Merge pull request github#2 from aschackmull/java/ssrf-review

Java: Review fixes.

Author: porcupineyhairs

java/ql/src/Security/CWE/CWE-319/HttpsUrls.ql

@@ -52,7 +52,7 @@ class HTTPStringToURLOpenMethodFlowConfig extends TaintTracking::Configuration {
   }
 
   override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
-    exists(UrlConstructor u |
+    exists(UrlConstructorCall u |
       node1.asExpr() = u.protocolArg() and
       node2.asExpr() = u
     )

java/ql/src/experimental/CWE-918/RequestForgery.ql

@@ -1,5 +1,5 @@
 /**
- * @name Server Sider Request Forgery (SSRF) from remote source
+ * @name Server Side Request Forgery (SSRF)
  * @description Making web requests based on unvalidated user-input
  *              may cause server to communicate with malicious servers.
  * @kind path-problem
@@ -12,10 +12,22 @@
 
 import java
 import semmle.code.java.dataflow.FlowSources
-import RequestForgery::RequestForgery
+import RequestForgery
 import DataFlow::PathGraph
 
-from DataFlow::PathNode source, DataFlow::PathNode sink, RequestForgeryRemoteConfiguration conf
+class RequestForgeryConfiguration extends TaintTracking::Configuration {
+  RequestForgeryConfiguration() { this = "Server Side Request Forgery" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof RequestForgerySink }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+    requestForgeryStep(pred, succ)
+  }
+}
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, RequestForgeryConfiguration conf
 where conf.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "Potential server side request forgery due to $@.",
   source.getNode(), "a user-provided value"

java/ql/src/experimental/CWE-918/RequestForgery.qll

@@ -1,33 +1,17 @@
 import java
-import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.frameworks.Networking
+import semmle.code.java.frameworks.ApacheHttp
+import semmle.code.java.frameworks.spring.Spring
+import semmle.code.java.frameworks.JaxWS
 import semmle.code.java.frameworks.javase.Http
 import semmle.code.java.dataflow.DataFlow
 
-module RequestForgery {
-  import RequestForgeryCustomizations::RequestForgery
-
-  /**
-   * A taint-tracking configuration for reasoning about request forgery.
-   */
-  class RequestForgeryRemoteConfiguration extends TaintTracking::Configuration {
-    RequestForgeryRemoteConfiguration() { this = "Server Side Request Forgery" }
-
-    override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
-    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-    override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
-      additionalStep(pred, succ)
-    }
-  }
-}
-
-predicate additionalStep(DataFlow::Node pred, DataFlow::Node succ) {
+predicate requestForgeryStep(DataFlow::Node pred, DataFlow::Node succ) {
   // propagate to a URI when its host is assigned to
   exists(UriCreation c | c.getHostArg() = pred.asExpr() | succ.asExpr() = c)
   or
   // propagate to a URL when its host is assigned to
-  exists(UrlConstructor c | c.getHostArg() = pred.asExpr() | succ.asExpr() = c)
+  exists(UrlConstructorCall c | c.getHostArg() = pred.asExpr() | succ.asExpr() = c)
   or
   // propagate to a RequestEntity when its url is assigned to
   exists(MethodAccess m |
@@ -36,11 +20,11 @@ predicate additionalStep(DataFlow::Node pred, DataFlow::Node succ) {
       m.getMethod().hasName(["get", "post", "head", "delete", "options", "patch", "put"]) and
       m.getArgument(0) = pred.asExpr() and
       m = succ.asExpr()
+      or
+      m.getMethod().hasName("method") and
+      m.getArgument(1) = pred.asExpr() and
+      m = succ.asExpr()
     )
-    or
-    m.getMethod().hasName("method") and
-    m.getArgument(1) = pred.asExpr() and
-    m = succ.asExpr()
   )
   or
   // propagate from a `RequestEntity<>$BodyBuilder` to a `RequestEntity`
@@ -53,3 +37,157 @@ predicate additionalStep(DataFlow::Node pred, DataFlow::Node succ) {
     m = succ.asExpr()
   )
 }
+
+/** A data flow sink for request forgery vulnerabilities. */
+abstract class RequestForgerySink extends DataFlow::Node { }
+
+/**
+ * An argument to an url `openConnection` or `openStream` call
+ *  taken as a sink for request forgery vulnerabilities.
+ */
+private class UrlOpen extends RequestForgerySink {
+  UrlOpen() {
+    exists(MethodAccess ma |
+      ma.getMethod() instanceof UrlOpenConnectionMethod or
+      ma.getMethod() instanceof UrlOpenStreamMethod
+    |
+      this.asExpr() = ma.getQualifier()
+    )
+  }
+}
+
+/**
+ * An argument to an Apache `setURI` call taken as a
+ *   sink for request forgery vulnerabilities.
+ */
+private class ApacheSetUri extends RequestForgerySink {
+  ApacheSetUri() {
+    exists(MethodAccess ma |
+      ma.getReceiverType() instanceof ApacheHttpRequest and
+      ma.getMethod().hasName("setURI")
+    |
+      this.asExpr() = ma.getArgument(0)
+    )
+  }
+}
+
+/**
+ * An argument to any Apache Request Instantiation call taken as a
+ *   sink for request forgery vulnerabilities.
+ */
+private class ApacheHttpRequestInstantiation extends RequestForgerySink {
+  ApacheHttpRequestInstantiation() {
+    exists(ClassInstanceExpr c | c.getConstructedType() instanceof ApacheHttpRequest |
+      this.asExpr() = c.getArgument(0)
+    )
+  }
+}
+
+/**
+ * An argument to a Apache RequestBuilder method call taken as a
+ *   sink for request forgery vulnerabilities.
+ */
+private class ApacheHttpRequestBuilderArgument extends RequestForgerySink {
+  ApacheHttpRequestBuilderArgument() {
+    exists(MethodAccess ma |
+      ma.getReceiverType() instanceof TypeApacheHttpRequestBuilder and
+      ma.getMethod().hasName(["setURI", "get", "post", "put", "optons", "head", "delete"])
+    |
+      this.asExpr() = ma.getArgument(0)
+    )
+  }
+}
+
+/**
+ * An argument to any Java.net.http.request Instantiation call taken as a
+ *   sink for request forgery vulnerabilities.
+ */
+private class HttpRequestNewBuilder extends RequestForgerySink {
+  HttpRequestNewBuilder() {
+    exists(MethodAccess call |
+      call.getCallee().hasName("newBuilder") and
+      call.getMethod().getDeclaringType().getName() = "HttpRequest"
+    |
+      this.asExpr() = call.getArgument(0)
+    )
+  }
+}
+
+/**
+ * An argument to an Http Builder `uri` call taken as a
+ *   sink for request forgery vulnerabilities.
+ */
+private class HttpBuilderUriArgument extends RequestForgerySink {
+  HttpBuilderUriArgument() {
+    exists(MethodAccess ma | ma.getMethod() instanceof HttpBuilderUri |
+      this.asExpr() = ma.getArgument(0)
+    )
+  }
+}
+
+/**
+ * An argument to a Spring Rest Template method call taken as a
+ *   sink for request forgery vulnerabilities.
+ */
+private class SpringRestTemplateArgument extends RequestForgerySink {
+  SpringRestTemplateArgument() {
+    exists(MethodAccess ma |
+      this.asExpr() = ma.getMethod().(SpringRestTemplateUrlMethods).getUrlArgument(ma)
+    )
+  }
+}
+
+/**
+ * An argument to `javax.ws.rs.Client`s `target` method call taken as a
+ *   sink for request forgery vulnerabilities.
+ */
+private class JaxRsClientTarget extends RequestForgerySink {
+  JaxRsClientTarget() {
+    exists(MethodAccess ma |
+      ma.getMethod().getDeclaringType() instanceof JaxRsClient and
+      ma.getMethod().hasName("target")
+    |
+      this.asExpr() = ma.getArgument(0)
+    )
+  }
+}
+
+/**
+ * An argument to `org.springframework.http.RequestEntity`s constructor call
+ *   which is an URI taken as a sink for request forgery vulnerabilities.
+ */
+private class RequestEntityUriArg extends RequestForgerySink {
+  RequestEntityUriArg() {
+    exists(ClassInstanceExpr e, Argument a |
+      e.getConstructedType() instanceof SpringRequestEntity and
+      e.getAnArgument() = a and
+      a.getType() instanceof TypeUri and
+      this.asExpr() = a
+    )
+  }
+}
+
+/**
+ * A class representing all Spring Rest Template methods
+ * which take an URL as an argument.
+ */
+private class SpringRestTemplateUrlMethods extends Method {
+  SpringRestTemplateUrlMethods() {
+    this.getDeclaringType() instanceof SpringRestTemplate and
+    this
+        .hasName([
+            "doExecute", "postForEntity", "postForLocation", "postForObject", "put", "exchange",
+            "execute", "getForEntity", "getForObject", "patchForObject"
+          ])
+  }
+
+  /**
+   * Gets the argument which corresponds to a URL argument
+   * passed as a `java.net.___URL` object or as a string or the like
+   */
+  Argument getUrlArgument(MethodAccess ma) {
+    // doExecute(URI url, HttpMethod method, RequestCallback requestCallback,
+    //  ResponseExtractor<T> responseExtractor)
+    result = ma.getArgument(0)
+  }
+}