Skip to content

Java: add more Spring RestTemplate request forgery sinks #20930

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

Java: add more Spring RestTemplate request forgery sinks #20930

wants to merge 4 commits into from
+502 −145

Conversation

@owen-mc
Copy link
Contributor

@owen-mc owen-mc commented Nov 28, 2025
edited
Loading

This is an extension of #18153 to include all the other methods on the class RestTemplate which have a parameter named uriVariables. They should all be request forgery sinks, but the original PR only did it for getForObject.

It is hard to do performance analysis or evaluate precision because they are very few uses of these APIs in public repos. (We know from customer feedback that they are used in enterprise code.) I looked at the tuple counts from running the query on the test and didn't see any sign of bad join orders.

Copilot AI review requested due to automatic review settings November 28, 2025 00:00
@owen-mc owen-mc requested a review from a team as a code owner November 28, 2025 00:00
Copilot finished reviewing on behalf of owen-mc November 28, 2025 00:02
Copilot AI reviewed Nov 28, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR extends SSRF (Server-Side Request Forgery) detection for Spring RestTemplate to include all methods with uriVariables parameters, not just getForObject. This addresses customer feedback about enterprise code usage patterns that weren't previously covered.

Key changes:

  • Refactored specific getForObject sink detection to a generic approach covering all RestTemplate methods with uriVariables parameters
  • Added comprehensive test coverage for all 11 affected methods (delete, exchange, execute, getForEntity, getForObject, headForHeaders, optionsForAllow, patchForObject, postForEntity, postForLocation, postForObject, put)
  • Updated expected test results to reflect the expanded sink detection

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

File Description
java/ql/lib/semmle/code/java/frameworks/spring/SpringWebClient.qll Refactored sink detection from method-specific to generic class that handles all RestTemplate methods with uriVariables parameters; added method position mapping
java/ql/test/query-tests/security/CWE-918/SpringSSRF.java Added comprehensive test cases for all 11 RestTemplate methods with various URL patterns and variable substitution scenarios
java/ql/test/query-tests/security/CWE-918/RequestForgery.expected Updated expected results to include new alerts from expanded RestTemplate method coverage
java/ql/lib/change-notes/2025-11-27-spring-rest-template-request-forgery-sinks.md Added change note documenting the expansion of SSRF sink detection

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

java/ql/lib/semmle/code/java/frameworks/spring/SpringWebClient.qll Outdated
Comment on lines 90 to 91
private class SpringWebClientRestTemplateGetForObject extends RequestForgerySink {
SpringWebClientRestTemplateGetForObject() {
Copy link

Copilot AI Nov 28, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The class name SpringWebClientRestTemplateGetForObject is misleading since it now handles all RestTemplate methods with uriVariables parameters, not just getForObject. Consider renaming to something more general like SpringWebClientRestTemplateUriVariables to better reflect its purpose.

Suggested change
private class SpringWebClientRestTemplateGetForObject extends RequestForgerySink {
SpringWebClientRestTemplateGetForObject() {
private class SpringWebClientRestTemplateUriVariables extends RequestForgerySink {
SpringWebClientRestTemplateUriVariables() {

Copilot uses AI. Check for mistakes.
java/ql/lib/semmle/code/java/frameworks/spring/SpringWebClient.qll Outdated
exists(SpringRestTemplateGetForObjectMethodCall mc, int i |
exists(SpringRestTemplateMethodWithUriVariablesParameter m, MethodCall mc, int i |
// Note that the first argument is modeled as a request forgery sink
// separately. This model is for arguments beyond the first two. There
Copy link

Copilot AI Nov 28, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The comment "arguments beyond the first two" is inaccurate for some methods. For example, delete has uriVariables at position 1, making it "arguments beyond the first", and headForHeaders/optionsForAllow also have uriVariables at position 1. Consider updating to "arguments beyond the URL parameter" or a similar generic description.

Suggested change
// separately. This model is for arguments beyond the first two. There
// separately. This model is for arguments beyond the URL parameter (i.e., those corresponding to `uriVariables`). There

Copilot uses AI. Check for mistakes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

documentation Java

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@owen-mc