SSRF: don't consider results of fetches we initiated to be untrustworthy

smowton · smowton · commit 26e10f3ad593 · 2021-06-17T11:41:03.000+01:00
diff --git a/java/ql/src/Security/CWE/CWE-918/RequestForgery.ql b/java/ql/src/Security/CWE/CWE-918/RequestForgery.ql
@@ -18,7 +18,13 @@ import DataFlow::PathGraph
 class RequestForgeryConfiguration extends TaintTracking::Configuration {
   RequestForgeryConfiguration() { this = "Server Side Request Forgery" }
 
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  override predicate isSource(DataFlow::Node source) {
+    source instanceof RemoteFlowSource and
+    // Exclude results of remote HTTP requests: fetching something else based on that result
+    // is no worse than following a redirect returned by the remote server, and typically
+    // we're requesting a resource via https which we trust to only send us to safe URLs.
+    not source.asExpr().(MethodAccess).getCallee() instanceof URLConnectionGetInputStreamMethod
+  }
 
   override predicate isSink(DataFlow::Node sink) { sink instanceof RequestForgerySink }
 
