github
diff --git a/‎java/ql/test/query-tests/security/CWE-918/RequestForgery.expected‎
Lines changed: 30 additions & 0 deletions b/‎java/ql/test/query-tests/security/CWE-918/RequestForgery.expected‎
Lines changed: 30 additions & 0 deletions
diff --git a/‎java/ql/test/query-tests/security/CWE-918/SanitizationTests.java‎
Lines changed: 14 additions & 0 deletions b/‎java/ql/test/query-tests/security/CWE-918/SanitizationTests.java‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎java/ql/test/query-tests/security/CWE-918/options‎
Lines changed: 1 addition & 1 deletion b/‎java/ql/test/query-tests/security/CWE-918/options‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎java/ql/test/query-tests/security/CWE-918/pom.xml‎
Lines changed: 13 additions & 0 deletions b/‎java/ql/test/query-tests/security/CWE-918/pom.xml‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎java/ql/test/stubs/javax-validation-constraints/javax/validation/Constraint.java‎
Lines changed: 88 additions & 0 deletions b/‎java/ql/test/stubs/javax-validation-constraints/javax/validation/Constraint.java‎
Lines changed: 88 additions & 0 deletions
diff --git a/‎java/ql/test/stubs/javax-validation-constraints/javax/validation/Payload.java‎
Lines changed: 23 additions & 0 deletions b/‎java/ql/test/stubs/javax-validation-constraints/javax/validation/Payload.java‎
Lines changed: 23 additions & 0 deletions
@@ -252,6 +252,8 @@
 | SanitizationTests.java:119:25:119:32 | unsafer9 | SanitizationTests.java:117:33:117:63 | getParameter(...) : String | SanitizationTests.java:119:25:119:32 | unsafer9 | Potential server-side request forgery due to a $@. | SanitizationTests.java:117:33:117:63 | getParameter(...) | user-provided value |
 | SanitizationTests.java:122:60:122:79 | new URI(...) | SanitizationTests.java:121:94:121:125 | getParameter(...) : String | SanitizationTests.java:122:60:122:79 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:121:94:121:125 | getParameter(...) | user-provided value |
 | SanitizationTests.java:123:25:123:33 | unsafer10 | SanitizationTests.java:121:94:121:125 | getParameter(...) : String | SanitizationTests.java:123:25:123:33 | unsafer10 | Potential server-side request forgery due to a $@. | SanitizationTests.java:121:94:121:125 | getParameter(...) | user-provided value |
+| SanitizationTests.java:153:54:153:69 | new URI(...) | SanitizationTests.java:152:55:152:83 | getParameter(...) : String | SanitizationTests.java:153:54:153:69 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:152:55:152:83 | getParameter(...) | user-provided value |
+| SanitizationTests.java:154:25:154:27 | r14 | SanitizationTests.java:152:55:152:83 | getParameter(...) : String | SanitizationTests.java:154:25:154:27 | r14 | Potential server-side request forgery due to a $@. | SanitizationTests.java:152:55:152:83 | getParameter(...) | user-provided value |
 | SpringSSRF.java:32:39:32:59 | ... + ... | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:32:39:32:59 | ... + ... | Potential server-side request forgery due to a $@. | SpringSSRF.java:28:33:28:60 | getParameter(...) | user-provided value |
 | SpringSSRF.java:33:69:33:82 | fooResourceUrl | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:33:69:33:82 | fooResourceUrl | Potential server-side request forgery due to a $@. | SpringSSRF.java:28:33:28:60 | getParameter(...) | user-provided value |
 | SpringSSRF.java:34:73:34:86 | fooResourceUrl | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:34:73:34:86 | fooResourceUrl | Potential server-side request forgery due to a $@. | SpringSSRF.java:28:33:28:60 | getParameter(...) | user-provided value |
@@ -833,6 +835,20 @@ edges
 | SanitizationTests.java:122:68:122:78 | unsafeUri10 : String | SanitizationTests.java:122:60:122:79 | new URI(...) | provenance | MaD:285 Sink:MaD:6 |
 | SanitizationTests.java:122:68:122:78 | unsafeUri10 : String | SanitizationTests.java:122:60:122:79 | new URI(...) : URI | provenance | Config |
 | SanitizationTests.java:122:68:122:78 | unsafeUri10 : String | SanitizationTests.java:122:60:122:79 | new URI(...) : URI | provenance | MaD:285 |
+| SanitizationTests.java:152:35:152:84 | new AnnotatedObject(...) : AnnotatedObject [uri] : String | SanitizationTests.java:153:62:153:64 | obj : AnnotatedObject [uri] : String | provenance |  |
+| SanitizationTests.java:152:55:152:83 | getParameter(...) : String | SanitizationTests.java:152:35:152:84 | new AnnotatedObject(...) : AnnotatedObject [uri] : String | provenance | Src:MaD:277  |
+| SanitizationTests.java:152:55:152:83 | getParameter(...) : String | SanitizationTests.java:170:32:170:41 | uri : String | provenance | Src:MaD:277  |
+| SanitizationTests.java:153:31:153:70 | newBuilder(...) : Builder | SanitizationTests.java:153:31:153:78 | build(...) : HttpRequest | provenance | MaD:283 |
+| SanitizationTests.java:153:31:153:78 | build(...) : HttpRequest | SanitizationTests.java:154:25:154:27 | r14 | provenance | Sink:MaD:4 |
+| SanitizationTests.java:153:54:153:69 | new URI(...) : URI | SanitizationTests.java:153:31:153:70 | newBuilder(...) : Builder | provenance | MaD:284 |
+| SanitizationTests.java:153:62:153:64 | obj : AnnotatedObject [uri] : String | SanitizationTests.java:153:62:153:68 | obj.uri : String | provenance |  |
+| SanitizationTests.java:153:62:153:68 | obj.uri : String | SanitizationTests.java:153:54:153:69 | new URI(...) | provenance | Config Sink:MaD:6 |
+| SanitizationTests.java:153:62:153:68 | obj.uri : String | SanitizationTests.java:153:54:153:69 | new URI(...) | provenance | MaD:285 Sink:MaD:6 |
+| SanitizationTests.java:153:62:153:68 | obj.uri : String | SanitizationTests.java:153:54:153:69 | new URI(...) : URI | provenance | Config |
+| SanitizationTests.java:153:62:153:68 | obj.uri : String | SanitizationTests.java:153:54:153:69 | new URI(...) : URI | provenance | MaD:285 |
+| SanitizationTests.java:170:32:170:41 | uri : String | SanitizationTests.java:171:24:171:26 | uri : String | provenance |  |
+| SanitizationTests.java:171:13:171:16 | this [post update] : AnnotatedObject [uri] : String | SanitizationTests.java:170:16:170:30 | parameter this [Return] : AnnotatedObject [uri] : String | provenance |  |
+| SanitizationTests.java:171:24:171:26 | uri : String | SanitizationTests.java:171:13:171:16 | this [post update] : AnnotatedObject [uri] : String | provenance |  |
 | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:32:39:32:59 | ... + ... | provenance | Src:MaD:277 Sink:MaD:264 |
 | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:33:69:33:82 | fooResourceUrl | provenance | Src:MaD:277  |
 | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:34:73:34:86 | fooResourceUrl | provenance | Src:MaD:277  |
@@ -1815,6 +1831,19 @@ nodes
 | SanitizationTests.java:122:60:122:79 | new URI(...) : URI | semmle.label | new URI(...) : URI |
 | SanitizationTests.java:122:68:122:78 | unsafeUri10 : String | semmle.label | unsafeUri10 : String |
 | SanitizationTests.java:123:25:123:33 | unsafer10 | semmle.label | unsafer10 |
+| SanitizationTests.java:152:35:152:84 | new AnnotatedObject(...) : AnnotatedObject [uri] : String | semmle.label | new AnnotatedObject(...) : AnnotatedObject [uri] : String |
+| SanitizationTests.java:152:55:152:83 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| SanitizationTests.java:153:31:153:70 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder |
+| SanitizationTests.java:153:31:153:78 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest |
+| SanitizationTests.java:153:54:153:69 | new URI(...) | semmle.label | new URI(...) |
+| SanitizationTests.java:153:54:153:69 | new URI(...) : URI | semmle.label | new URI(...) : URI |
+| SanitizationTests.java:153:62:153:64 | obj : AnnotatedObject [uri] : String | semmle.label | obj : AnnotatedObject [uri] : String |
+| SanitizationTests.java:153:62:153:68 | obj.uri : String | semmle.label | obj.uri : String |
+| SanitizationTests.java:154:25:154:27 | r14 | semmle.label | r14 |
+| SanitizationTests.java:170:16:170:30 | parameter this [Return] : AnnotatedObject [uri] : String | semmle.label | parameter this [Return] : AnnotatedObject [uri] : String |
+| SanitizationTests.java:170:32:170:41 | uri : String | semmle.label | uri : String |
+| SanitizationTests.java:171:13:171:16 | this [post update] : AnnotatedObject [uri] : String | semmle.label | this [post update] : AnnotatedObject [uri] : String |
+| SanitizationTests.java:171:24:171:26 | uri : String | semmle.label | uri : String |
 | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | SpringSSRF.java:32:39:32:59 | ... + ... | semmle.label | ... + ... |
 | SpringSSRF.java:33:69:33:82 | fooResourceUrl | semmle.label | fooResourceUrl |
@@ -2035,3 +2064,4 @@ nodes
 | mad/Test.java:112:15:112:31 | (...)... | semmle.label | (...)... |
 | mad/Test.java:112:24:112:31 | source(...) : String | semmle.label | source(...) : String |
 subpaths
+| SanitizationTests.java:152:55:152:83 | getParameter(...) : String | SanitizationTests.java:170:32:170:41 | uri : String | SanitizationTests.java:170:16:170:30 | parameter this [Return] : AnnotatedObject [uri] : String | SanitizationTests.java:152:35:152:84 | new AnnotatedObject(...) : AnnotatedObject [uri] : String |
@@ -147,6 +147,11 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response)
                 HttpRequest r13 = HttpRequest.newBuilder(new URI(param13)).build();
                 client.send(r13, null);
             }
+
+            // GOOD: sanitisation by @Pattern annotation
+            AnnotatedObject obj = new AnnotatedObject(request.getParameter("uri14")); // $ SPURIOUS: Source
+            HttpRequest r14 = HttpRequest.newBuilder(new URI(obj.uri)).build(); // $ SPURIOUS: Alert
+            client.send(r14, null); // $ SPURIOUS: Alert
         } catch (Exception e) {
             // TODO: handle exception
         }
@@ -157,4 +162,13 @@ private void validate(String s) {
             throw new IllegalArgumentException("Invalid ID");
         }
     }
+
+    private static class AnnotatedObject {
+        @javax.validation.constraints.Pattern(regexp = "[a-zA-Z0-9_-]+")
+        String uri;
+
+        public AnnotatedObject(String uri) {
+            this.uri = uri;
+        }
+    }
 }
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -source 11 -target 11 -cp ${testdir}/../../../stubs/springframework-5.8.x:${testdir}/../../../stubs/javax-ws-rs-api-2.1.1:${testdir}/../../../stubs/javax-ws-rs-api-3.0.0:${testdir}/../../../stubs/apache-http-4.4.13/:${testdir}/../../../stubs/projectreactor-3.4.3/:${testdir}/../../../stubs/postgresql-42.3.3/:${testdir}/../../../stubs/HikariCP-3.4.5/:${testdir}/../../../stubs/spring-jdbc-5.3.8/:${testdir}/../../../stubs/jdbi3-core-3.27.2/:${testdir}/../../../stubs/cargo:${testdir}/../../../stubs/javafx-web:${testdir}/../../../stubs/apache-commons-jelly-1.0.1:${testdir}/../../../stubs/dom4j-2.1.1:${testdir}/../../../stubs/jaxen-1.2.0:${testdir}/../../../stubs/stapler-1.263:${testdir}/../../../stubs/javax-servlet-2.5:${testdir}/../../../stubs/apache-commons-fileupload-1.4:${testdir}/../../../stubs/saxon-xqj-9.x:${testdir}/../../../stubs/apache-commons-beanutils:${testdir}/../../../stubs/apache-commons-lang:${testdir}/../../../stubs/apache-http-5:${testdir}/../../../stubs/playframework-2.6.x:${testdir}/../../../stubs/jaxws-api-2.0:${testdir}/../../../stubs/apache-cxf
+//semmle-extractor-options: --javac-args -source 11 -target 11 -cp ${testdir}/../../../stubs/javax-validation-constraints:/Users/owen-mc/workspace/code/ql/java/ql/test/stubs/springframework-5.8.x:/Users/owen-mc/workspace/code/ql/java/ql/test/stubs/javax-ws-rs-api-2.1.1:/Users/owen-mc/workspace/code/ql/java/ql/test/stubs/javax-ws-rs-api-3.0.0:/Users/owen-mc/workspace/code/ql/java/ql/test/stubs/apache-http-4.4.13/:/Users/owen-mc/workspace/code/ql/java/ql/test/stubs/projectreactor-3.4.3/:/Users/owen-mc/workspace/code/ql/java/ql/test/stubs/postgresql-42.3.3/:/Users/owen-mc/workspace/code/ql/java/ql/test/stubs/HikariCP-3.4.5/:/Users/owen-mc/workspace/code/ql/java/ql/test/stubs/spring-jdbc-5.3.8/:/Users/owen-mc/workspace/code/ql/java/ql/test/stubs/jdbi3-core-3.27.2/:/Users/owen-mc/workspace/code/ql/java/ql/test/stubs/cargo:/Users/owen-mc/workspace/code/ql/java/ql/test/stubs/javafx-web:/Users/owen-mc/workspace/code/ql/java/ql/test/stubs/apache-commons-jelly-1.0.1:/Users/owen-mc/workspace/code/ql/java/ql/test/stubs/dom4j-2.1.1:/Users/owen-mc/workspace/code/ql/java/ql/test/stubs/jaxen-1.2.0:/Users/owen-mc/workspace/code/ql/java/ql/test/stubs/stapler-1.263:/Users/owen-mc/workspace/code/ql/java/ql/test/stubs/javax-servlet-2.5:/Users/owen-mc/workspace/code/ql/java/ql/test/stubs/apache-commons-fileupload-1.4:/Users/owen-mc/workspace/code/ql/java/ql/test/stubs/saxon-xqj-9.x:/Users/owen-mc/workspace/code/ql/java/ql/test/stubs/apache-commons-beanutils:/Users/owen-mc/workspace/code/ql/java/ql/test/stubs/apache-commons-lang:/Users/owen-mc/workspace/code/ql/java/ql/test/stubs/apache-http-5:/Users/owen-mc/workspace/code/ql/java/ql/test/stubs/playframework-2.6.x:/Users/owen-mc/workspace/code/ql/java/ql/test/stubs/jaxws-api-2.0:/Users/owen-mc/workspace/code/ql/java/ql/test/stubs/apache-cxf
@@ -0,0 +1,13 @@
+<project>
+  <modelVersion>4.0.0</modelVersion>
+  <groupId>com.example</groupId>
+  <artifactId>stub-generation</artifactId>
+  <version>1.0-SNAPSHOT</version>
+  <dependencies>
+    <dependency>
+      <groupId>javax.validation</groupId>
+      <artifactId>validation-api</artifactId>
+      <version>2.0.1.Final</version>
+    </dependency>
+  </dependencies>
+</project>
Original file line number	Diff line number	Diff line change
`@@ -147,6 +147,11 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response)`
`147`	`147`	`HttpRequest r13 = HttpRequest.newBuilder(new URI(param13)).build();`
`148`	`148`	`client.send(r13, null);`
`149`	`149`	`}`
	`150`	`+`
	`151`	`+ // GOOD: sanitisation by @Pattern annotation`
	`152`	`+ AnnotatedObject obj = new AnnotatedObject(request.getParameter("uri14")); // $ SPURIOUS: Source`
	`153`	`+ HttpRequest r14 = HttpRequest.newBuilder(new URI(obj.uri)).build(); // $ SPURIOUS: Alert`
	`154`	`+ client.send(r14, null); // $ SPURIOUS: Alert`
`150`	`155`	`} catch (Exception e) {`
`151`	`156`	`// TODO: handle exception`
`152`	`157`	`}`
`@@ -157,4 +162,13 @@ private void validate(String s) {`
`157`	`162`	`throw new IllegalArgumentException("Invalid ID");`
`158`	`163`	`}`
`159`	`164`	`}`
	`165`	`+`
	`166`	`+ private static class AnnotatedObject {`
	`167`	`+ @javax.validation.constraints.Pattern(regexp = "[a-zA-Z0-9_-]+")`
	`168`	`+ String uri;`
	`169`	`+`
	`170`	`+ public AnnotatedObject(String uri) {`
	`171`	`+ this.uri = uri;`
	`172`	`+ }`
	`173`	`+ }`
`160`	`174`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		-//semmle-extractor-options: --javac-args -source 11 -target 11 -cp ${testdir}/../../../stubs/springframework-5.8.x:${testdir}/../../../stubs/javax-ws-rs-api-2.1.1:${testdir}/../../../stubs/javax-ws-rs-api-3.0.0:${testdir}/../../../stubs/apache-http-4.4.13/:${testdir}/../../../stubs/projectreactor-3.4.3/:${testdir}/../../../stubs/postgresql-42.3.3/:${testdir}/../../../stubs/HikariCP-3.4.5/:${testdir}/../../../stubs/spring-jdbc-5.3.8/:${testdir}/../../../stubs/jdbi3-core-3.27.2/:${testdir}/../../../stubs/cargo:${testdir}/../../../stubs/javafx-web:${testdir}/../../../stubs/apache-commons-jelly-1.0.1:${testdir}/../../../stubs/dom4j-2.1.1:${testdir}/../../../stubs/jaxen-1.2.0:${testdir}/../../../stubs/stapler-1.263:${testdir}/../../../stubs/javax-servlet-2.5:${testdir}/../../../stubs/apache-commons-fileupload-1.4:${testdir}/../../../stubs/saxon-xqj-9.x:${testdir}/../../../stubs/apache-commons-beanutils:${testdir}/../../../stubs/apache-commons-lang:${testdir}/../../../stubs/apache-http-5:${testdir}/../../../stubs/playframework-2.6.x:${testdir}/../../../stubs/jaxws-api-2.0:${testdir}/../../../stubs/apache-cxf
	`1`	+//semmle-extractor-options: --javac-args -source 11 -target 11 -cp ${testdir}/../../../stubs/javax-validation-constraints:/Users/owen-mc/workspace/code/ql/java/ql/test/stubs/springframework-5.8.x:/Users/owen-mc/workspace/code/ql/java/ql/test/stubs/javax-ws-rs-api-2.1.1:/Users/owen-mc/workspace/code/ql/java/ql/test/stubs/javax-ws-rs-api-3.0.0:/Users/owen-mc/workspace/code/ql/java/ql/test/stubs/apache-http-4.4.13/:/Users/owen-mc/workspace/code/ql/java/ql/test/stubs/projectreactor-3.4.3/:/Users/owen-mc/workspace/code/ql/java/ql/test/stubs/postgresql-42.3.3/:/Users/owen-mc/workspace/code/ql/java/ql/test/stubs/HikariCP-3.4.5/:/Users/owen-mc/workspace/code/ql/java/ql/test/stubs/spring-jdbc-5.3.8/:/Users/owen-mc/workspace/code/ql/java/ql/test/stubs/jdbi3-core-3.27.2/:/Users/owen-mc/workspace/code/ql/java/ql/test/stubs/cargo:/Users/owen-mc/workspace/code/ql/java/ql/test/stubs/javafx-web:/Users/owen-mc/workspace/code/ql/java/ql/test/stubs/apache-commons-jelly-1.0.1:/Users/owen-mc/workspace/code/ql/java/ql/test/stubs/dom4j-2.1.1:/Users/owen-mc/workspace/code/ql/java/ql/test/stubs/jaxen-1.2.0:/Users/owen-mc/workspace/code/ql/java/ql/test/stubs/stapler-1.263:/Users/owen-mc/workspace/code/ql/java/ql/test/stubs/javax-servlet-2.5:/Users/owen-mc/workspace/code/ql/java/ql/test/stubs/apache-commons-fileupload-1.4:/Users/owen-mc/workspace/code/ql/java/ql/test/stubs/saxon-xqj-9.x:/Users/owen-mc/workspace/code/ql/java/ql/test/stubs/apache-commons-beanutils:/Users/owen-mc/workspace/code/ql/java/ql/test/stubs/apache-commons-lang:/Users/owen-mc/workspace/code/ql/java/ql/test/stubs/apache-http-5:/Users/owen-mc/workspace/code/ql/java/ql/test/stubs/playframework-2.6.x:/Users/owen-mc/workspace/code/ql/java/ql/test/stubs/jaxws-api-2.0:/Users/owen-mc/workspace/code/ql/java/ql/test/stubs/apache-cxf