File tree Expand file tree Collapse file tree
java/ql/src/semmle/code/java/security Expand file tree Collapse file tree Original file line number Diff line number Diff line change 1+ /** Provides classes to reason about Server-side Request Forgery attacks. */
2+
13import java
24import semmle.code.java.frameworks.Networking
35import semmle.code.java.frameworks.ApacheHttp
@@ -8,16 +10,21 @@ import semmle.code.java.dataflow.DataFlow
810import semmle.code.java.dataflow.TaintTracking
911private import semmle.code.java.StringFormat
1012
11- abstract class RequestForgeryAdditionalTaintStep extends string {
12- bindingset [ this ]
13- RequestForgeryAdditionalTaintStep ( ) { any ( ) }
14-
13+ /**
14+ * A unit class for adding additional taint steps that are specific to Server-side
15+ * Request Forgery (SSRF) attacks.
16+ *
17+ * Extend this class to add additional taint steps to the SSRF query.
18+ */
19+ class RequestForgeryAdditionalTaintStep extends Unit {
20+ /**
21+ * Holds if the step from `pred` to `succ` should be considered a taint
22+ * step for Server-side Request Forgery.
23+ */
1524 abstract predicate propagatesTaint ( DataFlow:: Node pred , DataFlow:: Node succ ) ;
1625}
1726
1827private class DefaultRequestForgeryAdditionalTaintStep extends RequestForgeryAdditionalTaintStep {
19- DefaultRequestForgeryAdditionalTaintStep ( ) { this = "DefaultRequestForgeryAdditionalTaintStep" }
20-
2128 override predicate propagatesTaint ( DataFlow:: Node pred , DataFlow:: Node succ ) {
2229 // propagate to a URI when its host is assigned to
2330 exists ( UriCreation c | c .getHostArg ( ) = pred .asExpr ( ) | succ .asExpr ( ) = c )
You can’t perform that action at this time.
0 commit comments