Merge pull request #8357 from p0wn4j/jdbc-url-ssrf-sink

Java: Add JDBC connection SSRF sinks

Author: smowton

java/ql/lib/change-notes/2022-03-14-new-jdbc-ssrf-sinks.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+ * Added support for detection of SSRF via JDBC database URLs, including connections made using the standard library (`java.sql`), Hikari Connection Pool, JDBI and Spring JDBC.

java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll

@@ -131,6 +131,8 @@ private module Frameworks {
   private import semmle.code.java.security.XPath
   private import semmle.code.java.security.XsltInjection
   private import semmle.code.java.frameworks.Jdbc
+  private import semmle.code.java.frameworks.Jdbi
+  private import semmle.code.java.frameworks.HikariCP
   private import semmle.code.java.frameworks.SpringJdbc
   private import semmle.code.java.frameworks.MyBatis
   private import semmle.code.java.frameworks.Hibernate

java/ql/lib/semmle/code/java/frameworks/HikariCP.qll

@@ -0,0 +1,17 @@
+/**
+ * Definitions of sinks in the Hikari Connection Pool library.
+ */
+
+import java
+import semmle.code.java.dataflow.ExternalFlow
+
+private class SsrfSinkCsv extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        //"package;type;overrides;name;signature;ext;spec;kind"
+        "com.zaxxer.hikari;HikariConfig;false;HikariConfig;(Properties);;Argument[0];jdbc-url",
+        "com.zaxxer.hikari;HikariConfig;false;setJdbcUrl;(String);;Argument[0];jdbc-url"
+      ]
+  }
+}

java/ql/lib/semmle/code/java/frameworks/Jdbc.qll

@@ -52,3 +52,16 @@ private class SqlSinkCsv extends SinkModelCsv {
       ]
   }
 }
+
+private class SsrfSinkCsv extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        //"package;type;overrides;name;signature;ext;spec;kind"
+        "java.sql;DriverManager;false;getConnection;(String);;Argument[0];jdbc-url",
+        "java.sql;DriverManager;false;getConnection;(String,Properties);;Argument[0];jdbc-url",
+        "java.sql;DriverManager;false;getConnection;(String,String,String);;Argument[0];jdbc-url",
+        "java.sql;Driver;false;connect;(String,Properties);;Argument[0];jdbc-url"
+      ]
+  }
+}

java/ql/lib/semmle/code/java/frameworks/Jdbi.qll

@@ -0,0 +1,21 @@
+/**
+ * Definitions of sinks in the JDBI library.
+ */
+
+import java
+import semmle.code.java.dataflow.ExternalFlow
+
+private class SsrfSinkCsv extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        //"package;type;overrides;name;signature;ext;spec;kind"
+        "org.jdbi.v3.core;Jdbi;false;create;(String);;Argument[0];jdbc-url",
+        "org.jdbi.v3.core;Jdbi;false;create;(String,Properties);;Argument[0];jdbc-url",
+        "org.jdbi.v3.core;Jdbi;false;create;(String,String,String);;Argument[0];jdbc-url",
+        "org.jdbi.v3.core;Jdbi;false;open;(String);;Argument[0];jdbc-url",
+        "org.jdbi.v3.core;Jdbi;false;open;(String,Properties);;Argument[0];jdbc-url",
+        "org.jdbi.v3.core;Jdbi;false;open;(String,String,String);;Argument[0];jdbc-url"
+      ]
+  }
+}

java/ql/lib/semmle/code/java/frameworks/SpringJdbc.qll

@@ -37,3 +37,17 @@ private class SqlSinkCsv extends SinkModelCsv {
       ]
   }
 }
+
+private class SsrfSinkCsv extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        //"package;type;overrides;name;signature;ext;spec;kind"
+        "org.springframework.boot.jdbc;DataSourceBuilder;false;url;(String);;Argument[0];jdbc-url",
+        "org.springframework.jdbc.datasource;AbstractDriverBasedDataSource;false;setUrl;(String);;Argument[0];jdbc-url",
+        "org.springframework.jdbc.datasource;DriverManagerDataSource;false;DriverManagerDataSource;(String);;Argument[0];jdbc-url",
+        "org.springframework.jdbc.datasource;DriverManagerDataSource;false;DriverManagerDataSource;(String,String,String);;Argument[0];jdbc-url",
+        "org.springframework.jdbc.datasource;DriverManagerDataSource;false;DriverManagerDataSource;(String,Properties);;Argument[0];jdbc-url"
+      ]
+  }
+}

java/ql/lib/semmle/code/java/security/RequestForgery.qll

@@ -7,6 +7,7 @@ import semmle.code.java.frameworks.spring.Spring
 import semmle.code.java.frameworks.JaxWS
 import semmle.code.java.frameworks.javase.Http
 import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.frameworks.Properties
 private import semmle.code.java.dataflow.StringPrefixes
 private import semmle.code.java.dataflow.ExternalFlow
 
@@ -33,13 +34,31 @@ private class DefaultRequestForgeryAdditionalTaintStep extends RequestForgeryAdd
   }
 }
 
+private class TypePropertiesRequestForgeryAdditionalTaintStep extends RequestForgeryAdditionalTaintStep {
+  override predicate propagatesTaint(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(MethodAccess ma |
+      // Properties props = new Properties();
+      // props.setProperty("jdbcUrl", tainted);
+      // Propagate tainted value to the qualifier `props`
+      ma.getMethod() instanceof PropertiesSetPropertyMethod and
+      ma.getArgument(0).(CompileTimeConstantExpr).getStringValue() = "jdbcUrl" and
+      pred.asExpr() = ma.getArgument(1) and
+      succ.asExpr() = ma.getQualifier()
+    )
+  }
+}
+
 /** A data flow sink for server-side request forgery (SSRF) vulnerabilities. */
 abstract class RequestForgerySink extends DataFlow::Node { }
 
 private class UrlOpenSinkAsRequestForgerySink extends RequestForgerySink {
   UrlOpenSinkAsRequestForgerySink() { sinkNode(this, "open-url") }
 }
 
+private class JdbcUrlSinkAsRequestForgerySink extends RequestForgerySink {
+  JdbcUrlSinkAsRequestForgerySink() { sinkNode(this, "jdbc-url") }
+}
+
 /** A sanitizer for request forgery vulnerabilities. */
 abstract class RequestForgerySanitizer extends DataFlow::Node { }
 

java/ql/test/query-tests/security/CWE-918/JdbcUrlSSRF.java

@@ -0,0 +1,91 @@
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.sql.DriverManager;
+import java.sql.Driver;
+import java.sql.SQLException;
+import java.io.IOException;
+import com.zaxxer.hikari.HikariConfig;
+import com.zaxxer.hikari.HikariDataSource;
+import java.util.*;
+import org.springframework.jdbc.datasource.*;
+import org.jdbi.v3.core.Jdbi;
+import org.springframework.boot.jdbc.DataSourceBuilder;
+
+public class JdbcUrlSSRF extends HttpServlet {
+
+    protected void doGet(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+    
+        String jdbcUrl = request.getParameter("jdbcUrl");
+        Driver driver = new org.postgresql.Driver();
+        DataSourceBuilder dsBuilder = new DataSourceBuilder();
+        
+        try {
+            driver.connect(jdbcUrl, null); // $ SSRF
+
+            DriverManager.getConnection(jdbcUrl); // $ SSRF
+            DriverManager.getConnection(jdbcUrl, "user", "password"); // $ SSRF
+            DriverManager.getConnection(jdbcUrl, null); // $ SSRF
+
+            dsBuilder.url(jdbcUrl); // $ SSRF
+        }
+        catch(SQLException e) {}
+    }
+
+    protected void doPost(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+    
+        String jdbcUrl = request.getParameter("jdbcUrl");
+        HikariConfig config = new HikariConfig();
+
+        config.setJdbcUrl(jdbcUrl); // $ SSRF
+        config.setUsername("database_username");
+        config.setPassword("database_password");
+
+        HikariDataSource ds = new HikariDataSource();
+        ds.setJdbcUrl(jdbcUrl); // $ SSRF
+
+        Properties props = new Properties();
+        props.setProperty("driverClassName", "org.postgresql.Driver");
+        props.setProperty("jdbcUrl", jdbcUrl);
+
+        HikariConfig config2 = new HikariConfig(props); // $ SSRF
+    }
+
+    protected void doPut(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+
+        String jdbcUrl = request.getParameter("jdbcUrl");
+    
+        DriverManagerDataSource dataSource = new DriverManagerDataSource();
+    
+        dataSource.setDriverClassName("org.postgresql.Driver");
+        dataSource.setUrl(jdbcUrl); // $ SSRF
+
+        DriverManagerDataSource dataSource2 = new DriverManagerDataSource(jdbcUrl); // $ SSRF
+        dataSource2.setDriverClassName("org.postgresql.Driver");
+
+        DriverManagerDataSource dataSource3 = new DriverManagerDataSource(jdbcUrl, "user", "pass"); // $ SSRF
+        dataSource3.setDriverClassName("org.postgresql.Driver");
+
+        DriverManagerDataSource dataSource4 = new DriverManagerDataSource(jdbcUrl, null); // $ SSRF
+        dataSource4.setDriverClassName("org.postgresql.Driver");
+    }
+
+    protected void doDelete(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+
+        String jdbcUrl = request.getParameter("jdbcUrl");
+
+        Jdbi.create(jdbcUrl); // $ SSRF
+        Jdbi.create(jdbcUrl, null); // $ SSRF
+        Jdbi.create(jdbcUrl, "user", "pass"); // $ SSRF
+
+        Jdbi.open(jdbcUrl); // $ SSRF
+        Jdbi.open(jdbcUrl, null); // $ SSRF
+        Jdbi.open(jdbcUrl, "user", "pass"); // $ SSRF
+    }
+    
+}

java/ql/test/query-tests/security/CWE-918/options

@@ -1,2 +1,2 @@
-//semmle-extractor-options: --javac-args -source 11 -target 11 -cp ${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/javax-ws-rs-api-2.1.1:${testdir}/../../../stubs/javax-ws-rs-api-3.0.0:${testdir}/../../../stubs/apache-http-4.4.13/:${testdir}/../../../stubs/servlet-api-2.4/:${testdir}/../../../stubs/projectreactor-3.4.3/
+//semmle-extractor-options: --javac-args -source 11 -target 11 -cp ${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/javax-ws-rs-api-2.1.1:${testdir}/../../../stubs/javax-ws-rs-api-3.0.0:${testdir}/../../../stubs/apache-http-4.4.13/:${testdir}/../../../stubs/servlet-api-2.4/:${testdir}/../../../stubs/projectreactor-3.4.3/:${testdir}/../../../stubs/postgresql-42.3.3/:${testdir}/../../../stubs/HikariCP-3.4.5/:${testdir}/../../../stubs/spring-jdbc-5.3.8/:${testdir}/../../../stubs/jdbi3-core-3.27.2/