Add missing tests, add additional models revealed missing in the process, and add stubs to support them all.

Author: smowton

java/ql/src/semmle/code/java/frameworks/ApacheHttp.qll

@@ -118,7 +118,9 @@ private class ApacheHttpOpenUrlSink extends SinkModelCsv {
         "org.apache.http.client.methods;RequestBuilder;false;put;;;Argument[0];open-url",
         "org.apache.http.client.methods;RequestBuilder;false;options;;;Argument[0];open-url",
         "org.apache.http.client.methods;RequestBuilder;false;head;;;Argument[0];open-url",
-        "org.apache.http.client.methods;RequestBuilder;false;delete;;;Argument[0];open-url"
+        "org.apache.http.client.methods;RequestBuilder;false;delete;;;Argument[0];open-url",
+        "org.apache.http.client.methods;RequestBuilder;false;trace;;;Argument[0];open-url",
+        "org.apache.http.client.methods;RequestBuilder;false;patch;;;Argument[0];open-url"
       ]
   }
 }

java/ql/src/semmle/code/java/frameworks/spring/SpringWebClient.qll

@@ -33,16 +33,19 @@ private class UrlOpenSink extends SinkModelCsv {
   override predicate row(string row) {
     row =
       [
+        "org.springframework.web.client;RestTemplate;false;delete;;;Argument[0];open-url",
         "org.springframework.web.client;RestTemplate;false;doExecute;;;Argument[0];open-url",
-        "org.springframework.web.client;RestTemplate;false;postForEntity;;;Argument[0];open-url",
-        "org.springframework.web.client;RestTemplate;false;postForLocation;;;Argument[0];open-url",
-        "org.springframework.web.client;RestTemplate;false;postForObject;;;Argument[0];open-url",
-        "org.springframework.web.client;RestTemplate;false;put;;;Argument[0];open-url",
         "org.springframework.web.client;RestTemplate;false;exchange;;;Argument[0];open-url",
         "org.springframework.web.client;RestTemplate;false;execute;;;Argument[0];open-url",
         "org.springframework.web.client;RestTemplate;false;getForEntity;;;Argument[0];open-url",
         "org.springframework.web.client;RestTemplate;false;getForObject;;;Argument[0];open-url",
-        "org.springframework.web.client;RestTemplate;false;patchForObject;;;Argument[0];open-url"
+        "org.springframework.web.client;RestTemplate;false;headForHeaders;;;Argument[0];open-url",
+        "org.springframework.web.client;RestTemplate;false;optionsForAllow;;;Argument[0];open-url",
+        "org.springframework.web.client;RestTemplate;false;patchForObject;;;Argument[0];open-url",
+        "org.springframework.web.client;RestTemplate;false;postForEntity;;;Argument[0];open-url",
+        "org.springframework.web.client;RestTemplate;false;postForLocation;;;Argument[0];open-url",
+        "org.springframework.web.client;RestTemplate;false;postForObject;;;Argument[0];open-url",
+        "org.springframework.web.client;RestTemplate;false;put;;;Argument[0];open-url"
       ]
   }
 }

java/ql/test/query-tests/security/CWE-918/RequestForgery2.java

@@ -7,6 +7,17 @@
 import java.io.InputStream;
 
 import org.apache.http.client.methods.HttpGet;
+import org.apache.http.client.methods.HttpPost;
+import org.apache.http.client.methods.HttpPut;
+import org.apache.http.client.methods.HttpDelete;
+import org.apache.http.client.methods.HttpHead;
+import org.apache.http.client.methods.HttpOptions;
+import org.apache.http.client.methods.HttpTrace;
+import org.apache.http.client.methods.HttpPatch;
+import org.apache.http.client.methods.RequestBuilder;
+import org.apache.http.message.BasicHttpRequest;
+import org.apache.http.message.BasicHttpEntityEnclosingRequest;
+import org.apache.http.message.BasicRequestLine;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
@@ -67,6 +78,33 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response)
             HttpGet httpGet = new HttpGet(uri);
             HttpGet httpGet2 = new HttpGet();
             httpGet2.setURI(uri2);
+
+            new HttpHead(uri);
+            new HttpPost(uri);
+            new HttpPut(uri);
+            new HttpDelete(uri);
+            new HttpOptions(uri);
+            new HttpTrace(uri);
+            new HttpPatch(uri);
+
+            new BasicHttpRequest(new BasicRequestLine("GET", uri2.toString(), null));
+            new BasicHttpRequest("GET", uri2.toString());
+            new BasicHttpRequest("GET", uri2.toString(), null);
+
+            new BasicHttpEntityEnclosingRequest(new BasicRequestLine("GET", uri2.toString(), null));
+            new BasicHttpEntityEnclosingRequest("GET", uri2.toString());
+            new BasicHttpEntityEnclosingRequest("GET", uri2.toString(), null);
+
+            RequestBuilder.get(uri2);
+            RequestBuilder.post(uri2);
+            RequestBuilder.put(uri2);
+            RequestBuilder.delete(uri2);
+            RequestBuilder.options(uri2);
+            RequestBuilder.head(uri2);
+            RequestBuilder.trace(uri2);
+            RequestBuilder.patch(uri2);
+            RequestBuilder.get("").setUri(uri2);
+
         } catch (Exception e) {
             // TODO: handle exception
         }

java/ql/test/query-tests/security/CWE-918/SpringSSRF.java

@@ -1,3 +1,4 @@
+import org.springframework.util.MultiValueMap;
 import org.springframework.web.client.RestTemplate;
 import org.springframework.http.RequestEntity;
 import org.springframework.http.ResponseEntity;
@@ -41,14 +42,22 @@ protected void doGet(HttpServletRequest request2, HttpServletResponse response2)
                     restTemplate.execute(fooResourceUrl, HttpMethod.POST, null, null, "test");
         }
         {
-            ResponseEntity<String> response =
-                    restTemplate.getForEntity(fooResourceUrl, String.class, "test");
+            String response =
+                    restTemplate.getForObject(fooResourceUrl, String.class, "test");
         }
         {
             String body = new String("body");
+            URI uri = new URI(fooResourceUrl);
             RequestEntity<String> requestEntity =
-                    RequestEntity.post(new URI(fooResourceUrl)).body(body);
+                    RequestEntity.post(uri).body(body);
             ResponseEntity<String> response = restTemplate.exchange(requestEntity, String.class);
+            RequestEntity.get(uri);
+            RequestEntity.put(uri);
+            RequestEntity.delete(uri);
+            RequestEntity.options(uri);
+            RequestEntity.patch(uri);
+            RequestEntity.head(uri);
+            RequestEntity.method(null, uri);
         }
         {
             String response = restTemplate.patchForObject(fooResourceUrl, new String("object"),
@@ -68,6 +77,23 @@ protected void doGet(HttpServletRequest request2, HttpServletResponse response2)
         {
             restTemplate.put(fooResourceUrl, new String("object"));
         }
+        {
+            URI uri = new URI(fooResourceUrl);
+            MultiValueMap<String, String> headers = null;
+            java.lang.reflect.Type type = null;
+            new RequestEntity<String>(null, uri);
+            new RequestEntity<String>(headers, null, uri);
+            new RequestEntity<String>("body", null, uri);
+            new RequestEntity<String>("body", headers, null, uri);
+            new RequestEntity<String>("body", null, uri, type);
+            new RequestEntity<String>("body", headers, null, uri, type);
+        }
+        {
+            URI uri = new URI(fooResourceUrl);
+            restTemplate.delete(uri);
+            restTemplate.headForHeaders(uri);
+            restTemplate.optionsForAllow(uri);
+        }
         } catch (org.springframework.web.client.RestClientException | java.net.URISyntaxException e) {}
     }
 }

java/ql/test/stubs/apache-http-4.4.13/org/apache/http/Contract.java

@@ -0,0 +1,45 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+package org.apache.http.annotation;
+
+import java.lang.annotation.Documented;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+/**
+ * This annotation defines behavioral contract enforced at runtime by instances of annotated classes.
+ */
+@Documented
+@Target(ElementType.TYPE)
+@Retention(RetentionPolicy.CLASS)
+public @interface Contract {
+
+    ThreadingBehavior threading() default ThreadingBehavior.UNSAFE;
+
+}