|
| 1 | +/** A module to reason about request forgery vulnerabilities. */ |
| 2 | + |
| 3 | +import java |
| 4 | +import semmle.code.java.frameworks.Networking |
| 5 | +import semmle.code.java.frameworks.javase.URI |
| 6 | +import semmle.code.java.frameworks.javase.URL |
| 7 | +import semmle.code.java.frameworks.JaxWS |
| 8 | +import semmle.code.java.frameworks.javase.Http |
| 9 | +import semmle.code.java.dataflow.DataFlow |
| 10 | + |
| 11 | +/** A module to reason about request forgery vulnerabilities. */ |
| 12 | +module RequestForgery { |
| 13 | + /** A data flow sink for request forgery vulnerabilities. */ |
| 14 | + abstract class Sink extends DataFlow::Node { } |
| 15 | + |
| 16 | + /** |
| 17 | + * An argument to an url `openConnection` or `openStream` call |
| 18 | + * taken as a sink for request forgery vulnerabilities. |
| 19 | + */ |
| 20 | + private class UrlOpen extends Sink { |
| 21 | + UrlOpen() { |
| 22 | + exists(MethodAccess ma | |
| 23 | + ma.getMethod() instanceof UrlOpenConnectionMethod or |
| 24 | + ma.getMethod() instanceof UrlOpenStreamMethod |
| 25 | + | |
| 26 | + this.asExpr() = ma.getQualifier() |
| 27 | + ) |
| 28 | + } |
| 29 | + } |
| 30 | + |
| 31 | + /** |
| 32 | + * An argument to an Apache `setURI` call taken as a |
| 33 | + * sink for request forgery vulnerabilities. |
| 34 | + */ |
| 35 | + private class ApacheSetUri extends Sink { |
| 36 | + ApacheSetUri() { |
| 37 | + exists(MethodAccess ma | |
| 38 | + ma.getReceiverType() instanceof TypeApacheHttpRequest and |
| 39 | + ma.getMethod().hasName("setURI") |
| 40 | + | |
| 41 | + this.asExpr() = ma.getArgument(0) |
| 42 | + ) |
| 43 | + } |
| 44 | + } |
| 45 | + |
| 46 | + /** |
| 47 | + * An argument to any Apache Request Instantiation call taken as a |
| 48 | + * sink for request forgery vulnerabilities. |
| 49 | + */ |
| 50 | + private class ApacheHttpRequestInstantiation extends Sink { |
| 51 | + ApacheHttpRequestInstantiation() { |
| 52 | + exists(ClassInstanceExpr c | c.getConstructedType() instanceof TypeApacheHttpRequest | |
| 53 | + this.asExpr() = c.getArgument(0) |
| 54 | + ) |
| 55 | + } |
| 56 | + } |
| 57 | + |
| 58 | + /** |
| 59 | + * An argument to a Apache RequestBuilder method call taken as a |
| 60 | + * sink for request forgery vulnerabilities. |
| 61 | + */ |
| 62 | + private class ApacheHttpRequestBuilderArgument extends Sink { |
| 63 | + ApacheHttpRequestBuilderArgument() { |
| 64 | + exists(MethodAccess ma | |
| 65 | + ma.getReceiverType() instanceof TypeApacheHttpRequestBuilder and |
| 66 | + ma.getMethod().hasName(["setURI", "get", "post", "put", "optons", "head", "delete"]) |
| 67 | + | |
| 68 | + this.asExpr() = ma.getArgument(0) |
| 69 | + ) |
| 70 | + } |
| 71 | + } |
| 72 | + |
| 73 | + /** |
| 74 | + * An argument to any Java.net.http.request Instantiation call taken as a |
| 75 | + * sink for request forgery vulnerabilities. |
| 76 | + */ |
| 77 | + private class HttpRequestNewBuilder extends Sink { |
| 78 | + HttpRequestNewBuilder() { |
| 79 | + exists(MethodAccess call | |
| 80 | + call.getCallee().hasName("newBuilder") and |
| 81 | + call.getMethod().getDeclaringType().getName() = "HttpRequest" |
| 82 | + | |
| 83 | + this.asExpr() = call.getArgument(0) |
| 84 | + ) |
| 85 | + } |
| 86 | + } |
| 87 | + |
| 88 | + /** |
| 89 | + * An argument to an Http Builder `uri` call taken as a |
| 90 | + * sink for request forgery vulnerabilities. |
| 91 | + */ |
| 92 | + private class HttpBuilderUriArgument extends Sink { |
| 93 | + HttpBuilderUriArgument() { |
| 94 | + exists(MethodAccess ma | ma.getMethod() instanceof HttpBuilderUri | |
| 95 | + this.asExpr() = ma.getArgument(0) |
| 96 | + ) |
| 97 | + } |
| 98 | + } |
| 99 | + |
| 100 | + /** |
| 101 | + * An argument to a Spring Rest Template method call taken as a |
| 102 | + * sink for request forgery vulnerabilities. |
| 103 | + */ |
| 104 | + private class SpringRestTemplateArgument extends Sink { |
| 105 | + SpringRestTemplateArgument() { |
| 106 | + exists(MethodAccess ma | |
| 107 | + this.asExpr() = ma.getMethod().(SpringRestTemplateUrlMethods).getUrlArgument(ma) |
| 108 | + ) |
| 109 | + } |
| 110 | + } |
| 111 | + |
| 112 | + /** |
| 113 | + * An argument to `javax.ws.rs.Client`s `target` method call taken as a |
| 114 | + * sink for request forgery vulnerabilities. |
| 115 | + */ |
| 116 | + private class JaxRsClientTarget extends Sink { |
| 117 | + JaxRsClientTarget() { |
| 118 | + exists(MethodAccess ma, JaxRsClient t | |
| 119 | + // ma.getMethod().getDeclaringType().getQualifiedName() ="javax.ws.rs.client.Client" and |
| 120 | + ma.getMethod().getDeclaringType() instanceof JaxRsClient and |
| 121 | + ma.getMethod().hasName("target") |
| 122 | + | |
| 123 | + this.asExpr() = ma.getArgument(0) |
| 124 | + ) |
| 125 | + } |
| 126 | + } |
| 127 | + |
| 128 | + /** |
| 129 | + * A URI argument to `org.springframework.http.RequestEntity`s constructor call |
| 130 | + * taken as a sink for request forgery vulnerabilities. |
| 131 | + */ |
| 132 | + private class RequestEntityUriArg extends Sink { |
| 133 | + RequestEntityUriArg() { |
| 134 | + exists(SpringRequestEntityInstanceExpr e | e.getUriArg() = this.asExpr()) |
| 135 | + } |
| 136 | + } |
| 137 | +} |
0 commit comments