Skip to content

Update CWE-918 model coverage for Apache HttpClient execute sinks#21804

Open
Copilot wants to merge 5 commits intomainfrom
copilot/add-tests-for-models
Open

Update CWE-918 model coverage for Apache HttpClient execute sinks#21804
Copilot wants to merge 5 commits intomainfrom
copilot/add-tests-for-models

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented May 6, 2026
edited
Loading

Replaces the earlier fluent-Request focused changes with targeted SSRF model updates and regression tests for org.apache.http.client.HttpClient#execute sinks.

  • What this addresses

    • Updates java/ql/lib/ext/org.apache.http.client.model.yml to cover all requested request-forgery sink overloads for HttpClient.execute(...).
    • Follows the existing SSRF test style in this suite (inline // $ Source and // $ Alert expectations).

  • Model updates

    • HttpClient.execute(HttpHost, HttpRequest)
    • HttpClient.execute(HttpHost, HttpRequest, HttpContext)
    • HttpClient.execute(HttpHost, HttpRequest, ResponseHandler)
    • HttpClient.execute(HttpHost, HttpRequest, ResponseHandler, HttpContext)
    • HttpClient.execute(HttpUriRequest)
    • HttpClient.execute(HttpUriRequest, HttpContext)
    • HttpClient.execute(HttpUriRequest, ResponseHandler)
    • HttpClient.execute(HttpUriRequest, ResponseHandler, HttpContext)

  • Test coverage added

    • New test file: java/ql/test/query-tests/security/CWE-918/ApacheHttpClientExecuteSSRF.java
    • Covers all modeled HttpClient.execute overloads listed above.

  • Stub + test configuration updates

    • Added stubs:
      • java/ql/test/stubs/apache-http-client-4.4.13/org/apache/http/client/HttpClient.java
      • java/ql/test/stubs/apache-http-client-4.4.13/org/apache/http/client/ResponseHandler.java
    • Updated java/ql/test/query-tests/security/CWE-918/options to include ${testdir}/../../../stubs/apache-http-client-4.4.13.

  • Replaced previous branch content

    • Removed prior fluent test/stub changes:
      • java/ql/test/query-tests/security/CWE-918/ApacheHttpFluentSSRF.java
      • java/ql/test/stubs/apache-http-fluent-4.5.14/org/apache/http/client/fluent/Request.java

  • Example from new test

    String sink = request.getParameter("host"); // $ Source
HttpHost host = new HttpHost(sink);

client.execute(host, req); // $ Alert
client.execute(host, req, context); // $ Alert
client.execute(host, req, handler); // $ Alert
client.execute(host, req, handler, context); // $ Alert
Original prompt

Please add tests for the models for this class. Look at the other SSRF tests in java/ql/test/query-tests/security/CWE-918/CWE-918.testproj/src/Users/owen-mc/workspace/code/ql/java/ql/test/query-tests/security/CWE-918/ApacheHttpSSRF.java to an example to follow. You will have to add stubs and add the path to them in the file java/ql/test/query-tests/security/CWE-918/options . Look at that file to see where the stubs should be located. You can look at existing stubs to see what they should be like.

Created from VS Code.

Copilot AI changed the title [WIP] Add tests for the models following SSRF examples Add CWE-918 model regression coverage for Apache Http Fluent Request sinks May 6, 2026
Copilot AI requested a review from owen-mc May 6, 2026 16:09
Copilot finished work on behalf of owen-mc May 6, 2026 16:09
@owen-mc owen-mc closed this May 6, 2026
@owen-mc owen-mc reopened this May 6, 2026
@github-actions github-actions Bot added the Java label May 6, 2026
@owen-mc
Copy link
Copy Markdown
Contributor

owen-mc commented May 6, 2026

@copilot

(1) Please delete your current changes on this branch.

(2) Please update java/ql/lib/ext/org.apache.http.client.model.yml to:

extensions:
  - addsTo:
      pack: codeql/java-all
      extensible: sinkModel
    data:
      - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpHost,HttpRequest)", "", "Argument[0]", "request-forgery", "ai-manual"]
      - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpHost,HttpRequest,HttpContext)", "", "Argument[0]", "request-forgery", "ai-manual"]
      - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpHost,HttpRequest,ResponseHandler)", "", "Argument[0]", "request-forgery", "ai-manual"]
      - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpHost,HttpRequest,ResponseHandler,HttpContext)", "", "Argument[0]", "request-forgery", "ai-manual"]
      - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpUriRequest)", "", "Argument[0]", "request-forgery", "ai-manual"]
      - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpUriRequest,HttpContext)", "", "Argument[0]", "request-forgery", "ai-manual"]
      - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpUriRequest,ResponseHandler)", "", "Argument[0]", "request-forgery", "ai-manual"]
      - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpUriRequest,ResponseHandler,HttpContext)", "", "Argument[0]", "request-forgery", "ai-manual"]

(3) Please add tests for the models in that file. Look at the other SSRF tests in java/ql/test/query-tests/security/CWE-918/ApacheHttpSSRF.java for an example to follow. You will have to add stubs and add the path to them in the file java/ql/test/query-tests/security/CWE-918/options . Look at that file to see where the stubs should be located. You can look at existing stubs to see what they should be like.

Copy link
Copy Markdown
Contributor Author

Copilot AI commented May 6, 2026
edited
Loading

@copilot

(1) Please delete your current changes on this branch.
...

Done in 043ec85. I removed the previous fluent-only test/stub changes, updated java/ql/lib/ext/org.apache.http.client.model.yml with the exact 8 HttpClient.execute sink rows you requested, added CWE-918 tests in ApacheHttpClientExecuteSSRF.java, added stubs for HttpClient and ResponseHandler, and updated CWE-918/options to include the new stub path.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • releases.bazel.build
    • Triggering command: /usr/local/lib/node_modules/@bazel/bazelisk/bazelisk-linux_amd64 /usr/local/lib/node_modules/@bazel/bazelisk/bazelisk-linux_amd64 query kind('.*test', //java/ql/test/query-tests/security/CWE-918/...) (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI changed the title Add CWE-918 model regression coverage for Apache Http Fluent Request sinks Update CWE-918 model coverage for Apache HttpClient execute sinks May 6, 2026
Copilot finished work on behalf of owen-mc May 6, 2026 20:33
@owen-mc owen-mc marked this pull request as ready for review May 7, 2026 09:24
@owen-mc owen-mc requested a review from a team as a code owner May 7, 2026 09:24
Copilot AI review requested due to automatic review settings May 7, 2026 09:24
owen-mc
owen-mc approved these changes May 7, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@owen-mc owen-mc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Adds some missing sinks.

Copilot AI reviewed May 7, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR expands CodeQL’s Java SSRF (CWE-918) coverage by modeling additional Apache HttpClient 4.x HttpClient#execute(...) overloads as request-forgery sinks, and adds a dedicated regression test plus stubs to exercise those overloads.

Changes:

  • Added sink models for the full set of org.apache.http.client.HttpClient#execute(...) overloads taking HttpHost / HttpUriRequest.
  • Added a new CWE-918 regression test and minimal stubs for HttpClient and ResponseHandler, wiring the stub directory into the test classpath.
  • Updated the RequestForgery.expected baseline and added a Java pack change note describing the analysis impact.
Show a summary per file
File Description
java/ql/lib/ext/org.apache.http.client.model.yml Adds request-forgery sink models for HttpClient.execute(...) overloads.
java/ql/test/query-tests/security/CWE-918/ApacheHttpClientExecuteSSRF.java New regression test covering each newly modeled overload.
java/ql/test/stubs/apache-http-client-4.4.13/org/apache/http/client/HttpClient.java Adds an HttpClient stub exposing the modeled execute(...) overloads.
java/ql/test/stubs/apache-http-client-4.4.13/org/apache/http/client/ResponseHandler.java Adds a ResponseHandler stub required by HttpClient.execute(...) overloads.
java/ql/test/query-tests/security/CWE-918/options Extends the test classpath to include the new Apache HttpClient stub directory.
java/ql/test/query-tests/security/CWE-918/RequestForgery.expected Updates expected results/baseline to include new alerts and model listing changes.
java/ql/lib/change-notes/2026-05-07-apache-httpclient-ssrf-sinks.md Documents the user-visible analysis improvement for Java SSRF queries.

Copilot's findings

  • Files reviewed: 6/7 changed files
  • Comments generated: 1

Comment thread java/ql/test/query-tests/security/CWE-918/ApacheHttpClientExecuteSSRF.java
Comment on lines +23 to +28
HttpHost host = new HttpHost(sink);
HttpRequest req = new BasicHttpRequest("GET", "/");
HttpUriRequest uriReq = (HttpUriRequest) (Object) sink;
HttpContext context = null;
HttpClient client = null;
ResponseHandler<Object> handler = null;
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

+1 more reviewer

@owen-mc owen-mc owen-mc approved these changes

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

@owen-mc owen-mc

Copilot code review Copilot

Labels

documentation Java

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@owen-mc