Update CWE-918 model coverage for Apache HttpClient execute sinks#21804

Draft
Copilot wants to merge 3 commits into main from copilot/add-tests-for-models

Conversation

Contributor

Copilot AI commented May 6, 2026

Replaces the earlier fluent-Request focused changes with targeted SSRF model updates and regression tests for org.apache.http.client.HttpClient#execute sinks.

  • What this addresses

    • Updates java/ql/lib/ext/org.apache.http.client.model.yml to cover all requested request-forgery sink overloads for HttpClient.execute(...).
    • Follows the existing SSRF test style in this suite (inline // $ Source and // $ Alert expectations).
  • Model updates

    • HttpClient.execute(HttpHost, HttpRequest)
    • HttpClient.execute(HttpHost, HttpRequest, HttpContext)
    • HttpClient.execute(HttpHost, HttpRequest, ResponseHandler)
    • HttpClient.execute(HttpHost, HttpRequest, ResponseHandler, HttpContext)
    • HttpClient.execute(HttpUriRequest)
    • HttpClient.execute(HttpUriRequest, HttpContext)
    • HttpClient.execute(HttpUriRequest, ResponseHandler)
    • HttpClient.execute(HttpUriRequest, ResponseHandler, HttpContext)
  • Test coverage added

    • New test file: java/ql/test/query-tests/security/CWE-918/ApacheHttpClientExecuteSSRF.java
    • Covers all modeled HttpClient.execute overloads listed above.
  • Stub + test configuration updates

    • Added stubs:
      • java/ql/test/stubs/apache-http-client-4.4.13/org/apache/http/client/HttpClient.java
      • java/ql/test/stubs/apache-http-client-4.4.13/org/apache/http/client/ResponseHandler.java
    • Updated java/ql/test/query-tests/security/CWE-918/options to include ${testdir}/../../../stubs/apache-http-client-4.4.13.
  • Replaced previous branch content

    • Removed prior fluent test/stub changes:
      • java/ql/test/query-tests/security/CWE-918/ApacheHttpFluentSSRF.java
      • java/ql/test/stubs/apache-http-fluent-4.5.14/org/apache/http/client/fluent/Request.java
  • Example from new test

    ```java
    String sink = request.getParameter("host"); // $ Source
    HttpHost host = new HttpHost(sink);

    client.execute(host, req); // $ Alert
    client.execute(host, req, context); // $ Alert
    client.execute(host, req, handler); // $ Alert
    client.execute(host, req, handler, context); // $ Alert
    ```
Original prompt

Please add tests for the models for this class. Look at the other SSRF tests in java/ql/test/query-tests/security/CWE-918/CWE-918.testproj/src/Users/owen-mc/workspace/code/ql/java/ql/test/query-tests/security/CWE-918/ApacheHttpSSRF.java for an example to follow. You will have to add stubs and add the path to them in the file java/ql/test/query-tests/security/CWE-918/options. Look at that file to see where the stubs should be located. You can look at existing stubs to see what they should be like.

Created from VS Code.
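The HttpUriRequest overloads listed above have no snippet in the description, so here is an added example in the same inline-expectation style (my own code, not the PR's test file) that exercises both sink families and adds an allowlisted negative case. It assumes the servlet and Apache HttpClient stubs are on the test classpath, and the `$ Alert` markers on the HttpGet constructor and on the HttpUriRequest execute calls assume CodeQL's existing HttpGet sink model and taint propagation into the request object, which should be checked against real query output.

```java
// Added example (not the PR's test file): a CWE-918 test in the inline
// "$ Source" / "$ Alert" convention, covering both sink families modeled here.
package test;

import java.io.IOException;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import org.apache.http.HttpHost;
import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.ResponseHandler;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.protocol.HttpContext;

public class ApacheHttpClientExecuteSSRFExtra {
  // Constructed allowlist of hosts the application is permitted to reach.
  private static final Set<String> ALLOWED = Set.of("api.example.internal");

  // HttpHost overloads: Argument[0] is the modeled request-forgery sink.
  void hostOverloads(HttpServletRequest request, HttpClient client, HttpGet req,
                     HttpContext ctx, ResponseHandler<String> handler) throws IOException {
    String sink = request.getParameter("host"); // $ Source
    HttpHost host = new HttpHost(sink);
    client.execute(host, req); // $ Alert
    client.execute(host, req, ctx); // $ Alert
    client.execute(host, req, handler); // $ Alert
    client.execute(host, req, handler, ctx); // $ Alert
  }

  // HttpUriRequest overloads: the tainted URL is wrapped in an HttpGet first.
  void uriOverloads(HttpServletRequest request, HttpClient client,
                    HttpContext ctx, ResponseHandler<String> handler) throws IOException {
    String url = request.getParameter("url"); // $ Source
    HttpGet get = new HttpGet(url); // $ Alert (assumes the existing HttpGet constructor sink model)
    // Assumption: taint propagates into the HttpGet object, so execute is reported as well.
    client.execute(get); // $ Alert
    client.execute(get, ctx); // $ Alert
    client.execute(get, handler); // $ Alert
    client.execute(get, handler, ctx); // $ Alert
  }

  // Negative case: the host is selected from a fixed allowlist, so no data from the
  // request parameter reaches the sink and no alert is expected on the execute call.
  HttpResponse allowlisted(HttpServletRequest request, HttpClient client, HttpGet req)
      throws IOException {
    String wanted = request.getParameter("host");
    String chosen = ALLOWED.contains(wanted) ? "api.example.internal" : "localhost";
    return client.execute(new HttpHost(chosen), req); // no alert expected
  }
}
```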

Copilot AI changed the title from "[WIP] Add tests for the models following SSRF examples" to "Add CWE-918 model regression coverage for Apache Http Fluent Request sinks" on May 6, 2026
Copilot AI requested a review from owen-mc May 6, 2026 16:09
Copilot finished work on behalf of owen-mc May 6, 2026 16:09
@owen-mc owen-mc closed this May 6, 2026
@owen-mc owen-mc reopened this May 6, 2026
@github-actions github-actions Bot added the Java label May 6, 2026

owen-mc commented May 6, 2026

@copilot

(1) Please delete your current changes on this branch.

(2) Please update java/ql/lib/ext/org.apache.http.client.model.yml to:

```yaml
extensions:
  - addsTo:
      pack: codeql/java-all
      extensible: sinkModel
    data:
      - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpHost,HttpRequest)", "", "Argument[0]", "request-forgery", "ai-manual"]
      - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpHost,HttpRequest,HttpContext)", "", "Argument[0]", "request-forgery", "ai-manual"]
      - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpHost,HttpRequest,ResponseHandler)", "", "Argument[0]", "request-forgery", "ai-manual"]
      - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpHost,HttpRequest,ResponseHandler,HttpContext)", "", "Argument[0]", "request-forgery", "ai-manual"]
      - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpUriRequest)", "", "Argument[0]", "request-forgery", "ai-manual"]
      - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpUriRequest,HttpContext)", "", "Argument[0]", "request-forgery", "ai-manual"]
      - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpUriRequest,ResponseHandler)", "", "Argument[0]", "request-forgery", "ai-manual"]
      - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpUriRequest,ResponseHandler,HttpContext)", "", "Argument[0]", "request-forgery", "ai-manual"]
```

(3) Please add tests for the models in that file. Look at the other SSRF tests in java/ql/test/query-tests/security/CWE-918/ApacheHttpSSRF.java for an example to follow. You will have to add stubs and add the path to them in the file java/ql/test/query-tests/security/CWE-918/options. Look at that file to see where the stubs should be located. You can look at existing stubs to see what they should be like.

Contributor Author

Copilot AI commented May 6, 2026

@copilot

(1) Please delete your current changes on this branch.
...

Done in 043ec85. I removed the previous fluent-only test/stub changes, updated java/ql/lib/ext/org.apache.http.client.model.yml with the exact 8 HttpClient.execute sink rows you requested, added CWE-918 tests in ApacheHttpClientExecuteSSRF.java, added stubs for HttpClient and ResponseHandler, and updated CWE-918/options to include the new stub path.

Warning: Firewall rules blocked me from connecting to one or more addresses.

I tried to connect to the following addresses, but was blocked by firewall rules:

  • releases.bazel.build
    • Triggering command: /usr/local/lib/node_modules/@bazel/bazelisk/bazelisk-linux_amd64 /usr/local/lib/node_modules/@bazel/bazelisk/bazelisk-linux_amd64 query kind('.*test', //java/ql/test/query-tests/security/CWE-918/...) (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI changed the title from "Add CWE-918 model regression coverage for Apache Http Fluent Request sinks" to "Update CWE-918 model coverage for Apache HttpClient execute sinks" on May 6, 2026
Copilot finished work on behalf of owen-mc May 6, 2026 20:33