Add models for OkHttp and Retrofit

Author: atorralba

java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll

@@ -102,8 +102,10 @@ private module Frameworks {
   private import semmle.code.java.frameworks.JsonJava
   private import semmle.code.java.frameworks.Logging
   private import semmle.code.java.frameworks.Objects
+  private import semmle.code.java.frameworks.OkHttp
   private import semmle.code.java.frameworks.Optional
   private import semmle.code.java.frameworks.Regex
+  private import semmle.code.java.frameworks.Retrofit
   private import semmle.code.java.frameworks.Stream
   private import semmle.code.java.frameworks.Strings
   private import semmle.code.java.frameworks.ratpack.Ratpack

java/ql/lib/semmle/code/java/frameworks/OkHttp.qll

@@ -0,0 +1,55 @@
+/**
+ * Provides classes and predicates for working with the OkHttp client.
+ */
+
+import java
+import semmle.code.java.dataflow.ExternalFlow
+
+private class OkHttpOpenUrlSinks extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "okhttp3;Request;true;Request;;;Argument[0];open-url",
+        "okhttp3;Request$Builder;true;url;;;Argument[0];open-url"
+      ]
+  }
+}
+
+private class OKHttpSummaries extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "okhttp3;HttpUrl;false;parse;;;Argument[0];ReturnValue;taint",
+        "okhttp3;HttpUrl;false;uri;;;Argument[-1];ReturnValue;taint",
+        "okhttp3;HttpUrl;false;url;;;Argument[-1];ReturnValue;taint",
+        "okhttp3;HttpUrl$Builder;false;addEncodedPathSegment;;;Argument[-1];ReturnValue;value",
+        "okhttp3;HttpUrl$Builder;false;addEncodedPathSegments;;;Argument[-1];ReturnValue;value",
+        "okhttp3;HttpUrl$Builder;false;addEncodedQueryParameter;;;Argument[-1];ReturnValue;value",
+        "okhttp3;HttpUrl$Builder;false;addPathSegment;;;Argument[-1];ReturnValue;value",
+        "okhttp3;HttpUrl$Builder;false;addPathSegments;;;Argument[-1];ReturnValue;value",
+        "okhttp3;HttpUrl$Builder;false;addQueryParameter;;;Argument[-1];ReturnValue;value",
+        "okhttp3;HttpUrl$Builder;false;build;;;Argument[-1];ReturnValue;taint",
+        "okhttp3;HttpUrl$Builder;false;encodedFragment;;;Argument[-1];ReturnValue;value",
+        "okhttp3;HttpUrl$Builder;false;encodedPassword;;;Argument[-1];ReturnValue;value",
+        "okhttp3;HttpUrl$Builder;false;encodedPath;;;Argument[-1];ReturnValue;value",
+        "okhttp3;HttpUrl$Builder;false;encodedQuery;;;Argument[-1];ReturnValue;value",
+        "okhttp3;HttpUrl$Builder;false;encodedUsername;;;Argument[-1];ReturnValue;value",
+        "okhttp3;HttpUrl$Builder;false;fragment;;;Argument[-1];ReturnValue;value",
+        "okhttp3;HttpUrl$Builder;false;fragment;;;Argument[-1];ReturnValue;value",
+        "okhttp3;HttpUrl$Builder;false;host;;;Argument[-1];ReturnValue;value",
+        "okhttp3;HttpUrl$Builder;false;password;;;Argument[-1];ReturnValue;value",
+        "okhttp3;HttpUrl$Builder;false;port;;;Argument[-1];ReturnValue;value",
+        "okhttp3;HttpUrl$Builder;false;query;;;Argument[-1];ReturnValue;value",
+        "okhttp3;HttpUrl$Builder;false;removeAllEncodedQueryParameters;;;Argument[-1];ReturnValue;value",
+        "okhttp3;HttpUrl$Builder;false;removeAllQueryParameters;;;Argument[-1];ReturnValue;value",
+        "okhttp3;HttpUrl$Builder;false;removePathSegment;;;Argument[-1];ReturnValue;value",
+        "okhttp3;HttpUrl$Builder;false;scheme;;;Argument[-1];ReturnValue;value",
+        "okhttp3;HttpUrl$Builder;false;scheme;;;Argument[0];Argument[-1];taint",
+        "okhttp3;HttpUrl$Builder;false;setEncodedPathSegment;;;Argument[-1];ReturnValue;value",
+        "okhttp3;HttpUrl$Builder;false;setEncodedQueryParameter;;;Argument[-1];ReturnValue;value",
+        "okhttp3;HttpUrl$Builder;false;setPathSegment;;;Argument[-1];ReturnValue;value",
+        "okhttp3;HttpUrl$Builder;false;setQueryParameter;;;Argument[-1];ReturnValue;value",
+        "okhttp3;HttpUrl$Builder;false;username;;;Argument[-1];ReturnValue;value",
+      ]
+  }
+}

java/ql/lib/semmle/code/java/frameworks/Retrofit.qll

@@ -0,0 +1,12 @@
+/**
+ * Provides classes and predicates for working with the Retrofit API client.
+ */
+
+import java
+import semmle.code.java.dataflow.ExternalFlow
+
+private class RetrofitOpenUrlSinks extends SinkModelCsv {
+  override predicate row(string row) {
+    row = "retrofit2;Retrofit$Builder;true;baseUrl;;;Argument[0];open-url"
+  }
+}

java/ql/test/library-tests/frameworks/okhttp/Test.java

@@ -0,0 +1,237 @@
+package generatedtest;
+
+import java.net.URI;
+import java.net.URL;
+import okhttp3.HttpUrl;
+import okhttp3.Request;
+
+// Test case generated by GenerateFlowTestCase.ql
+public class Test {
+
+	Object source() {
+		return null;
+	}
+
+	void sink(Object o) {}
+
+	public void testSinks() {
+		new Request((HttpUrl) source(), null, null, null, null); // $ hasValueFlow
+		new Request.Builder().url((String) source()); // $ hasValueFlow
+	}
+
+	public void test() throws Exception {
+
+		{
+			// "okhttp3;HttpUrl$Builder;false;addEncodedPathSegment;;;Argument[-1];ReturnValue;value"
+			HttpUrl.Builder out = null;
+			HttpUrl.Builder in = (HttpUrl.Builder) source();
+			out = in.addEncodedPathSegment(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "okhttp3;HttpUrl$Builder;false;addEncodedPathSegments;;;Argument[-1];ReturnValue;value"
+			HttpUrl.Builder out = null;
+			HttpUrl.Builder in = (HttpUrl.Builder) source();
+			out = in.addEncodedPathSegments(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "okhttp3;HttpUrl$Builder;false;addEncodedQueryParameter;;;Argument[-1];ReturnValue;value"
+			HttpUrl.Builder out = null;
+			HttpUrl.Builder in = (HttpUrl.Builder) source();
+			out = in.addEncodedQueryParameter(null, null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "okhttp3;HttpUrl$Builder;false;addPathSegment;;;Argument[-1];ReturnValue;value"
+			HttpUrl.Builder out = null;
+			HttpUrl.Builder in = (HttpUrl.Builder) source();
+			out = in.addPathSegment(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "okhttp3;HttpUrl$Builder;false;addPathSegments;;;Argument[-1];ReturnValue;value"
+			HttpUrl.Builder out = null;
+			HttpUrl.Builder in = (HttpUrl.Builder) source();
+			out = in.addPathSegments(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "okhttp3;HttpUrl$Builder;false;addQueryParameter;;;Argument[-1];ReturnValue;value"
+			HttpUrl.Builder out = null;
+			HttpUrl.Builder in = (HttpUrl.Builder) source();
+			out = in.addQueryParameter(null, null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "okhttp3;HttpUrl$Builder;false;build;;;Argument[-1];ReturnValue;taint"
+			HttpUrl out = null;
+			HttpUrl.Builder in = (HttpUrl.Builder) source();
+			out = in.build();
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "okhttp3;HttpUrl$Builder;false;encodedFragment;;;Argument[-1];ReturnValue;value"
+			HttpUrl.Builder out = null;
+			HttpUrl.Builder in = (HttpUrl.Builder) source();
+			out = in.encodedFragment(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "okhttp3;HttpUrl$Builder;false;encodedPassword;;;Argument[-1];ReturnValue;value"
+			HttpUrl.Builder out = null;
+			HttpUrl.Builder in = (HttpUrl.Builder) source();
+			out = in.encodedPassword(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "okhttp3;HttpUrl$Builder;false;encodedPath;;;Argument[-1];ReturnValue;value"
+			HttpUrl.Builder out = null;
+			HttpUrl.Builder in = (HttpUrl.Builder) source();
+			out = in.encodedPath(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "okhttp3;HttpUrl$Builder;false;encodedQuery;;;Argument[-1];ReturnValue;value"
+			HttpUrl.Builder out = null;
+			HttpUrl.Builder in = (HttpUrl.Builder) source();
+			out = in.encodedQuery(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "okhttp3;HttpUrl$Builder;false;encodedUsername;;;Argument[-1];ReturnValue;value"
+			HttpUrl.Builder out = null;
+			HttpUrl.Builder in = (HttpUrl.Builder) source();
+			out = in.encodedUsername(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "okhttp3;HttpUrl$Builder;false;fragment;;;Argument[-1];ReturnValue;value"
+			HttpUrl.Builder out = null;
+			HttpUrl.Builder in = (HttpUrl.Builder) source();
+			out = in.fragment(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "okhttp3;HttpUrl$Builder;false;host;;;Argument[-1];ReturnValue;value"
+			HttpUrl.Builder out = null;
+			HttpUrl.Builder in = (HttpUrl.Builder) source();
+			out = in.host(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "okhttp3;HttpUrl$Builder;false;password;;;Argument[-1];ReturnValue;value"
+			HttpUrl.Builder out = null;
+			HttpUrl.Builder in = (HttpUrl.Builder) source();
+			out = in.password(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "okhttp3;HttpUrl$Builder;false;port;;;Argument[-1];ReturnValue;value"
+			HttpUrl.Builder out = null;
+			HttpUrl.Builder in = (HttpUrl.Builder) source();
+			out = in.port(0);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "okhttp3;HttpUrl$Builder;false;query;;;Argument[-1];ReturnValue;value"
+			HttpUrl.Builder out = null;
+			HttpUrl.Builder in = (HttpUrl.Builder) source();
+			out = in.query(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "okhttp3;HttpUrl$Builder;false;removeAllEncodedQueryParameters;;;Argument[-1];ReturnValue;value"
+			HttpUrl.Builder out = null;
+			HttpUrl.Builder in = (HttpUrl.Builder) source();
+			out = in.removeAllEncodedQueryParameters(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "okhttp3;HttpUrl$Builder;false;removeAllQueryParameters;;;Argument[-1];ReturnValue;value"
+			HttpUrl.Builder out = null;
+			HttpUrl.Builder in = (HttpUrl.Builder) source();
+			out = in.removeAllQueryParameters(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "okhttp3;HttpUrl$Builder;false;removePathSegment;;;Argument[-1];ReturnValue;value"
+			HttpUrl.Builder out = null;
+			HttpUrl.Builder in = (HttpUrl.Builder) source();
+			out = in.removePathSegment(0);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "okhttp3;HttpUrl$Builder;false;scheme;;;Argument[-1];ReturnValue;value"
+			HttpUrl.Builder out = null;
+			HttpUrl.Builder in = (HttpUrl.Builder) source();
+			out = in.scheme(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "okhttp3;HttpUrl$Builder;false;scheme;;;Argument[0];Argument[-1];taint"
+			HttpUrl.Builder out = null;
+			String in = (String) source();
+			out.scheme(in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "okhttp3;HttpUrl$Builder;false;setEncodedPathSegment;;;Argument[-1];ReturnValue;value"
+			HttpUrl.Builder out = null;
+			HttpUrl.Builder in = (HttpUrl.Builder) source();
+			out = in.setEncodedPathSegment(0, null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "okhttp3;HttpUrl$Builder;false;setEncodedQueryParameter;;;Argument[-1];ReturnValue;value"
+			HttpUrl.Builder out = null;
+			HttpUrl.Builder in = (HttpUrl.Builder) source();
+			out = in.setEncodedQueryParameter(null, null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "okhttp3;HttpUrl$Builder;false;setPathSegment;;;Argument[-1];ReturnValue;value"
+			HttpUrl.Builder out = null;
+			HttpUrl.Builder in = (HttpUrl.Builder) source();
+			out = in.setPathSegment(0, null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "okhttp3;HttpUrl$Builder;false;setQueryParameter;;;Argument[-1];ReturnValue;value"
+			HttpUrl.Builder out = null;
+			HttpUrl.Builder in = (HttpUrl.Builder) source();
+			out = in.setQueryParameter(null, null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "okhttp3;HttpUrl$Builder;false;username;;;Argument[-1];ReturnValue;value"
+			HttpUrl.Builder out = null;
+			HttpUrl.Builder in = (HttpUrl.Builder) source();
+			out = in.username(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "okhttp3;HttpUrl;false;parse;;;Argument[0];ReturnValue;taint"
+			HttpUrl out = null;
+			String in = (String) source();
+			out = HttpUrl.parse(in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "okhttp3;HttpUrl;false;uri;;;Argument[-1];ReturnValue;taint"
+			URI out = null;
+			HttpUrl in = (HttpUrl) source();
+			out = in.uri();
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "okhttp3;HttpUrl;false;url;;;Argument[-1];ReturnValue;taint"
+			URL out = null;
+			HttpUrl in = (HttpUrl) source();
+			out = in.url();
+			sink(out); // $ hasTaintFlow
+		}
+
+	}
+
+}

java/ql/test/library-tests/frameworks/okhttp/options

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/okhttp-4.9.3

java/ql/test/library-tests/frameworks/okhttp/test.expected

@@ -0,0 +1,6 @@
+import java
+import TestUtilities.InlineFlowTest
+
+class FlowConf extends DefaultValueFlowConf {
+  override predicate isSink(DataFlow::Node n) { super.isSink(n) or sinkNode(n, "open-url") }
+}

java/ql/test/library-tests/frameworks/okhttp/test.ql

@@ -0,0 +1,16 @@
+import java.net.URL;
+import okhttp3.HttpUrl;
+import retrofit2.Retrofit;
+
+public class Test {
+    public Object source() {
+        return null;
+    }
+
+    public void test() {
+        Retrofit.Builder builder = new Retrofit.Builder();
+        builder.baseUrl((String) source()); // $ hasValueFlow
+        builder.baseUrl((URL) source()); // $ hasValueFlow
+        builder.baseUrl((HttpUrl) source()); // $ hasValueFlow
+    }
+}

java/ql/test/library-tests/frameworks/retrofit/Test.java

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/okhttp-4.9.3:${testdir}/../../../stubs/retrofit-2.9.0