Java: add tests for org.apache.hc.client5.http.fluent

Jami Cogswell · Jami Cogswell · commit cd7b79f62be3 · 2023-04-13T09:12:54.000-04:00
diff --git a/java/ql/lib/ext/org.apache.hc.client5.http.fluent.model.yml b/java/ql/lib/ext/org.apache.hc.client5.http.fluent.model.yml
@@ -3,6 +3,7 @@ extensions:
       pack: codeql/java-all
       extensible: sinkModel
     data:
+      # ! `Request` only extends `Object`, no subclasses listed
       - ["org.apache.hc.client5.http.fluent", "Request", True, "create", "(Method,URI)", "", "Argument[1]", "%-url", "manual"]
       - ["org.apache.hc.client5.http.fluent", "Request", True, "create", "(String,String)", "", "Argument[1]", "%-url", "manual"]
       - ["org.apache.hc.client5.http.fluent", "Request", True, "create", "(String,URI)", "", "Argument[1]", "%-url", "manual"]
diff --git a/java/ql/test/query-tests/security/CWE-918/ApacheHttp5SSRF.java b/java/ql/test/query-tests/security/CWE-918/ApacheHttp5SSRF.java
@@ -28,7 +28,7 @@
 import org.apache.hc.client5.http.classic.methods.HttpTrace;
 import org.apache.hc.client5.http.classic.methods.HttpUriRequestBase;
 
-// import org.apache.hc.client5.http.fluent.Request;
+import org.apache.hc.client5.http.fluent.Request;
 // import org.apache.hc.client5.http.protocol.RedirectLocations;
 // import org.apache.hc.client5.http.utils.URIUtils;
 
@@ -187,8 +187,8 @@ protected void doGet2(HttpServletRequest request, HttpServletResponse response)
             ClassicHttpRequests.create("method", uri.toString()); // $ SSRF
             ClassicHttpRequests.create("method", uri); // $ SSRF
 
-            BasicHttpRequests.delete(uri.toString()); // $ SSRF
-            BasicHttpRequests.delete(uri); // $ SSRF
+            ClassicHttpRequests.delete(uri.toString()); // $ SSRF
+            ClassicHttpRequests.delete(uri); // $ SSRF
 
             ClassicHttpRequests.get(uri.toString()); // $ SSRF
             ClassicHttpRequests.get(uri); // $ SSRF
@@ -243,4 +243,46 @@ protected void doGet2(HttpServletRequest request, HttpServletResponse response)
             // TODO: handle exception
         }
     }
+
+    // org.apache.hc.client5.http.fluent
+    protected void doGet3(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        try {
+
+            String uriSink = request.getParameter("uri");
+            URI uri = new URI(uriSink);
+
+            // org.apache.hc.client5.http.fluent.Request
+            Request.create(Method.CONNECT, uri); // $ SSRF
+            Request.create("method", uri.toString()); // $ SSRF
+            Request.create("method", uri); // $ SSRF
+
+            Request.delete(uri.toString()); // $ SSRF
+            Request.delete(uri); // $ SSRF
+
+            Request.get(uri.toString()); // $ SSRF
+            Request.get(uri); // $ SSRF
+
+            Request.head(uri.toString()); // $ SSRF
+            Request.head(uri); // $ SSRF
+
+            Request.options(uri.toString()); // $ SSRF
+            Request.options(uri); // $ SSRF
+
+            Request.patch(uri.toString()); // $ SSRF
+            Request.patch(uri); // $ SSRF
+
+            Request.post(uri.toString()); // $ SSRF
+            Request.post(uri); // $ SSRF
+
+            Request.put(uri.toString()); // $ SSRF
+            Request.put(uri); // $ SSRF
+
+            Request.trace(uri.toString()); // $ SSRF
+            Request.trace(uri); // $ SSRF
+
+        } catch (Exception e) {
+            // TODO: handle exception
+        }
+    }
 }
