Split and rename JavaNetHttp and ApacheHttp tests for consistency

Author: smowton

java/ql/test/query-tests/security/CWE-918/ApacheHttpSSRF.java

@@ -0,0 +1,64 @@
+import java.io.IOException;
+import java.net.URI;
+
+import org.apache.http.client.methods.HttpGet;
+import org.apache.http.client.methods.HttpPost;
+import org.apache.http.client.methods.HttpPut;
+import org.apache.http.client.methods.HttpDelete;
+import org.apache.http.client.methods.HttpHead;
+import org.apache.http.client.methods.HttpOptions;
+import org.apache.http.client.methods.HttpTrace;
+import org.apache.http.client.methods.HttpPatch;
+import org.apache.http.client.methods.RequestBuilder;
+import org.apache.http.message.BasicHttpRequest;
+import org.apache.http.message.BasicHttpEntityEnclosingRequest;
+import org.apache.http.message.BasicRequestLine;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+public class ApacheHttpSSRF extends HttpServlet {
+
+    protected void doGet(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        try {
+
+            String sink = request.getParameter("uri");
+            URI uri = new URI(sink);
+
+            HttpGet httpGet = new HttpGet(uri); // $ SSRF
+            HttpGet httpGet2 = new HttpGet();
+            httpGet2.setURI(uri); // $ SSRF
+
+            new HttpHead(uri); // $ SSRF
+            new HttpPost(uri); // $ SSRF
+            new HttpPut(uri); // $ SSRF
+            new HttpDelete(uri); // $ SSRF
+            new HttpOptions(uri); // $ SSRF
+            new HttpTrace(uri); // $ SSRF
+            new HttpPatch(uri); // $ SSRF
+
+            new BasicHttpRequest(new BasicRequestLine("GET", uri.toString(), null)); // $ SSRF
+            new BasicHttpRequest("GET", uri.toString()); // $ SSRF
+            new BasicHttpRequest("GET", uri.toString(), null); // $ SSRF
+
+            new BasicHttpEntityEnclosingRequest(new BasicRequestLine("GET", uri.toString(), null)); // $ SSRF
+            new BasicHttpEntityEnclosingRequest("GET", uri.toString()); // $ SSRF
+            new BasicHttpEntityEnclosingRequest("GET", uri.toString(), null); // $ SSRF
+
+            RequestBuilder.get(uri); // $ SSRF
+            RequestBuilder.post(uri); // $ SSRF
+            RequestBuilder.put(uri); // $ SSRF
+            RequestBuilder.delete(uri); // $ SSRF
+            RequestBuilder.options(uri); // $ SSRF
+            RequestBuilder.head(uri); // $ SSRF
+            RequestBuilder.trace(uri); // $ SSRF
+            RequestBuilder.patch(uri); // $ SSRF
+            RequestBuilder.get("").setUri(uri); // $ SSRF
+
+        } catch (Exception e) {
+            // TODO: handle exception
+        }
+    }
+}

java/ql/test/query-tests/security/CWE-918/JavaNetHttpSSRF.java

@@ -0,0 +1,45 @@
+import java.io.IOException;
+import java.net.Proxy;
+import java.net.SocketAddress;
+import java.net.URI;
+import java.net.URL;
+import java.net.URLConnection;
+import java.net.http.HttpClient;
+import java.net.http.HttpRequest;
+import java.net.Proxy.Type;
+import java.io.InputStream;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+public class JavaNetHttpSSRF extends HttpServlet {
+    private static final String VALID_URI = "http://lgtm.com";
+    private HttpClient client = HttpClient.newHttpClient();
+
+    protected void doGet(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        try {
+
+            String sink = request.getParameter("uri");
+            URI uri = new URI(sink);
+            URI uri2 = new URI("http", sink, "fragement");
+            URL url1 = new URL(sink);
+
+            URLConnection c1 = url1.openConnection(); // $ SSRF
+            SocketAddress sa = new SocketAddress() {
+            };
+            URLConnection c2 = url1.openConnection(new Proxy(Type.HTTP, sa)); // $ SSRF
+            InputStream c3 = url1.openStream(); // $ SSRF
+
+            // java.net.http
+            HttpClient client = HttpClient.newHttpClient();
+            HttpRequest request2 = HttpRequest.newBuilder().uri(uri2).build(); // $ SSRF
+            HttpRequest request3 = HttpRequest.newBuilder(uri).build(); // $ SSRF
+
+        } catch (Exception e) {
+            // TODO: handle exception
+        }
+    }
+}