimpleHttpRequest", "(Method,HttpHost,String)", "", "Argument[1]", "open-url", "hq-manual"]
38+
- ["org.apache.hc.client5.http.async.methods", "SimpleHttpRequest", True, "SimpleHttpRequest", "(Method,URI)", "", "Argument[1]", "open-url", "hq-manual"]
39+
- ["org.apache.hc.client5.http.async.methods", "SimpleHttpRequest", True, "SimpleHttpRequest", "(String,HttpHost,String)", "", "Argument[1]", "open-url", "hq-manual"]
40+
- ["org.apache.hc.client5.http.async.methods", "SimpleHttpRequest", True, "SimpleHttpRequest", "(String,URI)", "", "Argument[1]", "open-url", "hq-manual"]
41+
- ["org.apache.hc.client5.http.async.methods", "SimpleHttpRequest", True, "create", "(Method,HttpHost,String)", "", "Argument[1]", "open-url", "hq-manual"]
42+
- ["org.apache.hc.client5.http.async.methods", "SimpleHttpRequest", True, "create", "(Method,URI)", "", "Argument[1]", "open-url", "hq-manual"]
43+
- ["org.apache.hc.client5.http.async.methods", "SimpleHttpRequest", True, "create", "(String,String)", "", "Argument[1]", "open-url", "hq-manual"]
44+
- ["org.apache.hc.client5.http.async.methods", "SimpleHttpRequest", True, "create", "(String,URI)", "", "Argument[1]", "open-url", "hq-manual"]
45+
- ["org.apache.hc.client5.http.async.methods", "SimpleHttpRequests", True, "create", "(Method,HttpHost,String)", "", "Argument[1]", "open-url", "hq-manual"]
46+
- ["org.apache.hc.client5.http.async.methods", "SimpleHttpRequests", True, "create", "(Method,String)", "", "Argument[1]", "open-url", "hq-manual"]
47+
- ["org.apache.hc.client5.http.async.methods", "SimpleHttpRequests", True, "create", "(Method,URI)", "", "Argument[1]", "open-url", "hq-manual"]
48+
- ["org.apache.hc.client5.http.async.methods", "SimpleHttpRequests", True, "create", "(String,String)", "", "Argument[1]", "open-url", "hq-manual"]
49+
- ["org.apache.hc.client5.http.async.methods", "SimpleHttpRequests", True, "create", "(String,URI)", "", "Argument[1]", "open-url", "hq-manual"]
50+
- ["org.apache.hc.client5.http.async.methods", "SimpleHttpRequests", True, "delete", "(HttpHost,String)", "", "Argument[0]", "open-url", "hq-manual"]
51+
- ["org.apache.hc.client5.http.async.methods", "SimpleHttpRequests", True, "delete", "(String)", "", "Argument[0]", "open-url", "hq-manual"]
52+
- ["org.apache.hc.client5.http.async.methods", "SimpleHttpRequests", True, "delete", "(URI)", "", "Argument[0]", "open-url", "hq-manual"]
53+
- ["org.apache.hc.client5.http.async.methods", "SimpleHttpRequests", True, "get", "(HttpHost,String)", "", "Argument[0]", "open-url", "hq-manual"]
54+
- ["org.apache.hc.client5.http.async.methods", "SimpleHttpRequests", True, "get", "(String)", "", "Argument[0]", "open-url", "hq-manual"]
55+
- ["org.apache.hc.client5.http.async.methods", "SimpleHttpRequests", True, "get", "(URI)", "", "Argument[0]", "open-url", "hq-manual"]
56+
- ["org.apache.hc.client5.http.async.methods", "SimpleHttpRequests", True, "head", "(HttpHost,String)", "", "Argument[0]", "open-url", "hq-manual"]
57+
- ["org.apache.hc.client5.http.async.methods", "SimpleHttpRequests", True, "head", "(String)", "", "Argument[0]", "open-url", "hq-manual"]
58+
- ["org.apache.hc.client5.http.async.methods", "SimpleHttpRequests", True, "head", "(URI)", "", "Argument[0]", "open-url", "hq-manual"]
59+
- ["org.apache.hc.client5.http.async.methods", "SimpleHttpRequests", True, "options", "(HttpHost,String)", "", "Argument[0]", "open-url", "hq-manual"]
60+
- ["org.apache.hc.client5.http.async.methods", "SimpleHttpRequests", True, "options", "(String)", "", "Argument[0]", "open-url", "hq-manual"]
61+
- ["org.apache.hc.client5.http.async.methods", "SimpleHttpRequests", True, "options", "(URI)", "", "Argument[0]", "open-url", "hq-manual"]
62+
- ["org.apache.hc.client5.http.async.methods", "SimpleHttpRequests", True, "patch", "(HttpHost,String)", "", "Argument[0]", "open-url", "hq-manual"]
63+
- ["org.apache.hc.client5.http.async.methods", "SimpleHttpRequests", True, "patch", "(String)", "", "Argument[0]", "open-url", "hq-manual"]
64+
- ["org.apache.hc.client5.http.async.methods", "SimpleHttpRequests", True, "patch", "(URI)", "", "Argument[0]", "open-url", "hq-manual"]
65+
- ["org.apache.hc.client5.http.async.methods", "SimpleHttpRequests", True, "post", "(HttpHost,String)", "", "Argument[0]", "open-url", "hq-manual"]
66+
- ["org.apache.hc.client5.http.async.methods", "SimpleHttpRequests", True, "post", "(String)", "", "Argument[0]", "open-url", "hq-manual"]
67+
- ["org.apache.hc.client5.http.async.methods", "SimpleHttpRequests", True, "post", "(URI)", "", "Argument[0]", "open-url", "hq-manual"]
68+
- ["org.apache.hc.client5.http.async.methods", "SimpleHttpRequests", True, "put", "(HttpHost,String)", "", "Argument[0]", "open-url", "hq-manual"]
69+
- ["org.apache.hc.client5.http.async.methods", "SimpleHttpRequests", True, "put", "(String)", "", "Argument[0]", "open-url", "hq-manual"]
70+
- ["org.apache.hc.client5.http.async.methods", "SimpleHttpRequests", True, "put", "(URI)", "", "Argument[0]", "open-url", "hq-manual"]
71+
- ["org.apache.hc.client5.http.async.methods", "SimpleHttpRequests", True, "trace", "(HttpHost,String)", "", "Argument[0]", "open-url", "hq-manual"]
72+
- ["org.apache.hc.client5.http.async.methods", "SimpleHttpRequests", True, "trace", "(String)", "", "Argument[0]", "open-url", "hq-manual"]
73+
- ["org.apache.hc.client5.http.async.methods", "SimpleHttpRequests", True, "trace", "(URI)", "", "Argument[0]", "open-url", "hq-manual"]
74+
- ["org.apache.hc.client5.http.async.methods", "SimpleRequestBuilder", True, "delete", "(String)", "", "Argument[0]", "open-url", "hq-manual"]
75+
- ["org.apache.hc.client5.http.async.methods", "SimpleRequestBuilder", True, "delete", "(URI)", "", "Argument[0]", "open-url", "hq-manual"]
76+
- ["org.apache.hc.client5.http.async.methods", "SimpleRequestBuilder", True, "get", "(String)", "", "Argument[0]", "open-url", "hq-manual"]
77+
- ["org.apache.hc.client5.http.async.methods", "SimpleRequestBuilder", True, "get", "(URI)", "", "Argument[0]", "open-url", "hq-manual"]
78+
- ["org.apache.hc.client5.http.async.methods", "SimpleRequestBuilder", True, "head", "(String)", "", "Argument[0]", "open-url", "hq-manual"]
79+
- ["org.apache.hc.client5.http.async.methods", "SimpleRequestBuilder", True, "head", "(URI)", "", "Argument[0]", "open-url", "hq-manual"]
80+
- ["org.apache.hc.client5.http.async.methods", "SimpleRequestBuilder", True, "options", "(String)", "", "Argument[0]", "open-url", "hq-manual"]
81+
- ["org.apache.hc.client5.http.async.methods", "SimpleRequestBuilder", True, "options", "(URI)", "", "Argument[0]", "open-url", "hq-manual"]
82+
- ["org.apache.hc.client5.http.async.methods", "SimpleRequestBuilder", True, "patch", "(String)", "", "Argument[0]", "open-url", "hq-manual"]
83+
- ["org.apache.hc.client5.http.async.methods", "SimpleRequestBuilder", True, "patch", "(URI)", "", "Argument[0]", "open-url", "hq-manual"]
84+
- ["org.apache.hc.client5.http.async.methods", "SimpleRequestBuilder", True, "post", "(String)", "", "Argument[0]", "open-url", "hq-manual"]
85+
- ["org.apache.hc.client5.http.async.methods", "SimpleRequestBuilder", True, "post", "(URI)", "", "Argument[0]", "open-url", "hq-manual"]
86+
- ["org.apache.hc.client5.http.async.methods", "SimpleRequestBuilder", True, "put", "(String)", "", "Argument[0]", "open-url", "hq-manual"]
87+
- ["org.apache.hc.client5.http.async.methods", "SimpleRequestBuilder", True, "put", "(URI)", "", "Argument[0]", "open-url", "hq-manual"]
88+
- ["org.apache.hc.client5.http.async.methods", "SimpleRequestBuilder", True, "trace", "(String)", "", "Argument[0]", "open-url", "hq-manual"]
89+
- ["org.apache.hc.client5.http.async.methods", "SimpleRequestBuilder", True, "trace", "(URI)", "", "Argument[0]", "open-url", "hq-manual"]

0 commit comments

Comments
 (0)