Skip to content

Commit aac4f63

Browse files
d10cd10c
committed
Java: convert RequestForgery test to .qlref
1 parent 7f05b72 commit aac4f63

14 files changed

+2198
-388
lines changed

java/ql/test/query-tests/security/CWE-918/ApacheHttpSSRF.java

Lines changed: 25 additions & 25 deletions
Original file line numberDiff line numberDiff line change
@@ -24,38 +24,38 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response)
2424
throws ServletException, IOException {
2525
try {
2626

27-
String sink = request.getParameter("uri");
27+
String sink = request.getParameter("uri"); // $ Source
2828
URI uri = new URI(sink);
2929

30-
HttpGet httpGet = new HttpGet(uri); // $ SSRF
30+
HttpGet httpGet = new HttpGet(uri); // $ Alert
3131
HttpGet httpGet2 = new HttpGet();
32-
httpGet2.setURI(uri); // $ SSRF
32+
httpGet2.setURI(uri); // $ Alert
3333

34-
new HttpHead(uri); // $ SSRF
35-
new HttpPost(uri); // $ SSRF
36-
new HttpPut(uri); // $ SSRF
37-
new HttpDelete(uri); // $ SSRF
38-
new HttpOptions(uri); // $ SSRF
39-
new HttpTrace(uri); // $ SSRF
40-
new HttpPatch(uri); // $ SSRF
34+
new HttpHead(uri); // $ Alert
35+
new HttpPost(uri); // $ Alert
36+
new HttpPut(uri); // $ Alert
37+
new HttpDelete(uri); // $ Alert
38+
new HttpOptions(uri); // $ Alert
39+
new HttpTrace(uri); // $ Alert
40+
new HttpPatch(uri); // $ Alert
4141

42-
new BasicHttpRequest(new BasicRequestLine("GET", uri.toString(), null)); // $ SSRF
43-
new BasicHttpRequest("GET", uri.toString()); // $ SSRF
44-
new BasicHttpRequest("GET", uri.toString(), null); // $ SSRF
42+
new BasicHttpRequest(new BasicRequestLine("GET", uri.toString(), null)); // $ Alert
43+
new BasicHttpRequest("GET", uri.toString()); // $ Alert
44+
new BasicHttpRequest("GET", uri.toString(), null); // $ Alert
4545

46-
new BasicHttpEntityEnclosingRequest(new BasicRequestLine("GET", uri.toString(), null)); // $ SSRF
47-
new BasicHttpEntityEnclosingRequest("GET", uri.toString()); // $ SSRF
48-
new BasicHttpEntityEnclosingRequest("GET", uri.toString(), null); // $ SSRF
46+
new BasicHttpEntityEnclosingRequest(new BasicRequestLine("GET", uri.toString(), null)); // $ Alert
47+
new BasicHttpEntityEnclosingRequest("GET", uri.toString()); // $ Alert
48+
new BasicHttpEntityEnclosingRequest("GET", uri.toString(), null); // $ Alert
4949

50-
RequestBuilder.get(uri); // $ SSRF
51-
RequestBuilder.post(uri); // $ SSRF
52-
RequestBuilder.put(uri); // $ SSRF
53-
RequestBuilder.delete(uri); // $ SSRF
54-
RequestBuilder.options(uri); // $ SSRF
55-
RequestBuilder.head(uri); // $ SSRF
56-
RequestBuilder.trace(uri); // $ SSRF
57-
RequestBuilder.patch(uri); // $ SSRF
58-
RequestBuilder.get("").setUri(uri); // $ SSRF
50+
RequestBuilder.get(uri); // $ Alert
51+
RequestBuilder.post(uri); // $ Alert
52+
RequestBuilder.put(uri); // $ Alert
53+
RequestBuilder.delete(uri); // $ Alert
54+
RequestBuilder.options(uri); // $ Alert
55+
RequestBuilder.head(uri); // $ Alert
56+
RequestBuilder.trace(uri); // $ Alert
57+
RequestBuilder.patch(uri); // $ Alert
58+
RequestBuilder.get("").setUri(uri); // $ Alert
5959

6060
} catch (Exception e) {
6161
// TODO: handle exception

java/ql/test/query-tests/security/CWE-918/ApacheHttpSSRFVersion5.java

Lines changed: 188 additions & 188 deletions
Large diffs are not rendered by default.

java/ql/test/query-tests/security/CWE-918/JakartaWsSSRF.java

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -11,8 +11,8 @@ public class JakartaWsSSRF extends HttpServlet {
1111
protected void doGet(HttpServletRequest request, HttpServletResponse response)
1212
throws ServletException, IOException {
1313
Client client = ClientBuilder.newClient();
14-
String url = request.getParameter("url");
15-
client.target(url); // $ SSRF
14+
String url = request.getParameter("url"); // $ Source
15+
client.target(url); // $ Alert
1616
}
1717

1818
}

java/ql/test/query-tests/security/CWE-918/JavaNetHttpSSRF.java

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -22,21 +22,21 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response)
2222
throws ServletException, IOException {
2323
try {
2424

25-
String sink = request.getParameter("uri");
25+
String sink = request.getParameter("uri"); // $ Source
2626
URI uri = new URI(sink);
2727
URI uri2 = new URI("http", sink, "fragement");
2828
URL url1 = new URL(sink);
2929

30-
URLConnection c1 = url1.openConnection(); // $ SSRF
30+
URLConnection c1 = url1.openConnection(); // $ Alert
3131
SocketAddress sa = new SocketAddress() {
3232
};
33-
URLConnection c2 = url1.openConnection(new Proxy(Type.HTTP, sa)); // $ SSRF
34-
InputStream c3 = url1.openStream(); // $ SSRF
33+
URLConnection c2 = url1.openConnection(new Proxy(Type.HTTP, sa)); // $ Alert
34+
InputStream c3 = url1.openStream(); // $ Alert
3535

3636
// java.net.http
3737
HttpClient client = HttpClient.newHttpClient();
38-
HttpRequest request2 = HttpRequest.newBuilder().uri(uri2).build(); // $ SSRF
39-
HttpRequest request3 = HttpRequest.newBuilder(uri).build(); // $ SSRF
38+
HttpRequest request2 = HttpRequest.newBuilder().uri(uri2).build(); // $ Alert
39+
HttpRequest request3 = HttpRequest.newBuilder(uri).build(); // $ Alert
4040

4141
} catch (Exception e) {
4242
// TODO: handle exception

java/ql/test/query-tests/security/CWE-918/JaxWsSSRF.java

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -11,8 +11,8 @@ public class JaxWsSSRF extends HttpServlet {
1111
protected void doGet(HttpServletRequest request, HttpServletResponse response)
1212
throws ServletException, IOException {
1313
Client client = ClientBuilder.newClient();
14-
String url = request.getParameter("url");
15-
client.target(url); // $ SSRF
14+
String url = request.getParameter("url"); // $ Source
15+
client.target(url); // $ Alert
1616
}
1717

1818
}

java/ql/test/query-tests/security/CWE-918/JdbcUrlSSRF.java

Lines changed: 29 additions & 29 deletions
Original file line numberDiff line numberDiff line change
@@ -17,75 +17,75 @@ public class JdbcUrlSSRF extends HttpServlet {
1717

1818
protected void doGet(HttpServletRequest request, HttpServletResponse response)
1919
throws ServletException, IOException {
20-
21-
String jdbcUrl = request.getParameter("jdbcUrl");
20+
21+
String jdbcUrl = request.getParameter("jdbcUrl"); // $ Source
2222
Driver driver = new org.postgresql.Driver();
2323
DataSourceBuilder dsBuilder = DataSourceBuilder.create();
24-
24+
2525
try {
26-
driver.connect(jdbcUrl, null); // $ SSRF
26+
driver.connect(jdbcUrl, null); // $ Alert
2727

28-
DriverManager.getConnection(jdbcUrl); // $ SSRF
29-
DriverManager.getConnection(jdbcUrl, "user", "password"); // $ SSRF
30-
DriverManager.getConnection(jdbcUrl, null); // $ SSRF
28+
DriverManager.getConnection(jdbcUrl); // $ Alert
29+
DriverManager.getConnection(jdbcUrl, "user", "password"); // $ Alert
30+
DriverManager.getConnection(jdbcUrl, null); // $ Alert
3131

32-
dsBuilder.url(jdbcUrl); // $ SSRF
32+
dsBuilder.url(jdbcUrl); // $ Alert
3333
}
3434
catch(SQLException e) {}
3535
}
3636

3737
protected void doPost(HttpServletRequest request, HttpServletResponse response)
3838
throws ServletException, IOException {
39-
40-
String jdbcUrl = request.getParameter("jdbcUrl");
39+
40+
String jdbcUrl = request.getParameter("jdbcUrl"); // $ Source
4141
HikariConfig config = new HikariConfig();
4242

43-
config.setJdbcUrl(jdbcUrl); // $ SSRF
43+
config.setJdbcUrl(jdbcUrl); // $ Alert
4444
config.setUsername("database_username");
4545
config.setPassword("database_password");
4646

4747
HikariDataSource ds = new HikariDataSource();
48-
ds.setJdbcUrl(jdbcUrl); // $ SSRF
48+
ds.setJdbcUrl(jdbcUrl); // $ Alert
4949

5050
Properties props = new Properties();
5151
props.setProperty("driverClassName", "org.postgresql.Driver");
5252
props.setProperty("jdbcUrl", jdbcUrl);
5353

54-
HikariConfig config2 = new HikariConfig(props); // $ SSRF
54+
HikariConfig config2 = new HikariConfig(props); // $ Alert
5555
}
5656

5757
protected void doPut(HttpServletRequest request, HttpServletResponse response)
5858
throws ServletException, IOException {
5959

60-
String jdbcUrl = request.getParameter("jdbcUrl");
61-
60+
String jdbcUrl = request.getParameter("jdbcUrl"); // $ Source
61+
6262
DriverManagerDataSource dataSource = new DriverManagerDataSource();
63-
63+
6464
dataSource.setDriverClassName("org.postgresql.Driver");
65-
dataSource.setUrl(jdbcUrl); // $ SSRF
65+
dataSource.setUrl(jdbcUrl); // $ Alert
6666

67-
DriverManagerDataSource dataSource2 = new DriverManagerDataSource(jdbcUrl); // $ SSRF
67+
DriverManagerDataSource dataSource2 = new DriverManagerDataSource(jdbcUrl); // $ Alert
6868
dataSource2.setDriverClassName("org.postgresql.Driver");
6969

70-
DriverManagerDataSource dataSource3 = new DriverManagerDataSource(jdbcUrl, "user", "pass"); // $ SSRF
70+
DriverManagerDataSource dataSource3 = new DriverManagerDataSource(jdbcUrl, "user", "pass"); // $ Alert
7171
dataSource3.setDriverClassName("org.postgresql.Driver");
7272

73-
DriverManagerDataSource dataSource4 = new DriverManagerDataSource(jdbcUrl, null); // $ SSRF
73+
DriverManagerDataSource dataSource4 = new DriverManagerDataSource(jdbcUrl, null); // $ Alert
7474
dataSource4.setDriverClassName("org.postgresql.Driver");
7575
}
7676

7777
protected void doDelete(HttpServletRequest request, HttpServletResponse response)
7878
throws ServletException, IOException {
7979

80-
String jdbcUrl = request.getParameter("jdbcUrl");
80+
String jdbcUrl = request.getParameter("jdbcUrl"); // $ Source
8181

82-
Jdbi.create(jdbcUrl); // $ SSRF
83-
Jdbi.create(jdbcUrl, null); // $ SSRF
84-
Jdbi.create(jdbcUrl, "user", "pass"); // $ SSRF
82+
Jdbi.create(jdbcUrl); // $ Alert
83+
Jdbi.create(jdbcUrl, null); // $ Alert
84+
Jdbi.create(jdbcUrl, "user", "pass"); // $ Alert
8585

86-
Jdbi.open(jdbcUrl); // $ SSRF
87-
Jdbi.open(jdbcUrl, null); // $ SSRF
88-
Jdbi.open(jdbcUrl, "user", "pass"); // $ SSRF
86+
Jdbi.open(jdbcUrl); // $ Alert
87+
Jdbi.open(jdbcUrl, null); // $ Alert
88+
Jdbi.open(jdbcUrl, "user", "pass"); // $ Alert
8989
}
90-
91-
}
90+
91+
}

java/ql/test/query-tests/security/CWE-918/ReactiveWebClientSSRF.java

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -12,8 +12,8 @@ public class ReactiveWebClientSSRF extends HttpServlet {
1212
protected void doGet(HttpServletRequest request, HttpServletResponse response)
1313
throws ServletException, IOException {
1414
try {
15-
String url = request.getParameter("uri");
16-
WebClient webClient = WebClient.create(url); // $ SSRF
15+
String url = request.getParameter("uri"); // $ Source
16+
WebClient webClient = WebClient.create(url); // $ Alert
1717

1818
Mono<String> result = webClient.get()
1919
.uri("/")
@@ -29,10 +29,10 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response)
2929
protected void doPost(HttpServletRequest request, HttpServletResponse response)
3030
throws ServletException, IOException {
3131
try {
32-
String url = request.getParameter("uri");
32+
String url = request.getParameter("uri"); // $ Source
3333
WebClient webClient = WebClient.builder()
3434
.defaultHeader("User-Agent", "Java")
35-
.baseUrl(url) // $ SSRF
35+
.baseUrl(url) // $ Alert
3636
.build();
3737

3838

@@ -46,4 +46,4 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)
4646
// Ignore
4747
}
4848
}
49-
}
49+
}

0 commit comments

Comments
 (0)