diff --git a/java/ql/lib/ext/org.apache.http.client.model.yml b/java/ql/lib/ext/org.apache.http.client.model.yml index 681efdf32e7c..caba9bd718b2 100644 --- a/java/ql/lib/ext/org.apache.http.client.model.yml +++ b/java/ql/lib/ext/org.apache.http.client.model.yml @@ -3,6 +3,11 @@ extensions: pack: codeql/java-all extensible: sinkModel data: + - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpHost,HttpRequest)", "", "Argument[0]", "request-forgery", "ai-manual"] + - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpHost,HttpRequest,HttpContext)", "", "Argument[0]", "request-forgery", "ai-manual"] + - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpHost,HttpRequest,ResponseHandler)", "", "Argument[0]", "request-forgery", "ai-manual"] + - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpHost,HttpRequest,ResponseHandler,HttpContext)", "", "Argument[0]", "request-forgery", "ai-manual"] + - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpUriRequest)", "", "Argument[0]", "request-forgery", "ai-manual"] - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpUriRequest,HttpContext)", "", "Argument[0]", "request-forgery", "ai-manual"] + - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpUriRequest,ResponseHandler)", "", "Argument[0]", "request-forgery", "ai-manual"] - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpUriRequest,ResponseHandler,HttpContext)", "", "Argument[0]", "request-forgery", "ai-manual"] - - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpUriRequest)", "", "Argument[0]", "request-forgery", "ai-manual"] diff --git a/java/ql/test/query-tests/security/CWE-918/ApacheHttpClientExecuteSSRF.java b/java/ql/test/query-tests/security/CWE-918/ApacheHttpClientExecuteSSRF.java new file mode 100644 index 000000000000..05d38b2b5dd1 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-918/ApacheHttpClientExecuteSSRF.java @@ -0,0 +1,43 @@ +import java.io.IOException; + +import org.apache.http.HttpHost; +import org.apache.http.HttpRequest; +import org.apache.http.client.HttpClient; +import org.apache.http.client.ResponseHandler; +import org.apache.http.client.methods.HttpUriRequest; +import org.apache.http.message.BasicHttpRequest; +import org.apache.http.protocol.HttpContext; +import javax.servlet.ServletException; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +public class ApacheHttpClientExecuteSSRF extends HttpServlet { + + protected void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + try { + + String sink = request.getParameter("host"); // $ Source + + HttpHost host = new HttpHost(sink); + HttpRequest req = new BasicHttpRequest("GET", "/"); + HttpUriRequest uriReq = (HttpUriRequest) (Object) sink; + HttpContext context = null; + HttpClient client = null; + ResponseHandler handler = null; + + client.execute(host, req); // $ Alert + client.execute(host, req, context); // $ Alert + client.execute(host, req, handler); // $ Alert + client.execute(host, req, handler, context); // $ Alert + client.execute(uriReq); // $ Alert + client.execute(uriReq, context); // $ Alert + client.execute(uriReq, handler); // $ Alert + client.execute(uriReq, handler, context); // $ Alert + + } catch (Exception e) { + // TODO: handle exception + } + } +} diff --git a/java/ql/test/query-tests/security/CWE-918/options b/java/ql/test/query-tests/security/CWE-918/options index 6b6efaeca544..a5b2bf58d434 100644 --- a/java/ql/test/query-tests/security/CWE-918/options +++ b/java/ql/test/query-tests/security/CWE-918/options @@ -1 +1 @@ -//semmle-extractor-options: --javac-args -source 11 -target 11 -cp ${testdir}/../../../stubs/javax-validation-constraints:${testdir}/../../../stubs/springframework-5.8.x:${testdir}/../../../stubs/javax-ws-rs-api-2.1.1:${testdir}/../../../stubs/javax-ws-rs-api-3.0.0:${testdir}/../../../stubs/apache-http-4.4.13/:${testdir}/../../../stubs/projectreactor-3.4.3/:${testdir}/../../../stubs/postgresql-42.3.3/:${testdir}/../../../stubs/HikariCP-3.4.5/:${testdir}/../../../stubs/spring-jdbc-5.3.8/:${testdir}/../../../stubs/jdbi3-core-3.27.2/:${testdir}/../../../stubs/cargo:${testdir}/../../../stubs/javafx-web:${testdir}/../../../stubs/apache-commons-jelly-1.0.1:${testdir}/../../../stubs/dom4j-2.1.1:${testdir}/../../../stubs/jaxen-1.2.0:${testdir}/../../../stubs/stapler-1.263:${testdir}/../../../stubs/javax-servlet-2.5:${testdir}/../../../stubs/apache-commons-fileupload-1.4:${testdir}/../../../stubs/saxon-xqj-9.x:${testdir}/../../../stubs/apache-commons-beanutils:${testdir}/../../../stubs/apache-commons-lang:${testdir}/../../../stubs/apache-http-5:${testdir}/../../../stubs/playframework-2.6.x:${testdir}/../../../stubs/jaxws-api-2.0:${testdir}/../../../stubs/apache-cxf +//semmle-extractor-options: --javac-args -source 11 -target 11 -cp ${testdir}/../../../stubs/javax-validation-constraints:${testdir}/../../../stubs/springframework-5.8.x:${testdir}/../../../stubs/javax-ws-rs-api-2.1.1:${testdir}/../../../stubs/javax-ws-rs-api-3.0.0:${testdir}/../../../stubs/apache-http-4.4.13/:${testdir}/../../../stubs/apache-http-client-4.4.13:${testdir}/../../../stubs/projectreactor-3.4.3/:${testdir}/../../../stubs/postgresql-42.3.3/:${testdir}/../../../stubs/HikariCP-3.4.5/:${testdir}/../../../stubs/spring-jdbc-5.3.8/:${testdir}/../../../stubs/jdbi3-core-3.27.2/:${testdir}/../../../stubs/cargo:${testdir}/../../../stubs/javafx-web:${testdir}/../../../stubs/apache-commons-jelly-1.0.1:${testdir}/../../../stubs/dom4j-2.1.1:${testdir}/../../../stubs/jaxen-1.2.0:${testdir}/../../../stubs/stapler-1.263:${testdir}/../../../stubs/javax-servlet-2.5:${testdir}/../../../stubs/apache-commons-fileupload-1.4:${testdir}/../../../stubs/saxon-xqj-9.x:${testdir}/../../../stubs/apache-commons-beanutils:${testdir}/../../../stubs/apache-commons-lang:${testdir}/../../../stubs/apache-http-5:${testdir}/../../../stubs/playframework-2.6.x:${testdir}/../../../stubs/jaxws-api-2.0:${testdir}/../../../stubs/apache-cxf diff --git a/java/ql/test/stubs/apache-http-client-4.4.13/org/apache/http/client/HttpClient.java b/java/ql/test/stubs/apache-http-client-4.4.13/org/apache/http/client/HttpClient.java new file mode 100644 index 000000000000..3cd8e33ab5c5 --- /dev/null +++ b/java/ql/test/stubs/apache-http-client-4.4.13/org/apache/http/client/HttpClient.java @@ -0,0 +1,23 @@ +// Generated automatically from org.apache.http.client.HttpClient for testing purposes + +package org.apache.http.client; + +import java.io.IOException; +import org.apache.http.HttpHost; +import org.apache.http.HttpRequest; +import org.apache.http.HttpResponse; +import org.apache.http.client.methods.HttpUriRequest; +import org.apache.http.protocol.HttpContext; + +public interface HttpClient { + HttpResponse execute(HttpHost target, HttpRequest request) throws IOException; + HttpResponse execute(HttpHost target, HttpRequest request, HttpContext context) throws IOException; + T execute(HttpHost target, HttpRequest request, ResponseHandler responseHandler) throws IOException; + T execute(HttpHost target, HttpRequest request, ResponseHandler responseHandler, HttpContext context) + throws IOException; + HttpResponse execute(HttpUriRequest request) throws IOException; + HttpResponse execute(HttpUriRequest request, HttpContext context) throws IOException; + T execute(HttpUriRequest request, ResponseHandler responseHandler) throws IOException; + T execute(HttpUriRequest request, ResponseHandler responseHandler, HttpContext context) + throws IOException; +} diff --git a/java/ql/test/stubs/apache-http-client-4.4.13/org/apache/http/client/ResponseHandler.java b/java/ql/test/stubs/apache-http-client-4.4.13/org/apache/http/client/ResponseHandler.java new file mode 100644 index 000000000000..0733cae3baf8 --- /dev/null +++ b/java/ql/test/stubs/apache-http-client-4.4.13/org/apache/http/client/ResponseHandler.java @@ -0,0 +1,9 @@ +// Generated automatically from org.apache.http.client.ResponseHandler for testing purposes + +package org.apache.http.client; + +import org.apache.http.HttpResponse; + +public interface ResponseHandler { + T handleResponse(HttpResponse response); +}