Convert request forgery tests to inline expectations; add missing models revealed by this process.

Author: smowton

java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll

@@ -252,6 +252,8 @@ private predicate summaryModelCsv(string row) {
       "javax.xml.transform.stream;StreamSource;false;getInputStream;;;Argument[-1];ReturnValue;taint",
       "java.nio;ByteBuffer;false;get;;;Argument[-1];ReturnValue;taint",
       "java.net;URI;false;toURL;;;Argument[-1];ReturnValue;taint",
+      "java.net;URI;false;toString;;;Argument[-1];ReturnValue;taint",
+      "java.net;URI;false;toAsciiString;;;Argument[-1];ReturnValue;taint",
       "java.io;File;false;toURI;;;Argument[-1];ReturnValue;taint",
       "java.io;File;false;toPath;;;Argument[-1];ReturnValue;taint",
       "java.nio.file;Path;false;toFile;;;Argument[-1];ReturnValue;taint",

java/ql/src/semmle/code/java/frameworks/ApacheHttp.qll

@@ -261,7 +261,10 @@ private class ApacheHttpFlowStep extends SummaryModelCsv {
         "org.apache.hc.core5.util;CharArrayBuffer;true;toString;();;Argument[-1];ReturnValue;taint",
         "org.apache.hc.core5.util;CharArrayBuffer;true;substring;(int,int);;Argument[-1];ReturnValue;taint",
         "org.apache.hc.core5.util;CharArrayBuffer;true;subSequence;(int,int);;Argument[-1];ReturnValue;taint",
-        "org.apache.hc.core5.util;CharArrayBuffer;true;substringTrimmed;(int,int);;Argument[-1];ReturnValue;taint"
+        "org.apache.hc.core5.util;CharArrayBuffer;true;substringTrimmed;(int,int);;Argument[-1];ReturnValue;taint",
+        "org.apache.http.message;BasicRequestLine;false;BasicRequestLine;;;Argument[1];Argument[-1];taint",
+        "org.apache.http;RequestLine;true;getUri;;;Argument[-1];ReturnValue;taint",
+        "org.apache.http;RequestLine;true;toString;;;Argument[-1];ReturnValue;taint"
       ]
   }
 }

java/ql/src/semmle/code/java/frameworks/spring/SpringHttp.qll

@@ -53,11 +53,11 @@ private class UrlOpenSink extends SinkModelCsv {
         "org.springframework.http;RequestEntity;false;put;;;Argument[0];open-url",
         "org.springframework.http;RequestEntity;false;method;;;Argument[1];open-url",
         "org.springframework.http;RequestEntity;false;RequestEntity;(HttpMethod,URI);;Argument[1];open-url",
-        "org.springframework.http;RequestEntity;false;RequestEntity;(MultiValueMap,HttpMethod,URI);;Argument[2];open-url",
+        "org.springframework.http;RequestEntity;false;RequestEntity;(MultiValueMap<String,String>,HttpMethod,URI);;Argument[2];open-url",
         "org.springframework.http;RequestEntity;false;RequestEntity;(T,HttpMethod,URI);;Argument[2];open-url",
         "org.springframework.http;RequestEntity;false;RequestEntity;(T,HttpMethod,URI,Type);;Argument[2];open-url",
-        "org.springframework.http;RequestEntity;false;RequestEntity;(T,MultiValueMap,HttpMethod,URI);;Argument[3];open-url",
-        "org.springframework.http;RequestEntity;false;RequestEntity;(T,MultiValueMap,HttpMethod,URI,Type);;Argument[3];open-url"
+        "org.springframework.http;RequestEntity;false;RequestEntity;(T,MultiValueMap<String,String>,HttpMethod,URI);;Argument[3];open-url",
+        "org.springframework.http;RequestEntity;false;RequestEntity;(T,MultiValueMap<String,String>,HttpMethod,URI,Type);;Argument[3];open-url"
       ]
   }
 }

java/ql/test/query-tests/security/CWE-918/JaxWsSSRF.java

@@ -19,7 +19,7 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response)
             throws ServletException, IOException {
         Client client = ClientBuilder.newClient();
         String url = request.getParameter("url");
-        client.target(url);
+        client.target(url); // $ SSRF
     }
 
 }

java/ql/test/query-tests/security/CWE-918/RequestForgery.expected

@@ -19,7 +19,7 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response)
             URI uri = new URI(request.getParameter("uri"));
             // BAD: a request parameter is incorporated without validation into a Http
             // request
-            HttpRequest r = HttpRequest.newBuilder(uri).build();
+            HttpRequest r = HttpRequest.newBuilder(uri).build(); // $ SSRF
             client.send(r, null);
 
             // GOOD: sanitisation by concatenation with a prefix that prevents targeting an arbitrary host.
@@ -73,47 +73,47 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response)
             // BAD: cases where a string that would sanitise is used, but occurs in the wrong
             // place to sanitise user input:
             String unsafeUri3 = request.getParameter("baduri3") + "https://example.com/";
-            HttpRequest unsafer3 = HttpRequest.newBuilder(new URI(unsafeUri3)).build();
+            HttpRequest unsafer3 = HttpRequest.newBuilder(new URI(unsafeUri3)).build();  // $ SSRF
             client.send(unsafer3, null);
 
             String unsafeUri4 = ("someprefix" + request.getParameter("baduri4")) + "https://example.com/";
-            HttpRequest unsafer4 = HttpRequest.newBuilder(new URI(unsafeUri4)).build();
+            HttpRequest unsafer4 = HttpRequest.newBuilder(new URI(unsafeUri4)).build(); // $ SSRF
             client.send(unsafer4, null);
 
             StringBuilder unsafeUri5 = new StringBuilder();
             unsafeUri5.append(request.getParameter("baduri5")).append("https://example.com/");
-            HttpRequest unsafer5 = HttpRequest.newBuilder(new URI(unsafeUri5.toString())).build();
+            HttpRequest unsafer5 = HttpRequest.newBuilder(new URI(unsafeUri5.toString())).build(); // $ SSRF
             client.send(unsafer5, null);
 
             StringBuilder unafeUri5a = new StringBuilder(request.getParameter("uri5a"));
             unafeUri5a.append("https://example.com/");
-            HttpRequest unsafer5a = HttpRequest.newBuilder(new URI(unafeUri5a.toString())).build();
+            HttpRequest unsafer5a = HttpRequest.newBuilder(new URI(unafeUri5a.toString())).build(); // $ SSRF
             client.send(unsafer5a, null);
 
             StringBuilder unsafeUri5b = (new StringBuilder(request.getParameter("uri5b"))).append("dir/");
             unsafeUri5b.append("https://example.com/");
-            HttpRequest unsafer5b = HttpRequest.newBuilder(new URI(unsafeUri5b.toString())).build();
+            HttpRequest unsafer5b = HttpRequest.newBuilder(new URI(unsafeUri5b.toString())).build(); // $ SSRF
             client.send(unsafer5b, null);
 
             StringBuilder unsafeUri5c = (new StringBuilder("https")).append(request.getParameter("uri5c"));
             unsafeUri5c.append("://example.com/dir/");
-            HttpRequest unsafer5c = HttpRequest.newBuilder(new URI(unsafeUri5c.toString())).build();
+            HttpRequest unsafer5c = HttpRequest.newBuilder(new URI(unsafeUri5c.toString())).build(); // $ SSRF
             client.send(unsafer5c, null);
 
             String unsafeUri6 = String.format("%shttps://example.com/", request.getParameter("baduri6"));
-            HttpRequest unsafer6 = HttpRequest.newBuilder(new URI(unsafeUri6)).build();
+            HttpRequest unsafer6 = HttpRequest.newBuilder(new URI(unsafeUri6)).build(); // $ SSRF
             client.send(unsafer6, null);
 
             String unsafeUri7 = String.format("%s/%s", request.getParameter("baduri7"), "https://example.com");
-            HttpRequest unsafer7 = HttpRequest.newBuilder(new URI(unsafeUri7)).build();
+            HttpRequest unsafer7 = HttpRequest.newBuilder(new URI(unsafeUri7)).build(); // $ SSRF
             client.send(unsafer7, null);
 
             String unsafeUri8 = String.format("%s%s", request.getParameter("baduri8"), "https://example.com/");
-            HttpRequest unsafer8 = HttpRequest.newBuilder(new URI(unsafeUri8)).build();
+            HttpRequest unsafer8 = HttpRequest.newBuilder(new URI(unsafeUri8)).build(); // $ SSRF
             client.send(unsafer8, null);
 
             String unsafeUri9 = request.getParameter("baduri9") + "/" + String.format("http://%s", "myserver.com");
-            HttpRequest unsafer9 = HttpRequest.newBuilder(new URI(unsafeUri9)).build();
+            HttpRequest unsafer9 = HttpRequest.newBuilder(new URI(unsafeUri9)).build(); // $ SSRF
             client.send(unsafer9, null);
 
         } catch (Exception e) {

java/ql/test/query-tests/security/CWE-918/RequestForgery.java

@@ -63,47 +63,47 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response)
             // URL(URL context, String spec, URLStreamHandler handler)
             URL url6 = new URL(url3, "spec", new Helper2());
 
-            URLConnection c1 = url1.openConnection();
+            URLConnection c1 = url1.openConnection(); // $ SSRF
             SocketAddress sa = new SocketAddress() {
             };
-            URLConnection c2 = url1.openConnection(new Proxy(Type.HTTP, sa));
-            InputStream c3 = url1.openStream();
+            URLConnection c2 = url1.openConnection(new Proxy(Type.HTTP, sa)); // $ SSRF
+            InputStream c3 = url1.openStream(); // $ SSRF
 
             // java.net.http
             HttpClient client = HttpClient.newHttpClient();
-            HttpRequest request2 = HttpRequest.newBuilder().uri(uri2).build();
-            HttpRequest request3 = HttpRequest.newBuilder(uri).build();
+            HttpRequest request2 = HttpRequest.newBuilder().uri(uri2).build(); // $ SSRF
+            HttpRequest request3 = HttpRequest.newBuilder(uri).build(); // $ SSRF
 
             // Apache HTTPlib
-            HttpGet httpGet = new HttpGet(uri);
+            HttpGet httpGet = new HttpGet(uri); // $ SSRF
             HttpGet httpGet2 = new HttpGet();
-            httpGet2.setURI(uri2);
-
-            new HttpHead(uri);
-            new HttpPost(uri);
-            new HttpPut(uri);
-            new HttpDelete(uri);
-            new HttpOptions(uri);
-            new HttpTrace(uri);
-            new HttpPatch(uri);
-
-            new BasicHttpRequest(new BasicRequestLine("GET", uri2.toString(), null));
-            new BasicHttpRequest("GET", uri2.toString());
-            new BasicHttpRequest("GET", uri2.toString(), null);
-
-            new BasicHttpEntityEnclosingRequest(new BasicRequestLine("GET", uri2.toString(), null));
-            new BasicHttpEntityEnclosingRequest("GET", uri2.toString());
-            new BasicHttpEntityEnclosingRequest("GET", uri2.toString(), null);
-
-            RequestBuilder.get(uri2);
-            RequestBuilder.post(uri2);
-            RequestBuilder.put(uri2);
-            RequestBuilder.delete(uri2);
-            RequestBuilder.options(uri2);
-            RequestBuilder.head(uri2);
-            RequestBuilder.trace(uri2);
-            RequestBuilder.patch(uri2);
-            RequestBuilder.get("").setUri(uri2);
+            httpGet2.setURI(uri2); // $ SSRF
+
+            new HttpHead(uri); // $ SSRF
+            new HttpPost(uri); // $ SSRF
+            new HttpPut(uri); // $ SSRF
+            new HttpDelete(uri); // $ SSRF
+            new HttpOptions(uri); // $ SSRF
+            new HttpTrace(uri); // $ SSRF
+            new HttpPatch(uri); // $ SSRF
+
+            new BasicHttpRequest(new BasicRequestLine("GET", uri2.toString(), null)); // $ SSRF
+            new BasicHttpRequest("GET", uri2.toString()); // $ SSRF
+            new BasicHttpRequest("GET", uri2.toString(), null); // $ SSRF
+
+            new BasicHttpEntityEnclosingRequest(new BasicRequestLine("GET", uri2.toString(), null)); // $ SSRF
+            new BasicHttpEntityEnclosingRequest("GET", uri2.toString()); // $ SSRF
+            new BasicHttpEntityEnclosingRequest("GET", uri2.toString(), null); // $ SSRF
+
+            RequestBuilder.get(uri2); // $ SSRF
+            RequestBuilder.post(uri2); // $ SSRF
+            RequestBuilder.put(uri2); // $ SSRF
+            RequestBuilder.delete(uri2); // $ SSRF
+            RequestBuilder.options(uri2); // $ SSRF
+            RequestBuilder.head(uri2); // $ SSRF
+            RequestBuilder.trace(uri2); // $ SSRF
+            RequestBuilder.patch(uri2); // $ SSRF
+            RequestBuilder.get("").setUri(uri2); // $ SSRF
 
         } catch (Exception e) {
             // TODO: handle exception

java/ql/test/query-tests/security/CWE-918/RequestForgery.qlref

@@ -30,69 +30,69 @@ protected void doGet(HttpServletRequest request2, HttpServletResponse response2)
         try {
         {
             ResponseEntity<String> response =
-                    restTemplate.getForEntity(fooResourceUrl + "/1", String.class);
+                    restTemplate.getForEntity(fooResourceUrl + "/1", String.class); // $ SSRF
         }
 
         {
             ResponseEntity<String> response =
-                    restTemplate.exchange(fooResourceUrl, HttpMethod.POST, request, String.class);
+                    restTemplate.exchange(fooResourceUrl, HttpMethod.POST, request, String.class); // $ SSRF
         }
         {
             ResponseEntity<String> response =
-                    restTemplate.execute(fooResourceUrl, HttpMethod.POST, null, null, "test");
+                    restTemplate.execute(fooResourceUrl, HttpMethod.POST, null, null, "test"); // $ SSRF
         }
         {
             String response =
-                    restTemplate.getForObject(fooResourceUrl, String.class, "test");
+                    restTemplate.getForObject(fooResourceUrl, String.class, "test"); // $ SSRF
         }
         {
             String body = new String("body");
             URI uri = new URI(fooResourceUrl);
             RequestEntity<String> requestEntity =
-                    RequestEntity.post(uri).body(body);
+                    RequestEntity.post(uri).body(body); // $ SSRF
             ResponseEntity<String> response = restTemplate.exchange(requestEntity, String.class);
-            RequestEntity.get(uri);
-            RequestEntity.put(uri);
-            RequestEntity.delete(uri);
-            RequestEntity.options(uri);
-            RequestEntity.patch(uri);
-            RequestEntity.head(uri);
-            RequestEntity.method(null, uri);
+            RequestEntity.get(uri); // $ SSRF
+            RequestEntity.put(uri); // $ SSRF
+            RequestEntity.delete(uri); // $ SSRF
+            RequestEntity.options(uri); // $ SSRF
+            RequestEntity.patch(uri); // $ SSRF
+            RequestEntity.head(uri); // $ SSRF
+            RequestEntity.method(null, uri); // $ SSRF
         }
         {
-            String response = restTemplate.patchForObject(fooResourceUrl, new String("object"),
+            String response = restTemplate.patchForObject(fooResourceUrl, new String("object"), // $ SSRF
                     String.class, "hi");
         }
         {
-            ResponseEntity<String> response = restTemplate.postForEntity(new URI(fooResourceUrl),
+            ResponseEntity<String> response = restTemplate.postForEntity(new URI(fooResourceUrl), // $ SSRF
                     new String("object"), String.class);
         }
         {
-            URI response = restTemplate.postForLocation(fooResourceUrl, new String("object"));
+            URI response = restTemplate.postForLocation(fooResourceUrl, new String("object")); // $ SSRF
         }
         {
             String response =
-                    restTemplate.postForObject(fooResourceUrl, new String("object"), String.class);
+                    restTemplate.postForObject(fooResourceUrl, new String("object"), String.class); // $ SSRF
         }
         {
-            restTemplate.put(fooResourceUrl, new String("object"));
+            restTemplate.put(fooResourceUrl, new String("object")); // $ SSRF
         }
         {
             URI uri = new URI(fooResourceUrl);
             MultiValueMap<String, String> headers = null;
             java.lang.reflect.Type type = null;
-            new RequestEntity<String>(null, uri);
-            new RequestEntity<String>(headers, null, uri);
-            new RequestEntity<String>("body", null, uri);
-            new RequestEntity<String>("body", headers, null, uri);
-            new RequestEntity<String>("body", null, uri, type);
-            new RequestEntity<String>("body", headers, null, uri, type);
+            new RequestEntity<String>(null, uri); // $ SSRF
+            new RequestEntity<String>(headers, null, uri); // $ SSRF
+            new RequestEntity<String>("body", null, uri); // $ SSRF
+            new RequestEntity<String>("body", headers, null, uri); // $ SSRF
+            new RequestEntity<String>("body", null, uri, type); // $ SSRF
+            new RequestEntity<String>("body", headers, null, uri, type); // $ SSRF
         }
         {
             URI uri = new URI(fooResourceUrl);
-            restTemplate.delete(uri);
-            restTemplate.headForHeaders(uri);
-            restTemplate.optionsForAllow(uri);
+            restTemplate.delete(uri); // $ SSRF
+            restTemplate.headForHeaders(uri); // $ SSRF
+            restTemplate.optionsForAllow(uri); // $ SSRF
         }
         } catch (org.springframework.web.client.RestClientException | java.net.URISyntaxException e) {}
     }

java/ql/test/query-tests/security/CWE-918/RequestForgery2.java

@@ -43,7 +43,7 @@
  * @author <a href="mailto:oleg at ural.ru">Oleg Kalnichevski</a>
  *
  * @version $Revision: 618017 $
- * 
+ *
  * @since 4.0
  *
  * @deprecated Please use {@link java.net.URL#openConnection} instead. Please
@@ -54,15 +54,15 @@
 @Deprecated
 public class BasicHttpEntityEnclosingRequest extends BasicHttpRequest implements HttpEntityEnclosingRequest {
     public BasicHttpEntityEnclosingRequest(final String method, final String uri) {
-        super(method, uri);
+        super(null);
     }
 
     public BasicHttpEntityEnclosingRequest(final String method, final String uri, final ProtocolVersion ver) {
-        super(method, uri, ver);
+        super(null);
     }
 
     public BasicHttpEntityEnclosingRequest(final RequestLine requestline) {
-        super(requestline);
+        super(null);
     }
 
     public HttpEntity getEntity() {