Java : add request forgery query

[ghost]

This query adds support for detecting SSRF in Java.

[ghost]

I just noticed #3452 tackles a similar issue. I will give a brief of how my PR differs from the latter.

• That one adds support for only openConnection calls. I add support for multiple other calls from the java.net.http and apache http client libraries.

• I have also included library as well as query tests for the same.

• I haven't included any barriers for the flow while Java: CWE-918: Server side request forgery #3452 considers addition with lhs as :// as a blocking step.

• Java: CWE-918: Server side request forgery #3452 is asking to be merged as an experimental one while I would like this to be included as stable.

[pwntester]

Can you please open a corresponding securitylab issue for tracking?

[ghost]

I have added a few stubs which I had missed earlier and rebased this to the latest master. This is now ready to be reviewed and merged.

[felicitymay]

I should have mentioned earlier, I was added as a reviewer automatically by the CODEOWNERS file. However this PR doesn't need a review from the docs team because most of the changes are to the experimental directory. We've since updated the CODEOWNERS file to reflect this.

[ghost]

@aschackmull I have rebased to the latest main. This is now ready for review.

[smowton]

Hello! Apologies for slowness on our part; I'm taking over reviewing and hope the process will be much quicker from here. Quite a few comments but nothing too time-consuming I hope.

[ghost]

@smowton Sorry for the delay in addressing the review. I was on a long vacation. I have made the changes and merged the latest master into the branch.

[smowton]

Just some minor comments, checking the evaluation status for this one

[smowton]

Once your subsidiary PR is merged please rebase onto main (rather than merge it in)

[smowton]

Looks like eval was done long ago, will flag this to codeql-java owners for review

[aschackmull]

Could we get this rebased on main? The changes from #4600 still show up here.

[smowton]

Just noticed some public defns with missing doc comments

[smowton]

Missing doc comment

[smowton]

Missing doc comment

[aschackmull]

I have more comments, but let's start with this.

[aschackmull]

The qldoc generally needs a lot of updates to bring it in line with https://github.com/github/codeql/blob/main/docs/qldoc-style-guide.md. Note in particular:

• Classes are documented with a noun-phrase, such as A <thing> that <has properties>. or The <some unique thing>.
• Predicates with results use a third-person verb phrase of the form Gets (a|the) <thing>.

[ghost]

@aschackmull I have pushed a few changes. Do I fix them now?

[aschackmull]

I've written a bunch of additional suggested changes in a PR against this PR. Please merge https://github.com/porcupineyhairs/ql/pull/2 into this PR.

[ghost]

@aschackmull Merged!

[Marcono1234]

Is it intended that the files of this query are directly in the src/experimental directory instead of src/experimental/Security/CWE?

(Sorry if this has been mentioned in one of the review comments; I only went over the pull request comments, but did not find anything regarding this)

[smowton]

They don't appear to be? What file are you referring to?

[Marcono1234]

These:

See https://github.com/github/codeql/tree/main/java/ql/src/experimental

[smowton]

Doh right, I thought you meant files directly within the experimental directory

[smowton]

#5153