Java: queries about user-controlled URLs should be sanitized by enforcing a prefix

[pwntester]

This comes from a discussion with @smowton over here.

Certain categories such as Open Redirect, SSRF and Android WebView URL injection will benefit from a sanitizer which would clean the taint in case the dataflow goes through a string prefix operation (concatenation, format strings, string buffers, string writer ...). Since not controlling the begging of the URL will severely decrease the exploitability of these issues.

[smowton]

Added a descriptive title

[smowton]

Looks like as well as the XSS query's clause relating to user-controlled fetches, this should also apply to other URL-based queries like java/unvalidated-url-redirection. Go's version of the same query already filters in this way here: https://github.com/github/codeql-go/blob/main/ql/src/semmle/go/security/UrlConcatenation.qll#L94

[github-actions]

This issue is stale because it has been open 14 days with no activity. Comment or remove the stale label in order to avoid having this issue closed in 7 days.

[neverlovelynn]

I encountered the same problem when using codeql. Is this problem solved now?

[smowton]

Hah, I'd forgotten about this. I ported this from Go when promoting the Java SSRF query from experimental (#5587). That should be generalised to other queries concerned with a user-controlled URL.

[ZH3FENG]

Same as javascript, so many false-positive reports, particularly SSRF.
Is there any filter in js?

[pwntester]

Another category that would benefit from this is JNDI injections where attackers need to control the beginning of the url /cc @atorralba