add request forgery query

Author: Porcupiney Hairs

java/ql/src/Security/CWE/CWE-319/HttpsUrls.ql

@@ -11,6 +11,7 @@
 
 import java
 import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.frameworks.javase.URL
 import DataFlow::PathGraph
 
 class HTTPString extends StringLiteral {
@@ -29,18 +30,6 @@ class HTTPString extends StringLiteral {
   }
 }
 
-class URLConstructor extends ClassInstanceExpr {
-  URLConstructor() { this.getConstructor().getDeclaringType().getQualifiedName() = "java.net.URL" }
-
-  Expr protocolArg() {
-    // In all cases except where the first parameter is a URL, the argument
-    // containing the protocol is the first one, otherwise it is the second.
-    if this.getConstructor().getParameter(0).getType().getName() = "URL"
-    then result = this.getArgument(1)
-    else result = this.getArgument(0)
-  }
-}
-
 class URLOpenMethod extends Method {
   URLOpenMethod() {
     this.getDeclaringType().getQualifiedName() = "java.net.URL" and

java/ql/src/experimental/CWE-918/RequestForgery.java

@@ -0,0 +1,20 @@
+import java.net.http.HttpClient;
+
+public class SSRF extends HttpServlet {
+	private static final String VALID_URI = "http://lgtm.com";
+	private HttpClient client = HttpClient.newHttpClient();
+
+	protected void doGet(HttpServletRequest request, HttpServletResponse response)
+		throws ServletException, IOException {
+		URI uri = new URI(request.getParameter("uri"));
+		// BAD: a request parameter is incorporated without validation into a Http request
+		HttpRequest r = HttpRequest.newBuilder(uri).build();
+		client.send(r, null);
+
+		// GOOD: the request parameter is validated against a known fixed string
+		if (VALID_URI.equals(request.getParameter("uri"))) {
+			HttpRequest r2 = HttpRequest.newBuilder(uri).build();
+			client.send(r2, null);
+		}
+	}
+}

java/ql/src/experimental/CWE-918/RequestForgery.qhelp

@@ -0,0 +1,37 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+
+<overview>
+<p>Directly incorporating user input into a HTTP request without validating the input
+can facilitate Server Side Request Forgery (SSRF) attacks. In these attacks, the server
+may be tricked into making a request and interacting with an attacker-controlled server. 
+</p>
+
+</overview>
+<recommendation>
+
+<p>To guard against SSRF attacks, it is advisable to avoid putting user input
+directly into the request URL. Instead, maintain a list of authorized
+URLs on the server; then choose from that list based on the user input provided.</p>
+
+</recommendation>
+<example>
+
+<p>The following example shows an HTTP request parameter being used directly in a forming a
+new request without validating the input, which facilitates SSRF attacks.
+It also shows how to remedy the problem by validating the user input against a known fixed string.
+</p>
+
+<sample src="RequestForgery.java" />
+
+</example>
+<references>
+  <li>
+    <a href="https://owasp.org/www-community/attacks/Server_Side_Request_Forgery">OWASP SSRF</a>
+  </li>
+
+</references>
+</qhelp>

java/ql/src/experimental/CWE-918/RequestForgery.ql

@@ -0,0 +1,21 @@
+/**
+ * @name Server Sider Request Forgery (SSRF) from remote source
+ * @description Making web requests based on unvalidated user-input
+ *              may cause server to communicate with malicious servers.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @id java/ssrf
+ * @tags security
+ *       external/cwe/cwe-918
+ */
+
+import java
+import semmle.code.java.dataflow.FlowSources
+import RequestForgery::RequestForgery
+import DataFlow::PathGraph
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, RequestForgeryRemoteConfiguration conf
+where conf.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "Potential server side request forgery due to $@.",
+  source.getNode(), "a user-provided value"

java/ql/src/experimental/CWE-918/RequestForgery.qll

@@ -0,0 +1,57 @@
+import java
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.frameworks.javase.URI
+import semmle.code.java.frameworks.javase.URL
+import semmle.code.java.frameworks.javase.Http
+import semmle.code.java.dataflow.DataFlow
+
+module RequestForgery {
+  import RequestForgeryCustomizations::RequestForgery
+
+  /**
+   * A taint-tracking configuration for reasoning about request forgery.
+   */
+  class RequestForgeryRemoteConfiguration extends TaintTracking::Configuration {
+    RequestForgeryRemoteConfiguration() { this = "Server Side Request Forgery" }
+
+    override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+    override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+      additionalStep(pred, succ)
+    }
+  }
+}
+
+predicate additionalStep(DataFlow::Node pred, DataFlow::Node succ) {
+  // propagate to a URI when its host is assigned to
+  exists(UriConstructor c | c.hostArg() = pred.asExpr() | succ.asExpr() = c)
+  or
+  // propagate to a URL when its host is assigned to
+  exists(UrlConstructor c | c.hostArg() = pred.asExpr() | succ.asExpr() = c)
+  or
+  // propagate to a RequestEntity when its url is assigned to
+  exists(MethodAccess m |
+    m.getMethod().getDeclaringType() instanceof SpringRequestEntity and
+    (
+      m.getMethod().hasName(["get", "post", "head", "delete", "options", "patch", "put"]) and
+      m.getArgument(0) = pred.asExpr() and
+      m = succ.asExpr()
+    )
+    or
+    m.getMethod().hasName("method") and
+    m.getArgument(1) = pred.asExpr() and
+    m = succ.asExpr()
+  )
+  or
+  // propagate from a `RequestEntity<>$BodyBuilder` to a `RequestEntity`
+  // when the builder is tainted
+  exists(MethodAccess m, RefType t |
+    m.getMethod().getDeclaringType() = t and
+    t.hasQualifiedName("org.springframework.http", "RequestEntity<>$BodyBuilder") and
+    m.getMethod().hasName("body") and
+    m.getQualifier() = pred.asExpr() and
+    m = succ.asExpr()
+  )
+}

java/ql/src/experimental/CWE-918/RequestForgeryCustomizations.qll

@@ -0,0 +1,137 @@
+/** A module to reason about request forgery vulnerabilities. */
+
+import java
+import semmle.code.java.frameworks.Networking
+import semmle.code.java.frameworks.javase.URI
+import semmle.code.java.frameworks.javase.URL
+import semmle.code.java.frameworks.JaxWS
+import semmle.code.java.frameworks.javase.Http
+import semmle.code.java.dataflow.DataFlow
+
+/** A module to reason about request forgery vulnerabilities. */
+module RequestForgery {
+  /** A data flow sink for request forgery vulnerabilities. */
+  abstract class Sink extends DataFlow::Node { }
+
+  /**
+   * An argument to an url `openConnection` or `openStream` call
+   *  taken as a sink for request forgery vulnerabilities.
+   */
+  private class UrlOpen extends Sink {
+    UrlOpen() {
+      exists(MethodAccess ma |
+        ma.getMethod() instanceof UrlOpenConnectionMethod or
+        ma.getMethod() instanceof UrlOpenStreamMethod
+      |
+        this.asExpr() = ma.getQualifier()
+      )
+    }
+  }
+
+  /**
+   * An argument to an Apache `setURI` call taken as a
+   *   sink for request forgery vulnerabilities.
+   */
+  private class ApacheSetUri extends Sink {
+    ApacheSetUri() {
+      exists(MethodAccess ma |
+        ma.getReceiverType() instanceof TypeApacheHttpRequest and
+        ma.getMethod().hasName("setURI")
+      |
+        this.asExpr() = ma.getArgument(0)
+      )
+    }
+  }
+
+  /**
+   * An argument to any Apache Request Instantiation call taken as a
+   *   sink for request forgery vulnerabilities.
+   */
+  private class ApacheHttpRequestInstantiation extends Sink {
+    ApacheHttpRequestInstantiation() {
+      exists(ClassInstanceExpr c | c.getConstructedType() instanceof TypeApacheHttpRequest |
+        this.asExpr() = c.getArgument(0)
+      )
+    }
+  }
+
+  /**
+   * An argument to a Apache RequestBuilder method call taken as a
+   *   sink for request forgery vulnerabilities.
+   */
+  private class ApacheHttpRequestBuilderArgument extends Sink {
+    ApacheHttpRequestBuilderArgument() {
+      exists(MethodAccess ma |
+        ma.getReceiverType() instanceof TypeApacheHttpRequestBuilder and
+        ma.getMethod().hasName(["setURI", "get", "post", "put", "optons", "head", "delete"])
+      |
+        this.asExpr() = ma.getArgument(0)
+      )
+    }
+  }
+
+  /**
+   * An argument to any Java.net.http.request Instantiation call taken as a
+   *   sink for request forgery vulnerabilities.
+   */
+  private class HttpRequestNewBuilder extends Sink {
+    HttpRequestNewBuilder() {
+      exists(MethodAccess call |
+        call.getCallee().hasName("newBuilder") and
+        call.getMethod().getDeclaringType().getName() = "HttpRequest"
+      |
+        this.asExpr() = call.getArgument(0)
+      )
+    }
+  }
+
+  /**
+   * An argument to an Http Builder `uri` call taken as a
+   *   sink for request forgery vulnerabilities.
+   */
+  private class HttpBuilderUriArgument extends Sink {
+    HttpBuilderUriArgument() {
+      exists(MethodAccess ma | ma.getMethod() instanceof HttpBuilderUri |
+        this.asExpr() = ma.getArgument(0)
+      )
+    }
+  }
+
+  /**
+   * An argument to a Spring Rest Template method call taken as a
+   *   sink for request forgery vulnerabilities.
+   */
+  private class SpringRestTemplateArgument extends Sink {
+    SpringRestTemplateArgument() {
+      exists(MethodAccess ma |
+        this.asExpr() = ma.getMethod().(SpringRestTemplateUrlMethods).getUrlArgument(ma)
+      )
+    }
+  }
+
+  /**
+   * An argument to `javax.ws.rs.Client`s `target` method call taken as a
+   *   sink for request forgery vulnerabilities.
+   */
+  private class JaxRsClientTarget extends Sink {
+    JaxRsClientTarget() {
+      exists(MethodAccess ma, JaxRsClient t |
+        // ma.getMethod().getDeclaringType().getQualifiedName() ="javax.ws.rs.client.Client" and
+        ma.getMethod().getDeclaringType() instanceof JaxRsClient and
+        ma.getMethod().hasName("target")
+      |
+        this.asExpr() = ma.getArgument(0)
+      )
+    }
+  }
+
+  /**
+   * A URI argument to `org.springframework.http.RequestEntity`s constructor call
+   *   taken as a sink for request forgery vulnerabilities.
+   */
+  private class RequestEntityUriArg extends Sink {
+    RequestEntityUriArg() {
+      exists(SpringRequestEntityInstanceExpr e | e.getUriArg() = this.asExpr())
+    }
+  }
+}

java/ql/src/experimental/Security/CWE/CWE-522/InsecureBasicAuth.ql

@@ -10,6 +10,7 @@
 
 import java
 import semmle.code.java.frameworks.Networking
+import semmle.code.java.frameworks.ApacheHttp
 import semmle.code.java.dataflow.TaintTracking
 import DataFlow::PathGraph
 
@@ -21,19 +22,6 @@ private string getPrivateHostRegex() {
     "(?i)localhost(?:[:/?#].*)?|127\\.0\\.0\\.1(?:[:/?#].*)?|10(?:\\.[0-9]+){3}(?:[:/?#].*)?|172\\.16(?:\\.[0-9]+){2}(?:[:/?#].*)?|192.168(?:\\.[0-9]+){2}(?:[:/?#].*)?|\\[?0:0:0:0:0:0:0:1\\]?(?:[:/?#].*)?|\\[?::1\\]?(?:[:/?#].*)?"
 }
 
-/**
- * The Java class `org.apache.http.client.methods.HttpRequestBase`. Popular subclasses include `HttpGet`, `HttpPost`, and `HttpPut`.
- * And the Java class `org.apache.http.message.BasicHttpRequest`.
- */
-class ApacheHttpRequest extends RefType {
-  ApacheHttpRequest() {
-    this
-        .getASourceSupertype*()
-        .hasQualifiedName("org.apache.http.client.methods", "HttpRequestBase") or
-    this.getASourceSupertype*().hasQualifiedName("org.apache.http.message", "BasicHttpRequest")
-  }
-}
-
 /**
  * Class of Java URL constructor.
  */
@@ -167,7 +155,7 @@ class HttpURLOpenMethod extends Method {
 /** Constructor of `ApacheHttpRequest` */
 predicate apacheHttpRequest(DataFlow::Node node1, DataFlow::Node node2) {
   exists(ConstructorCall cc |
-    cc.getConstructedType() instanceof ApacheHttpRequest and
+    cc.getConstructedType() instanceof TypeApacheHttpRequestBase and
     node2.asExpr() = cc and
     cc.getAnArgument() = node1.asExpr()
   )

java/ql/src/semmle/code/java/frameworks/ApacheHttp.qll

@@ -13,3 +13,32 @@ class ApacheHttpEntityGetContent extends Method {
     this.getName() = "getContent"
   }
 }
+
+/**
+ *  A class derived from the `HttpRequestBase` or the `BasicHttpRequest`
+ *  class of the Apache Http Client `org.apache.http` library
+ */
+class TypeApacheHttpRequestBase extends RefType {
+  TypeApacheHttpRequestBase() {
+    this
+        .getASourceSupertype*()
+        .hasQualifiedName("org.apache.http.client.methods", "HttpRequestBase") or
+    this.getASourceSupertype*().hasQualifiedName("org.apache.http.message", "BasicHttpRequest")
+  }
+}
+
+/*
+ * Any class which can be used to make an HTTP request using the Apache Http Client library
+ * Examples include `HttpGet`,`HttpPost` etc.
+ */
+
+class TypeApacheHttpRequest extends Class {
+  TypeApacheHttpRequest() { exists(TypeApacheHttpRequestBase t | this.extendsOrImplements(t)) }
+}
+
+/* A class representing the `RequestBuilder` class of the Apache Http Client library */
+class TypeApacheHttpRequestBuilder extends Class {
+  TypeApacheHttpRequestBuilder() {
+    hasQualifiedName("org.apache.http.client.methods", "RequestBuilder")
+  }
+}

java/ql/src/semmle/code/java/frameworks/JaxWS.qll

@@ -170,6 +170,13 @@ class JaxRsResponseBuilder extends Class {
   JaxRsResponseBuilder() { this.hasQualifiedName("javax.ws.rs.core", "ResponseBuilder") }
 }
 
+/**
+ * The class `javax.ws.rs.client.Client`
+ */
+class JaxRsClient extends RefType {
+  JaxRsClient() { this.hasQualifiedName("javax.ws.rs.client", "Client") }
+}
+
 /**
  * A constructor that may be called by a JaxRS container to construct an instance to inject into a
  * resource method or resource class constructor.