Factor request-forgery config so it can be used in an inline-expectations test

Author: smowton

java/ql/src/Security/CWE/CWE-918/RequestForgery.ql

@@ -11,30 +11,9 @@
  */
 
 import java
-import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.security.RequestForgery
+import semmle.code.java.security.RequestForgeryConfig
 import DataFlow::PathGraph
 
-class RequestForgeryConfiguration extends TaintTracking::Configuration {
-  RequestForgeryConfiguration() { this = "Server-Side Request Forgery" }
-
-  override predicate isSource(DataFlow::Node source) {
-    source instanceof RemoteFlowSource and
-    // Exclude results of remote HTTP requests: fetching something else based on that result
-    // is no worse than following a redirect returned by the remote server, and typically
-    // we're requesting a resource via https which we trust to only send us to safe URLs.
-    not source.asExpr().(MethodAccess).getCallee() instanceof URLConnectionGetInputStreamMethod
-  }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof RequestForgerySink }
-
-  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
-    any(RequestForgeryAdditionalTaintStep r).propagatesTaint(pred, succ)
-  }
-
-  override predicate isSanitizer(DataFlow::Node node) { node instanceof RequestForgerySanitizer }
-}
-
 from DataFlow::PathNode source, DataFlow::PathNode sink, RequestForgeryConfiguration conf
 where conf.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "Potential server-side request forgery due to $@.",

java/ql/src/semmle/code/java/security/RequestForgeryConfig.qll

@@ -0,0 +1,29 @@
+/**
+ * Provides a taint-tracking configuration characterising request-forgery risks.
+ */
+
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.security.RequestForgery
+
+/**
+ * A taint-tracking configuration characterising request-forgery risks.
+ */
+class RequestForgeryConfiguration extends TaintTracking::Configuration {
+  RequestForgeryConfiguration() { this = "Server-Side Request Forgery" }
+
+  override predicate isSource(DataFlow::Node source) {
+    source instanceof RemoteFlowSource and
+    // Exclude results of remote HTTP requests: fetching something else based on that result
+    // is no worse than following a redirect returned by the remote server, and typically
+    // we're requesting a resource via https which we trust to only send us to safe URLs.
+    not source.asExpr().(MethodAccess).getCallee() instanceof URLConnectionGetInputStreamMethod
+  }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof RequestForgerySink }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+    any(RequestForgeryAdditionalTaintStep r).propagatesTaint(pred, succ)
+  }
+
+  override predicate isSanitizer(DataFlow::Node node) { node instanceof RequestForgerySanitizer }
+}

java/ql/test/query-tests/security/CWE-918/RequestForgery.ql

@@ -0,0 +1,18 @@
+import java
+import semmle.code.java.security.RequestForgeryConfig
+import TestUtilities.InlineExpectationsTest
+
+class HasFlowTest extends InlineExpectationsTest {
+  HasFlowTest() { this = "HasFlowTest" }
+
+  override string getARelevantTag() { result = "SSRF" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "SSRF" and
+    exists(RequestForgeryConfiguration conf, DataFlow::Node sink | conf.hasFlowTo(sink) |
+      sink.getLocation() = location and
+      element = sink.toString() and
+      value = ""
+    )
+  }
+}