Add Jakarta WS url-open sink

smowton · smowton · commit 11b70326fd90 · 2021-06-17T11:58:41.000+01:00
diff --git a/java/ql/src/semmle/code/java/frameworks/JaxWS.qll b/java/ql/src/semmle/code/java/frameworks/JaxWS.qll
@@ -789,6 +789,10 @@ private class UriBuilderModel extends SummaryModelCsv {
 
 private class JaxRsUrlOpenSink extends SinkModelCsv {
   override predicate row(string row) {
-    row = ["javax.ws.rs.client;Client;true;target;;;Argument[0];open-url"]
+    row =
+      [
+        "javax.ws.rs.client;Client;true;target;;;Argument[0];open-url",
+        "jakarta.ws.rs.client;Client;true;target;;;Argument[0];open-url"
+      ]
   }
 }
diff --git a/java/ql/test/query-tests/security/CWE-918/JakartaWsSSRF.java b/java/ql/test/query-tests/security/CWE-918/JakartaWsSSRF.java
@@ -0,0 +1,18 @@
+import jakarta.ws.rs.client.*;
+import java.io.IOException;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+public class JakartaWsSSRF extends HttpServlet {
+
+    protected void doGet(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        Client client = ClientBuilder.newClient();
+        String url = request.getParameter("url");
+        client.target(url); // $ SSRF
+    }
+
+}
diff --git a/java/ql/test/query-tests/security/CWE-918/options b/java/ql/test/query-tests/security/CWE-918/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -source 11 -target 11 -cp ${testdir}/../../../stubs/springframework-5.2.3:${testdir}/../../../stubs/javax-ws-rs-api-2.1.1:${testdir}/../../../stubs/apache-http-4.4.13/:${testdir}/../../../stubs/servlet-api-2.4/
+//semmle-extractor-options: --javac-args -source 11 -target 11 -cp ${testdir}/../../../stubs/springframework-5.2.3:${testdir}/../../../stubs/javax-ws-rs-api-2.1.1:${testdir}/../../../stubs/javax-ws-rs-api-3.0.0:${testdir}/../../../stubs/apache-http-4.4.13/:${testdir}/../../../stubs/servlet-api-2.4/
diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/client/Client.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/client/Client.java
@@ -15,23 +15,23 @@
  */
 
 package javax.ws.rs.client;
-// import java.net.URI;
+import java.net.URI;
 import javax.ws.rs.core.Configurable;
-// import javax.ws.rs.core.Link;
-// import javax.ws.rs.core.UriBuilder;
+import javax.ws.rs.core.Link;
+import javax.ws.rs.core.UriBuilder;
 // import javax.net.ssl.HostnameVerifier;
 // import javax.net.ssl.SSLContext;
 
 public interface Client extends Configurable<Client> {
     public void close();
 
-    // public WebTarget target(String uri);
+    public WebTarget target(String uri);
 
-    // public WebTarget target(URI uri);
+    public WebTarget target(URI uri);
 
-    // public WebTarget target(UriBuilder uriBuilder);
+    public WebTarget target(UriBuilder uriBuilder);
 
-    // public WebTarget target(Link link);
+    public WebTarget target(Link link);
 
     // public Invocation.Builder invocation(Link link);
 
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/client/Client.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/client/Client.java
@@ -15,23 +15,23 @@
  */
 
 package jakarta.ws.rs.client;
-// import java.net.URI;
+import java.net.URI;
 // import javax.net.ssl.HostnameVerifier;
 // import javax.net.ssl.SSLContext;
 import jakarta.ws.rs.core.Configurable;
-// import jakarta.ws.rs.core.Link;
-// import jakarta.ws.rs.core.UriBuilder;
+import jakarta.ws.rs.core.Link;
+import jakarta.ws.rs.core.UriBuilder;
 
 public interface Client extends Configurable<Client> {
     public void close();
 
-    // public WebTarget target(String uri);
+    public WebTarget target(String uri);
 
-    // public WebTarget target(URI uri);
+    public WebTarget target(URI uri);
 
-    // public WebTarget target(UriBuilder uriBuilder);
+    public WebTarget target(UriBuilder uriBuilder);
 
-    // public WebTarget target(Link link);
+    public WebTarget target(Link link);
 
     // public Invocation.Builder invocation(Link link);
 
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/client/ClientBuilder.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/client/ClientBuilder.java
@@ -0,0 +1,19 @@
+package jakarta.ws.rs.client;
+
+public abstract class ClientBuilder implements jakarta.ws.rs.core.Configurable {
+
+    protected ClientBuilder() {
+    }
+
+    public static jakarta.ws.rs.client.ClientBuilder newBuilder() {
+        return null;
+    }
+
+    public static jakarta.ws.rs.client.Client newClient() {
+        return null;
+    }
+
+    public static jakarta.ws.rs.client.Client newClient(jakarta.ws.rs.core.Configuration configuration) {
+        return null;
+    }
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/client/WebTarget.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/client/WebTarget.java
@@ -0,0 +1,4 @@
+package jakarta.ws.rs.client;
+
+public abstract interface WebTarget extends jakarta.ws.rs.core.Configurable {
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Configuration.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Configuration.java
@@ -0,0 +1,3 @@
+package jakarta.ws.rs.core;
+
+public abstract interface Configuration {}

Original file line number	Diff line number	Diff line change
`@@ -789,6 +789,10 @@ private class UriBuilderModel extends SummaryModelCsv {`
`789`	`789`
`790`	`790`	`private class JaxRsUrlOpenSink extends SinkModelCsv {`
`791`	`791`	`override predicate row(string row) {`
`792`		`- row = ["javax.ws.rs.client;Client;true;target;;;Argument[0];open-url"]`
	`792`	`+ row =`
	`793`	`+ [`
	`794`	`+ "javax.ws.rs.client;Client;true;target;;;Argument[0];open-url",`
	`795`	`+ "jakarta.ws.rs.client;Client;true;target;;;Argument[0];open-url"`
	`796`	`+ ]`
`793`	`797`	`}`
`794`	`798`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-//semmle-extractor-options: --javac-args -source 11 -target 11 -cp ${testdir}/../../../stubs/springframework-5.2.3:${testdir}/../../../stubs/javax-ws-rs-api-2.1.1:${testdir}/../../../stubs/apache-http-4.4.13/:${testdir}/../../../stubs/servlet-api-2.4/`
	`1`	`+//semmle-extractor-options: --javac-args -source 11 -target 11 -cp ${testdir}/../../../stubs/springframework-5.2.3:${testdir}/../../../stubs/javax-ws-rs-api-2.1.1:${testdir}/../../../stubs/javax-ws-rs-api-3.0.0:${testdir}/../../../stubs/apache-http-4.4.13/:${testdir}/../../../stubs/servlet-api-2.4/`
-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +package jakarta.ws.rs.client;
++
 +public abstract interface WebTarget extends jakarta.ws.rs.core.Configurable {
 +}
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+package jakarta.ws.rs.core;`
	`2`	`+`
	`3`	`+public abstract interface Configuration {}`