Merge pull request #9002 from atorralba/atorralba/https-urls-improvs

Java: Add OkHttp and Retrofit models

Author: atorralba

java/ql/lib/change-notes/2022-05-02-okhttp-retrofit-models.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added models for the libraries OkHttp and Retrofit.

java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll

@@ -102,8 +102,10 @@ private module Frameworks {
   private import semmle.code.java.frameworks.JsonJava
   private import semmle.code.java.frameworks.Logging
   private import semmle.code.java.frameworks.Objects
+  private import semmle.code.java.frameworks.OkHttp
   private import semmle.code.java.frameworks.Optional
   private import semmle.code.java.frameworks.Regex
+  private import semmle.code.java.frameworks.Retrofit
   private import semmle.code.java.frameworks.Stream
   private import semmle.code.java.frameworks.Strings
   private import semmle.code.java.frameworks.ratpack.Ratpack

java/ql/lib/semmle/code/java/frameworks/OkHttp.qll

@@ -0,0 +1,71 @@
+/**
+ * Provides classes and predicates for working with the OkHttp client.
+ */
+
+import java
+private import semmle.code.java.dataflow.ExternalFlow
+
+private class OkHttpOpenUrlSinks extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "okhttp3;Request;true;Request;;;Argument[0];open-url",
+        "okhttp3;Request$Builder;true;url;;;Argument[0];open-url"
+      ]
+  }
+}
+
+private class OKHttpSummaries extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "okhttp3;HttpUrl;false;parse;;;Argument[0];ReturnValue;taint",
+        "okhttp3;HttpUrl;false;uri;;;Argument[-1];ReturnValue;taint",
+        "okhttp3;HttpUrl;false;url;;;Argument[-1];ReturnValue;taint",
+        "okhttp3;HttpUrl$Builder;false;addEncodedPathSegment;;;Argument[-1];ReturnValue;value",
+        "okhttp3;HttpUrl$Builder;false;addEncodedPathSegment;;;Argument[0];Argument[-1];taint",
+        "okhttp3;HttpUrl$Builder;false;addEncodedPathSegments;;;Argument[-1];ReturnValue;value",
+        "okhttp3;HttpUrl$Builder;false;addEncodedPathSegments;;;Argument[0];Argument[-1];taint",
+        "okhttp3;HttpUrl$Builder;false;addEncodedQueryParameter;;;Argument[-1];ReturnValue;value",
+        "okhttp3;HttpUrl$Builder;false;addEncodedQueryParameter;;;Argument[0];Argument[-1];taint",
+        "okhttp3;HttpUrl$Builder;false;addPathSegment;;;Argument[-1];ReturnValue;value",
+        "okhttp3;HttpUrl$Builder;false;addPathSegment;;;Argument[0];Argument[-1];taint",
+        "okhttp3;HttpUrl$Builder;false;addPathSegments;;;Argument[-1];ReturnValue;value",
+        "okhttp3;HttpUrl$Builder;false;addPathSegments;;;Argument[0];Argument[-1];taint",
+        "okhttp3;HttpUrl$Builder;false;addQueryParameter;;;Argument[-1];ReturnValue;value",
+        "okhttp3;HttpUrl$Builder;false;addQueryParameter;;;Argument[0..1];Argument[-1];taint",
+        "okhttp3;HttpUrl$Builder;false;build;;;Argument[-1];ReturnValue;taint",
+        "okhttp3;HttpUrl$Builder;false;encodedFragment;;;Argument[-1];ReturnValue;value",
+        "okhttp3;HttpUrl$Builder;false;encodedFragment;;;Argument[0];Argument[-1];taint",
+        "okhttp3;HttpUrl$Builder;false;encodedPassword;;;Argument[-1];ReturnValue;value",
+        "okhttp3;HttpUrl$Builder;false;encodedPath;;;Argument[-1];ReturnValue;value",
+        "okhttp3;HttpUrl$Builder;false;encodedPath;;;Argument[0];Argument[-1];taint",
+        "okhttp3;HttpUrl$Builder;false;encodedQuery;;;Argument[-1];ReturnValue;value",
+        "okhttp3;HttpUrl$Builder;false;encodedQuery;;;Argument[0];Argument[-1];taint",
+        "okhttp3;HttpUrl$Builder;false;encodedUsername;;;Argument[-1];ReturnValue;value",
+        "okhttp3;HttpUrl$Builder;false;fragment;;;Argument[-1];ReturnValue;value",
+        "okhttp3;HttpUrl$Builder;false;fragment;;;Argument[0];Argument[-1];taint",
+        "okhttp3;HttpUrl$Builder;false;host;;;Argument[-1];ReturnValue;value",
+        "okhttp3;HttpUrl$Builder;false;host;;;Argument[0];Argument[-1];taint",
+        "okhttp3;HttpUrl$Builder;false;password;;;Argument[-1];ReturnValue;value",
+        "okhttp3;HttpUrl$Builder;false;port;;;Argument[-1];ReturnValue;value",
+        "okhttp3;HttpUrl$Builder;false;port;;;Argument[0];Argument[-1];taint",
+        "okhttp3;HttpUrl$Builder;false;query;;;Argument[-1];ReturnValue;value",
+        "okhttp3;HttpUrl$Builder;false;query;;;Argument[0];Argument[-1];taint",
+        "okhttp3;HttpUrl$Builder;false;removeAllEncodedQueryParameters;;;Argument[-1];ReturnValue;value",
+        "okhttp3;HttpUrl$Builder;false;removeAllQueryParameters;;;Argument[-1];ReturnValue;value",
+        "okhttp3;HttpUrl$Builder;false;removePathSegment;;;Argument[-1];ReturnValue;value",
+        "okhttp3;HttpUrl$Builder;false;scheme;;;Argument[-1];ReturnValue;value",
+        "okhttp3;HttpUrl$Builder;false;scheme;;;Argument[0];Argument[-1];taint",
+        "okhttp3;HttpUrl$Builder;false;setEncodedPathSegment;;;Argument[-1];ReturnValue;value",
+        "okhttp3;HttpUrl$Builder;false;setEncodedPathSegment;;;Argument[0];Argument[-1];taint",
+        "okhttp3;HttpUrl$Builder;false;setEncodedQueryParameter;;;Argument[-1];ReturnValue;value",
+        "okhttp3;HttpUrl$Builder;false;setEncodedQueryParameter;;;Argument[0];Argument[-1];taint",
+        "okhttp3;HttpUrl$Builder;false;setPathSegment;;;Argument[-1];ReturnValue;value",
+        "okhttp3;HttpUrl$Builder;false;setPathSegment;;;Argument[0];Argument[-1];taint",
+        "okhttp3;HttpUrl$Builder;false;setQueryParameter;;;Argument[-1];ReturnValue;value",
+        "okhttp3;HttpUrl$Builder;false;setQueryParameter;;;Argument[0];Argument[-1];taint",
+        "okhttp3;HttpUrl$Builder;false;username;;;Argument[-1];ReturnValue;value",
+      ]
+  }
+}

java/ql/lib/semmle/code/java/frameworks/Retrofit.qll

@@ -0,0 +1,12 @@
+/**
+ * Provides classes and predicates for working with the Retrofit API client.
+ */
+
+import java
+private import semmle.code.java.dataflow.ExternalFlow
+
+private class RetrofitOpenUrlSinks extends SinkModelCsv {
+  override predicate row(string row) {
+    row = "retrofit2;Retrofit$Builder;true;baseUrl;;;Argument[0];open-url"
+  }
+}

java/ql/src/Security/CWE/CWE-319/HttpsUrls.ql

@@ -14,10 +14,7 @@ import java
 import semmle.code.java.security.HttpsUrlsQuery
 import DataFlow::PathGraph
 
-from DataFlow::PathNode source, DataFlow::PathNode sink, MethodAccess m, HttpStringLiteral s
-where
-  source.getNode().asExpr() = s and
-  sink.getNode().asExpr() = m.getQualifier() and
-  any(HttpStringToUrlOpenMethodFlowConfig c).hasFlowPath(source, sink)
-select m, source, sink, "URL may have been constructed with HTTP protocol, using $@.", s,
-  "this source"
+from DataFlow::PathNode source, DataFlow::PathNode sink
+where any(HttpStringToUrlOpenMethodFlowConfig c).hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "URL may have been constructed with HTTP protocol, using $@.",
+  source.getNode(), "this source"

java/ql/src/change-notes/2022-05-02-non-https-urls-simplified.md

@@ -0,0 +1,5 @@
+---
+category: minorAnalysis
+---
+* The query `java/non-https-urls` has been simplified
+and no longer requires its sinks to be `MethodAccess`es.