Build RequestBuilder more realistically

Author: owen-mc

java/ql/test/query-tests/security/CWE-918/ApacheHttpClientExecuteSSRF.java

@@ -5,6 +5,7 @@
 import org.apache.http.client.HttpClient;
 import org.apache.http.client.ResponseHandler;
 import org.apache.http.client.methods.HttpUriRequest;
+import org.apache.http.client.methods.RequestBuilder;
 import org.apache.http.impl.client.HttpClients;
 import org.apache.http.message.BasicHttpRequest;
 import org.apache.http.protocol.HttpContext;
@@ -23,7 +24,7 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response)
 
             HttpHost host = new HttpHost(source);
             HttpRequest req = new BasicHttpRequest("GET", "/");
-            HttpUriRequest uriReq = (HttpUriRequest) (Object) source;
+            HttpUriRequest uriReq = RequestBuilder.get(source).build(); // $ Alert
             HttpContext context = null;
             HttpClient client = HttpClients.createDefault();
             ResponseHandler<Object> handler = null;

java/ql/test/query-tests/security/CWE-918/RequestForgery.expected

@@ -1,12 +1,13 @@
 #select
-| ApacheHttpClientExecuteSSRF.java:31:28:31:31 | host | ApacheHttpClientExecuteSSRF.java:22:29:22:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:31:28:31:31 | host | Potential server-side request forgery due to a $@. | ApacheHttpClientExecuteSSRF.java:22:29:22:56 | getParameter(...) | user-provided value |
-| ApacheHttpClientExecuteSSRF.java:32:28:32:31 | host | ApacheHttpClientExecuteSSRF.java:22:29:22:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:32:28:32:31 | host | Potential server-side request forgery due to a $@. | ApacheHttpClientExecuteSSRF.java:22:29:22:56 | getParameter(...) | user-provided value |
-| ApacheHttpClientExecuteSSRF.java:33:28:33:31 | host | ApacheHttpClientExecuteSSRF.java:22:29:22:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:33:28:33:31 | host | Potential server-side request forgery due to a $@. | ApacheHttpClientExecuteSSRF.java:22:29:22:56 | getParameter(...) | user-provided value |
-| ApacheHttpClientExecuteSSRF.java:34:28:34:31 | host | ApacheHttpClientExecuteSSRF.java:22:29:22:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:34:28:34:31 | host | Potential server-side request forgery due to a $@. | ApacheHttpClientExecuteSSRF.java:22:29:22:56 | getParameter(...) | user-provided value |
-| ApacheHttpClientExecuteSSRF.java:35:28:35:33 | uriReq | ApacheHttpClientExecuteSSRF.java:22:29:22:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:35:28:35:33 | uriReq | Potential server-side request forgery due to a $@. | ApacheHttpClientExecuteSSRF.java:22:29:22:56 | getParameter(...) | user-provided value |
-| ApacheHttpClientExecuteSSRF.java:36:28:36:33 | uriReq | ApacheHttpClientExecuteSSRF.java:22:29:22:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:36:28:36:33 | uriReq | Potential server-side request forgery due to a $@. | ApacheHttpClientExecuteSSRF.java:22:29:22:56 | getParameter(...) | user-provided value |
-| ApacheHttpClientExecuteSSRF.java:37:28:37:33 | uriReq | ApacheHttpClientExecuteSSRF.java:22:29:22:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:37:28:37:33 | uriReq | Potential server-side request forgery due to a $@. | ApacheHttpClientExecuteSSRF.java:22:29:22:56 | getParameter(...) | user-provided value |
-| ApacheHttpClientExecuteSSRF.java:38:28:38:33 | uriReq | ApacheHttpClientExecuteSSRF.java:22:29:22:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:38:28:38:33 | uriReq | Potential server-side request forgery due to a $@. | ApacheHttpClientExecuteSSRF.java:22:29:22:56 | getParameter(...) | user-provided value |
+| ApacheHttpClientExecuteSSRF.java:27:56:27:61 | source | ApacheHttpClientExecuteSSRF.java:23:29:23:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:27:56:27:61 | source | Potential server-side request forgery due to a $@. | ApacheHttpClientExecuteSSRF.java:23:29:23:56 | getParameter(...) | user-provided value |
+| ApacheHttpClientExecuteSSRF.java:32:28:32:31 | host | ApacheHttpClientExecuteSSRF.java:23:29:23:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:32:28:32:31 | host | Potential server-side request forgery due to a $@. | ApacheHttpClientExecuteSSRF.java:23:29:23:56 | getParameter(...) | user-provided value |
+| ApacheHttpClientExecuteSSRF.java:33:28:33:31 | host | ApacheHttpClientExecuteSSRF.java:23:29:23:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:33:28:33:31 | host | Potential server-side request forgery due to a $@. | ApacheHttpClientExecuteSSRF.java:23:29:23:56 | getParameter(...) | user-provided value |
+| ApacheHttpClientExecuteSSRF.java:34:28:34:31 | host | ApacheHttpClientExecuteSSRF.java:23:29:23:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:34:28:34:31 | host | Potential server-side request forgery due to a $@. | ApacheHttpClientExecuteSSRF.java:23:29:23:56 | getParameter(...) | user-provided value |
+| ApacheHttpClientExecuteSSRF.java:35:28:35:31 | host | ApacheHttpClientExecuteSSRF.java:23:29:23:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:35:28:35:31 | host | Potential server-side request forgery due to a $@. | ApacheHttpClientExecuteSSRF.java:23:29:23:56 | getParameter(...) | user-provided value |
+| ApacheHttpClientExecuteSSRF.java:36:28:36:33 | uriReq | ApacheHttpClientExecuteSSRF.java:23:29:23:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:36:28:36:33 | uriReq | Potential server-side request forgery due to a $@. | ApacheHttpClientExecuteSSRF.java:23:29:23:56 | getParameter(...) | user-provided value |
+| ApacheHttpClientExecuteSSRF.java:37:28:37:33 | uriReq | ApacheHttpClientExecuteSSRF.java:23:29:23:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:37:28:37:33 | uriReq | Potential server-side request forgery due to a $@. | ApacheHttpClientExecuteSSRF.java:23:29:23:56 | getParameter(...) | user-provided value |
+| ApacheHttpClientExecuteSSRF.java:38:28:38:33 | uriReq | ApacheHttpClientExecuteSSRF.java:23:29:23:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:38:28:38:33 | uriReq | Potential server-side request forgery due to a $@. | ApacheHttpClientExecuteSSRF.java:23:29:23:56 | getParameter(...) | user-provided value |
+| ApacheHttpClientExecuteSSRF.java:39:28:39:33 | uriReq | ApacheHttpClientExecuteSSRF.java:23:29:23:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:39:28:39:33 | uriReq | Potential server-side request forgery due to a $@. | ApacheHttpClientExecuteSSRF.java:23:29:23:56 | getParameter(...) | user-provided value |
 | ApacheHttpSSRF.java:30:43:30:45 | uri | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) : String | ApacheHttpSSRF.java:30:43:30:45 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) | user-provided value |
 | ApacheHttpSSRF.java:32:29:32:31 | uri | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) : String | ApacheHttpSSRF.java:32:29:32:31 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) | user-provided value |
 | ApacheHttpSSRF.java:34:26:34:28 | uri | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) : String | ApacheHttpSSRF.java:34:26:34:28 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) | user-provided value |
@@ -385,18 +386,20 @@
 | mad/Test.java:107:15:107:31 | (...)... | mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:107:15:107:31 | (...)... | Potential server-side request forgery due to a $@. | mad/Test.java:26:16:26:41 | getParameter(...) | user-provided value |
 | mad/Test.java:112:15:112:31 | (...)... | mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:112:15:112:31 | (...)... | Potential server-side request forgery due to a $@. | mad/Test.java:26:16:26:41 | getParameter(...) | user-provided value |
 edges
-| ApacheHttpClientExecuteSSRF.java:22:29:22:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:24:42:24:47 | source : String | provenance | Src:MaD:285  |
-| ApacheHttpClientExecuteSSRF.java:22:29:22:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:26:54:26:68 | (...)... : String | provenance | Src:MaD:285  |
-| ApacheHttpClientExecuteSSRF.java:24:29:24:48 | new HttpHost(...) : HttpHost | ApacheHttpClientExecuteSSRF.java:31:28:31:31 | host | provenance | Sink:MaD:228 |
-| ApacheHttpClientExecuteSSRF.java:24:29:24:48 | new HttpHost(...) : HttpHost | ApacheHttpClientExecuteSSRF.java:32:28:32:31 | host | provenance | Sink:MaD:229 |
-| ApacheHttpClientExecuteSSRF.java:24:29:24:48 | new HttpHost(...) : HttpHost | ApacheHttpClientExecuteSSRF.java:33:28:33:31 | host | provenance | Sink:MaD:230 |
-| ApacheHttpClientExecuteSSRF.java:24:29:24:48 | new HttpHost(...) : HttpHost | ApacheHttpClientExecuteSSRF.java:34:28:34:31 | host | provenance | Sink:MaD:231 |
-| ApacheHttpClientExecuteSSRF.java:24:42:24:47 | source : String | ApacheHttpClientExecuteSSRF.java:24:29:24:48 | new HttpHost(...) : HttpHost | provenance | MaD:305 |
-| ApacheHttpClientExecuteSSRF.java:26:37:26:68 | (...)... : String | ApacheHttpClientExecuteSSRF.java:35:28:35:33 | uriReq | provenance | Sink:MaD:232 |
-| ApacheHttpClientExecuteSSRF.java:26:37:26:68 | (...)... : String | ApacheHttpClientExecuteSSRF.java:36:28:36:33 | uriReq | provenance | Sink:MaD:233 |
-| ApacheHttpClientExecuteSSRF.java:26:37:26:68 | (...)... : String | ApacheHttpClientExecuteSSRF.java:37:28:37:33 | uriReq | provenance | Sink:MaD:234 |
-| ApacheHttpClientExecuteSSRF.java:26:37:26:68 | (...)... : String | ApacheHttpClientExecuteSSRF.java:38:28:38:33 | uriReq | provenance | Sink:MaD:235 |
-| ApacheHttpClientExecuteSSRF.java:26:54:26:68 | (...)... : String | ApacheHttpClientExecuteSSRF.java:26:37:26:68 | (...)... : String | provenance |  |
+| ApacheHttpClientExecuteSSRF.java:23:29:23:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:25:42:25:47 | source : String | provenance | Src:MaD:285  |
+| ApacheHttpClientExecuteSSRF.java:23:29:23:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:27:56:27:61 | source | provenance | Src:MaD:285 Sink:MaD:220 |
+| ApacheHttpClientExecuteSSRF.java:23:29:23:56 | getParameter(...) : String | ApacheHttpClientExecuteSSRF.java:27:56:27:61 | source : String | provenance | Src:MaD:285  |
+| ApacheHttpClientExecuteSSRF.java:25:29:25:48 | new HttpHost(...) : HttpHost | ApacheHttpClientExecuteSSRF.java:32:28:32:31 | host | provenance | Sink:MaD:228 |
+| ApacheHttpClientExecuteSSRF.java:25:29:25:48 | new HttpHost(...) : HttpHost | ApacheHttpClientExecuteSSRF.java:33:28:33:31 | host | provenance | Sink:MaD:229 |
+| ApacheHttpClientExecuteSSRF.java:25:29:25:48 | new HttpHost(...) : HttpHost | ApacheHttpClientExecuteSSRF.java:34:28:34:31 | host | provenance | Sink:MaD:230 |
+| ApacheHttpClientExecuteSSRF.java:25:29:25:48 | new HttpHost(...) : HttpHost | ApacheHttpClientExecuteSSRF.java:35:28:35:31 | host | provenance | Sink:MaD:231 |
+| ApacheHttpClientExecuteSSRF.java:25:42:25:47 | source : String | ApacheHttpClientExecuteSSRF.java:25:29:25:48 | new HttpHost(...) : HttpHost | provenance | MaD:307 |
+| ApacheHttpClientExecuteSSRF.java:27:37:27:62 | get(...) : RequestBuilder | ApacheHttpClientExecuteSSRF.java:27:37:27:70 | build(...) : HttpUriRequest | provenance | MaD:304 |
+| ApacheHttpClientExecuteSSRF.java:27:37:27:70 | build(...) : HttpUriRequest | ApacheHttpClientExecuteSSRF.java:36:28:36:33 | uriReq | provenance | Sink:MaD:232 |
+| ApacheHttpClientExecuteSSRF.java:27:37:27:70 | build(...) : HttpUriRequest | ApacheHttpClientExecuteSSRF.java:37:28:37:33 | uriReq | provenance | Sink:MaD:233 |
+| ApacheHttpClientExecuteSSRF.java:27:37:27:70 | build(...) : HttpUriRequest | ApacheHttpClientExecuteSSRF.java:38:28:38:33 | uriReq | provenance | Sink:MaD:234 |
+| ApacheHttpClientExecuteSSRF.java:27:37:27:70 | build(...) : HttpUriRequest | ApacheHttpClientExecuteSSRF.java:39:28:39:33 | uriReq | provenance | Sink:MaD:235 |
+| ApacheHttpClientExecuteSSRF.java:27:56:27:61 | source : String | ApacheHttpClientExecuteSSRF.java:27:37:27:62 | get(...) : RequestBuilder | provenance | MaD:305 |
 | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) : String | ApacheHttpSSRF.java:28:31:28:34 | sink : String | provenance | Src:MaD:285  |
 | ApacheHttpSSRF.java:28:23:28:35 | new URI(...) : URI | ApacheHttpSSRF.java:30:43:30:45 | uri | provenance | Sink:MaD:211 |
 | ApacheHttpSSRF.java:28:23:28:35 | new URI(...) : URI | ApacheHttpSSRF.java:32:29:32:31 | uri | provenance | Sink:MaD:217 |
@@ -425,11 +428,11 @@ edges
 | ApacheHttpSSRF.java:28:31:28:34 | sink : String | ApacheHttpSSRF.java:28:23:28:35 | new URI(...) : URI | provenance | Config |
 | ApacheHttpSSRF.java:28:31:28:34 | sink : String | ApacheHttpSSRF.java:28:23:28:35 | new URI(...) : URI | provenance | MaD:293 |
 | ApacheHttpSSRF.java:42:62:42:64 | uri : URI | ApacheHttpSSRF.java:42:62:42:75 | toString(...) : String | provenance | MaD:295 |
-| ApacheHttpSSRF.java:42:62:42:75 | toString(...) : String | ApacheHttpSSRF.java:42:34:42:82 | new BasicRequestLine(...) | provenance | MaD:304 Sink:MaD:239 |
+| ApacheHttpSSRF.java:42:62:42:75 | toString(...) : String | ApacheHttpSSRF.java:42:34:42:82 | new BasicRequestLine(...) | provenance | MaD:306 Sink:MaD:239 |
 | ApacheHttpSSRF.java:43:41:43:43 | uri : URI | ApacheHttpSSRF.java:43:41:43:54 | toString(...) | provenance | MaD:295 Sink:MaD:240 |
 | ApacheHttpSSRF.java:44:41:44:43 | uri : URI | ApacheHttpSSRF.java:44:41:44:54 | toString(...) | provenance | MaD:295 Sink:MaD:241 |
 | ApacheHttpSSRF.java:46:77:46:79 | uri : URI | ApacheHttpSSRF.java:46:77:46:90 | toString(...) : String | provenance | MaD:295 |
-| ApacheHttpSSRF.java:46:77:46:90 | toString(...) : String | ApacheHttpSSRF.java:46:49:46:97 | new BasicRequestLine(...) | provenance | MaD:304 Sink:MaD:236 |
+| ApacheHttpSSRF.java:46:77:46:90 | toString(...) : String | ApacheHttpSSRF.java:46:49:46:97 | new BasicRequestLine(...) | provenance | MaD:306 Sink:MaD:236 |
 | ApacheHttpSSRF.java:47:56:47:58 | uri : URI | ApacheHttpSSRF.java:47:56:47:69 | toString(...) | provenance | MaD:295 Sink:MaD:237 |
 | ApacheHttpSSRF.java:48:56:48:58 | uri : URI | ApacheHttpSSRF.java:48:56:48:69 | toString(...) | provenance | MaD:295 Sink:MaD:238 |
 | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:42:31:42:37 | uriSink : String | provenance | Src:MaD:285  |
@@ -1402,22 +1405,26 @@ models
 | 301 | Summary: java.util; Map; false; of; ; ; Argument[3]; ReturnValue.MapValue; value; manual |
 | 302 | Summary: java.util; Properties; true; setProperty; (String,String); ; Argument[1]; Argument[this].MapValue; value; manual |
 | 303 | Summary: org.apache.hc.core5.http; HttpHost; true; HttpHost; (String); ; Argument[0]; Argument[this]; taint; hq-manual |
-| 304 | Summary: org.apache.http.message; BasicRequestLine; false; BasicRequestLine; ; ; Argument[1]; Argument[this]; taint; manual |
-| 305 | Summary: org.apache.http; HttpHost; true; HttpHost; (String); ; Argument[0]; Argument[this]; taint; hq-manual |
+| 304 | Summary: org.apache.http.client.methods; RequestBuilder; true; build; (); ; Argument[this]; ReturnValue; taint; ai-manual |
+| 305 | Summary: org.apache.http.client.methods; RequestBuilder; true; get; (String); ; Argument[0]; ReturnValue; taint; ai-manual |
+| 306 | Summary: org.apache.http.message; BasicRequestLine; false; BasicRequestLine; ; ; Argument[1]; Argument[this]; taint; manual |
+| 307 | Summary: org.apache.http; HttpHost; true; HttpHost; (String); ; Argument[0]; Argument[this]; taint; hq-manual |
 nodes
-| ApacheHttpClientExecuteSSRF.java:22:29:22:56 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| ApacheHttpClientExecuteSSRF.java:24:29:24:48 | new HttpHost(...) : HttpHost | semmle.label | new HttpHost(...) : HttpHost |
-| ApacheHttpClientExecuteSSRF.java:24:42:24:47 | source : String | semmle.label | source : String |
-| ApacheHttpClientExecuteSSRF.java:26:37:26:68 | (...)... : String | semmle.label | (...)... : String |
-| ApacheHttpClientExecuteSSRF.java:26:54:26:68 | (...)... : String | semmle.label | (...)... : String |
-| ApacheHttpClientExecuteSSRF.java:31:28:31:31 | host | semmle.label | host |
+| ApacheHttpClientExecuteSSRF.java:23:29:23:56 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| ApacheHttpClientExecuteSSRF.java:25:29:25:48 | new HttpHost(...) : HttpHost | semmle.label | new HttpHost(...) : HttpHost |
+| ApacheHttpClientExecuteSSRF.java:25:42:25:47 | source : String | semmle.label | source : String |
+| ApacheHttpClientExecuteSSRF.java:27:37:27:62 | get(...) : RequestBuilder | semmle.label | get(...) : RequestBuilder |
+| ApacheHttpClientExecuteSSRF.java:27:37:27:70 | build(...) : HttpUriRequest | semmle.label | build(...) : HttpUriRequest |
+| ApacheHttpClientExecuteSSRF.java:27:56:27:61 | source | semmle.label | source |
+| ApacheHttpClientExecuteSSRF.java:27:56:27:61 | source : String | semmle.label | source : String |
 | ApacheHttpClientExecuteSSRF.java:32:28:32:31 | host | semmle.label | host |
 | ApacheHttpClientExecuteSSRF.java:33:28:33:31 | host | semmle.label | host |
 | ApacheHttpClientExecuteSSRF.java:34:28:34:31 | host | semmle.label | host |
-| ApacheHttpClientExecuteSSRF.java:35:28:35:33 | uriReq | semmle.label | uriReq |
+| ApacheHttpClientExecuteSSRF.java:35:28:35:31 | host | semmle.label | host |
 | ApacheHttpClientExecuteSSRF.java:36:28:36:33 | uriReq | semmle.label | uriReq |
 | ApacheHttpClientExecuteSSRF.java:37:28:37:33 | uriReq | semmle.label | uriReq |
 | ApacheHttpClientExecuteSSRF.java:38:28:38:33 | uriReq | semmle.label | uriReq |
+| ApacheHttpClientExecuteSSRF.java:39:28:39:33 | uriReq | semmle.label | uriReq |
 | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | ApacheHttpSSRF.java:28:23:28:35 | new URI(...) : URI | semmle.label | new URI(...) : URI |
 | ApacheHttpSSRF.java:28:31:28:34 | sink : String | semmle.label | sink : String |