include suggestions from review.

Porcupiney Hairs · Porcupiney Hairs · commit 2525cfd786b9 · 2020-11-13T00:28:06.000+05:30
diff --git a/java/ql/src/experimental/CWE-918/RequestForgery.qll b/java/ql/src/experimental/CWE-918/RequestForgery.qll
@@ -1,7 +1,5 @@
 import java
 import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.frameworks.javase.URI
-import semmle.code.java.frameworks.javase.URL
 import semmle.code.java.frameworks.javase.Http
 import semmle.code.java.dataflow.DataFlow
 
diff --git a/java/ql/src/experimental/CWE-918/RequestForgeryCustomizations.qll b/java/ql/src/experimental/CWE-918/RequestForgeryCustomizations.qll
@@ -2,8 +2,8 @@
 
 import java
 import semmle.code.java.frameworks.Networking
-import semmle.code.java.frameworks.javase.URI
-import semmle.code.java.frameworks.javase.URL
+import semmle.code.java.frameworks.ApacheHttp
+import semmle.code.java.frameworks.spring.Spring
 import semmle.code.java.frameworks.JaxWS
 import semmle.code.java.frameworks.javase.Http
 import semmle.code.java.dataflow.DataFlow
@@ -34,8 +34,8 @@ module RequestForgery {
    */
   private class ApacheSetUri extends Sink {
     ApacheSetUri() {
-      exists(MethodAccess ma |
-        ma.getReceiverType() instanceof TypeApacheHttpRequest and
+      exists(MethodAccess ma, TypeApacheHttpRequestBase t |
+        ma.getReceiverType().extendsOrImplements(t) and
         ma.getMethod().hasName("setURI")
       |
         this.asExpr() = ma.getArgument(0)
@@ -49,7 +49,9 @@ module RequestForgery {
    */
   private class ApacheHttpRequestInstantiation extends Sink {
     ApacheHttpRequestInstantiation() {
-      exists(ClassInstanceExpr c | c.getConstructedType() instanceof TypeApacheHttpRequest |
+      exists(ClassInstanceExpr c, TypeApacheHttpRequestBase t |
+        c.getConstructedType().extendsOrImplements(t)
+      |
         this.asExpr() = c.getArgument(0)
       )
     }
@@ -115,8 +117,7 @@ module RequestForgery {
    */
   private class JaxRsClientTarget extends Sink {
     JaxRsClientTarget() {
-      exists(MethodAccess ma, JaxRsClient t |
-        // ma.getMethod().getDeclaringType().getQualifiedName() ="javax.ws.rs.client.Client" and
+      exists(MethodAccess ma |
         ma.getMethod().getDeclaringType() instanceof JaxRsClient and
         ma.getMethod().hasName("target")
       |
@@ -131,7 +132,12 @@ module RequestForgery {
    */
   private class RequestEntityUriArg extends Sink {
     RequestEntityUriArg() {
-      exists(SpringRequestEntityInstanceExpr e | e.getUriArg() = this.asExpr())
+      exists(ClassInstanceExpr e, Argument a |
+        e.getConstructedType() instanceof SpringRequestEntity and
+        e.getAnArgument() = a and
+        a.getType() instanceof TypeUri and
+        this.asExpr() = a
+      )
     }
   }
 }
diff --git a/java/ql/src/semmle/code/java/frameworks/ApacheHttp.qll b/java/ql/src/semmle/code/java/frameworks/ApacheHttp.qll
@@ -27,15 +27,6 @@ class TypeApacheHttpRequestBase extends RefType {
   }
 }
 
-/*
- * Any class which can be used to make an HTTP request using the Apache Http Client library
- * Examples include `HttpGet`,`HttpPost` etc.
- */
-
-class TypeApacheHttpRequest extends Class {
-  TypeApacheHttpRequest() { exists(TypeApacheHttpRequestBase t | this.extendsOrImplements(t)) }
-}
-
 /* A class representing the `RequestBuilder` class of the Apache Http Client library */
 class TypeApacheHttpRequestBuilder extends Class {
   TypeApacheHttpRequestBuilder() {
diff --git a/java/ql/src/semmle/code/java/frameworks/JaxWS.qll b/java/ql/src/semmle/code/java/frameworks/JaxWS.qll
@@ -171,7 +171,7 @@ class JaxRsResponseBuilder extends Class {
 }
 
 /**
- * The class `javax.ws.rs.client.Client`
+ * The class `javax.ws.rs.client.Client`.
  */
 class JaxRsClient extends RefType {
   JaxRsClient() { this.hasQualifiedName("javax.ws.rs.client", "Client") }
diff --git a/java/ql/src/semmle/code/java/frameworks/Networking.qll b/java/ql/src/semmle/code/java/frameworks/Networking.qll
@@ -4,6 +4,7 @@
 
 import semmle.code.java.Type
 
+// import semmle.code.java.dataflow.FlowSources
 /** The type `java.net.URLConnection`. */
 class TypeUrlConnection extends RefType {
   TypeUrlConnection() { hasQualifiedName("java.net", "URLConnection") }
@@ -41,3 +42,88 @@ class SocketGetInputStreamMethod extends Method {
     hasNoParameters()
   }
 }
+
+/** Any expresion or call which returns a new URI. */
+abstract class UriCreation extends Top {
+  /**
+   * Returns the host of the newly created URI.
+   *  In the case where the host is specified separately, this returns only the host.
+   *  In the case where the uri is parsed from an input string,
+   *  such as in `URI(`http://foo.com/mypath')`,
+   *  this returns the entire argument passed i.e. `http://foo.com/mypath'.
+   */
+  abstract Expr hostArg();
+}
+
+/** An URI constructor expression */
+class UriConstructor extends ClassInstanceExpr, UriCreation {
+  UriConstructor() { this.getConstructor().getDeclaringType().getQualifiedName() = "java.net.URI" }
+
+  override Expr hostArg() {
+    // URI​(String str)
+    result = this.getArgument(0) and this.getNumArgument() = 1
+    or
+    // URI(String scheme, String ssp, String fragment)
+    // URI​(String scheme, String host, String path, String fragment)
+    // URI​(String scheme, String authority, String path, String query, String fragment)
+    result = this.getArgument(1) and this.getNumArgument() = [3, 4, 5]
+    or
+    // URI​(String scheme, String userInfo, String host, int port, String path, String query,
+    //    String fragment)
+    result = this.getArgument(2) and this.getNumArgument() = 7
+  }
+}
+
+class UriCreate extends Call, UriCreation {
+  UriCreate() {
+    this.getCallee().getName() = "create" and
+    this.getCallee().getDeclaringType() instanceof TypeUri
+  }
+
+  override Expr hostArg() { result = this.getArgument(0) }
+}
+
+/* An URL constructor expression */
+class UrlConstructor extends ClassInstanceExpr {
+  UrlConstructor() { this.getConstructor().getDeclaringType().getQualifiedName() = "java.net.URL" }
+
+  Expr hostArg() {
+    // URL(String spec)
+    this.getNumArgument() = 1 and result = this.getArgument(0)
+    or
+    // URL(String protocol, String host, int port, String file)
+    // URL(String protocol, String host, int port, String file, URLStreamHandler handler)
+    this.getNumArgument() = [4, 5] and result = this.getArgument(1)
+    or
+    // URL(String protocol, String host, String file)
+    // but not
+    // URL(URL context, String spec, URLStreamHandler handler)
+    (
+      this.getNumArgument() = 3 and
+      this.getConstructor().getParameter(2).getType() instanceof TypeString
+    ) and
+    result = this.getArgument(1)
+  }
+
+  Expr protocolArg() {
+    // In all cases except where the first parameter is a URL, the argument
+    // containing the protocol is the first one, otherwise it is the second.
+    if this.getConstructor().getParameter(0).getType().getName() = "URL"
+    then result = this.getArgument(1)
+    else result = this.getArgument(0)
+  }
+}
+
+class UrlOpenStreamMethod extends Method {
+  UrlOpenStreamMethod() {
+    this.getDeclaringType() instanceof TypeUrl and
+    this.getName() = "openStream"
+  }
+}
+
+class UrlOpenConnectionMethod extends Method {
+  UrlOpenConnectionMethod() {
+    this.getDeclaringType() instanceof TypeUrl and
+    this.getName() = "openConnection"
+  }
+}
diff --git a/java/ql/src/semmle/code/java/frameworks/javase/Http.qll b/java/ql/src/semmle/code/java/frameworks/javase/Http.qll
@@ -1,7 +1,10 @@
+/**
+ * Provides classes for identifying methods called by the Java net Http package.
+ */
+
 import java
-import semmle.code.java.dataflow.FlowSources
 
-/** A class representing `HttpRequest.Builder`. */
+/** The interface representing `HttpRequest.Builder`. */
 class TypeHttpRequestBuilder extends Interface {
   TypeHttpRequestBuilder() { hasQualifiedName("java.net.http", "HttpRequest$Builder") }
 }
@@ -11,7 +14,7 @@ class TypeHttpRequest extends Interface {
   TypeHttpRequest() { hasQualifiedName("java.net.http", "HttpRequest") }
 }
 
-/** A class representing `java.net.http.HttpRequest$Builder`'s `uri` method. */
+/** The `uri` method on `java.net.http.HttpRequest.Builder`. */
 class HttpBuilderUri extends Method {
   HttpBuilderUri() {
     this.getDeclaringType() instanceof TypeHttpRequestBuilder and
diff --git a/java/ql/src/semmle/code/java/frameworks/javase/URI.qll b/java/ql/src/semmle/code/java/frameworks/javase/URI.qll
diff --git a/java/ql/src/semmle/code/java/frameworks/javase/URL.qll b/java/ql/src/semmle/code/java/frameworks/javase/URL.qll
diff --git a/java/ql/src/semmle/code/java/frameworks/spring/SpringHttp.qll b/java/ql/src/semmle/code/java/frameworks/spring/SpringHttp.qll
@@ -39,17 +39,3 @@ class SpringResponseEntityBodyBuilder extends Interface {
 class SpringHttpHeaders extends Class {
   SpringHttpHeaders() { this.hasQualifiedName("org.springframework.http", "HttpHeaders") }
 }
-
-/** Models `org.springframework.http.RequestEntity`s instantiation expressions. */
-class SpringRequestEntityInstanceExpr extends ClassInstanceExpr {
-  int numArgs;
-
-  SpringRequestEntityInstanceExpr() {
-    this.getConstructedType() instanceof SpringRequestEntity and
-    numArgs = this.getNumArgument()
-  }
-
-  Argument getUriArg() {
-    exists(Argument a | this.getAnArgument() = a and a.getType() instanceof TypeUri | result = a)
-  }
-}
diff --git a/java/ql/src/semmle/code/java/frameworks/spring/SpringWebClient.qll b/java/ql/src/semmle/code/java/frameworks/spring/SpringWebClient.qll
@@ -33,7 +33,10 @@ class SpringWebClient extends Interface {
  * which take an URL as an argument.
  */
 abstract class SpringRestTemplateUrlMethods extends Method {
-  /** Gets the argument which corresponds to a URL */
+  /**
+   * Gets the argument which corresponds to a URL argument
+   * passed as a `java.net.URL` object or as a string or the like
+   */
   abstract Argument getUrlArgument(MethodAccess ma);
 }
 
diff --git a/java/ql/test/experimental/query-tests/security/CWE-918/JaxWsSSRF.java b/java/ql/test/experimental/query-tests/security/CWE-918/JaxWsSSRF.java
@@ -1,11 +1,25 @@
 import javax.ws.rs.client.*;
+import java.io.IOException;
+import java.net.URI;
+import java.net.*;
+import java.net.http.HttpClient;
+import java.net.http.HttpRequest;
+import java.net.Proxy.Type;
+import java.io.InputStream;
 
-public class JaxWsSSRF {
-    public static void main(String[] args) {
+import org.apache.http.client.methods.HttpGet;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+public class JaxWsSSRF extends HttpServlet {
+
+    protected void doGet(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
         Client client = ClientBuilder.newClient();
-        String url = args[1];
+        String url = request.getParameter("url");
         client.target(url);
     }
-}
-
 
+}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-918/RequestForgery.expected b/java/ql/test/experimental/query-tests/security/CWE-918/RequestForgery.expected
diff --git a/java/ql/test/experimental/query-tests/security/CWE-918/SpringSSRF.java b/java/ql/test/experimental/query-tests/security/CWE-918/SpringSSRF.java

Original file line number	Diff line number	Diff line change
`@@ -171,7 +171,7 @@ class JaxRsResponseBuilder extends Class {`
`171`	`171`	`}`
`172`	`172`
`173`	`173`	`/**`
`174`		- * The class `javax.ws.rs.client.Client`
	`174`	+ * The class `javax.ws.rs.client.Client`.
`175`	`175`	`*/`
`176`	`176`	`class JaxRsClient extends RefType {`
`177`	`177`	`JaxRsClient() { this.hasQualifiedName("javax.ws.rs.client", "Client") }`