contrib.owasp.java.ssrf.ssrf.owasp.java.ssrf.org.apache.http.impl.client.CloseableHttpClient

Author
164
Download Count*
License
A parameter being passed directly into CloseableHttpClient functions most likely lead to SSRF.
Run Locally
Run in CI
Defintion
rules:
- id: owasp.java.ssrf.org.apache.http.impl.client.CloseableHttpClient
message: A parameter being passed directly into CloseableHttpClient functions
most likely lead to SSRF.
metadata:
cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
source-rule-url: https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
category: security
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
severity: ERROR
patterns:
- pattern-either:
- pattern: |
$RETURN $METHOD(...,String $VAR, ...) {
...
CloseableHttpClient $CLIENT = ... ;
...
$METHODOBJ = new $METHODCLASS($VAR);
...
HttpResponse httpResponse = $CLIENT.execute($METHODOBJ);
...
}
- pattern: |
$RETURN $METHOD(...,String $VAR, ...) {
...
CloseableHttpClient $CLIENT = ... ;
...
$METHODOBJ = new $METHODCLASS("...");
...
HttpResponse httpResponse = $CLIENT.execute($METHODOBJ);
...
}
languages:
- java
Examples
ssrf.java
//git@github.com:JoyChou93/java-sec-code.git
package org.joychou.util;
// ruleid:owasp.java.ssrf.possible.import.statements
import com.squareup.okhttp.OkHttpClient;
// ruleid:owasp.java.ssrf.possible.import.statements
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.methods.GetMethod;
import org.apache.commons.io.IOUtils;
import org.apache.http.HttpResponse;
// ruleid:owasp.java.ssrf.possible.import.statements
import org.apache.http.client.fluent.Request;
// ruleid:owasp.java.ssrf.possible.import.statements
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
// ruleid:owasp.java.ssrf.possible.import.statements
import org.apache.http.impl.nio.client.CloseableHttpAsyncClient;
import org.apache.http.impl.nio.client.HttpAsyncClients;
import org.apache.http.util.EntityUtils;
// ruleid:owasp.java.ssrf.possible.import.statements
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
// ruleid:owasp.java.ssrf.possible.import.statements
import javax.imageio.ImageIO;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
// ruleid:owasp.java.ssrf.possible.import.statements
import java.net.URI;
// ruleid:owasp.java.ssrf.possible.import.statements
import java.net.URL;
import java.net.URLConnection;
import java.util.concurrent.*;
/**
* @author JoyChou 2020-04-06
*/
public class HttpUtils {
private static Logger logger = LoggerFactory.getLogger(HttpUtils.class);
// ruleid:owasp.java.ssrf.org.apache.commons.httpclient
public static String commonHttpClient(String url) {
HttpClient client = new HttpClient();
GetMethod method = new GetMethod(url);
try {
client.executeMethod(method); // send request
byte[] resBody = method.getResponseBody();
return new String(resBody);
} catch (IOException e) {
return "Error: " + e.getMessage();
} finally {
// Release the connection.
method.releaseConnection();
}
}
public static String request(String url) {
try {
return Request.Get(url).execute().returnContent().toString();
} catch (Exception e) {
return e.getMessage();
}
}
// ruleid:owasp.java.ssrf.org.apache.http.impl.client.CloseableHttpClient
public static String httpClient(String url) {
StringBuilder result = new StringBuilder();
try {
CloseableHttpClient client = HttpClients.createDefault();
HttpGet httpGet = new HttpGet(url);
HttpResponse httpResponse = client.execute(httpGet); // send request
BufferedReader rd = new BufferedReader(new InputStreamReader(httpResponse.getEntity().getContent()));
String line;
while ((line = rd.readLine()) != null) {
result.append(line);
}
return result.toString();
} catch (Exception e) {
return e.getMessage();
}
}
// ruleid:owasp.java.ssrf.java.net.url
public static String URLConnection(String url) {
try {
URL u = new URL(url);
URLConnection urlConnection = u.openConnection();
BufferedReader in = new BufferedReader(new InputStreamReader(urlConnection.getInputStream())); //send request
String inputLine;
StringBuilder html = new StringBuilder();
while ((inputLine = in.readLine()) != null) {
html.append(inputLine);
}
in.close();
return html.toString();
} catch (Exception e) {
logger.error(e.getMessage());
return e.getMessage();
}
}
// ruleid:owasp.java.ssrf.java.net.url
public static String HTTPURLConnection(String url) {
try {
URL u = new URL(url);
URLConnection urlConnection = u.openConnection();
HttpURLConnection httpUrl = (HttpURLConnection) urlConnection;
BufferedReader in = new BufferedReader(new InputStreamReader(httpUrl.getInputStream())); //send request
String inputLine;
StringBuilder html = new StringBuilder();
while ((inputLine = in.readLine()) != null) {
html.append(inputLine);
}
in.close();
return html.toString();
} catch (IOException e) {
logger.error(e.getMessage());
return e.getMessage();
}
}
/**
* Jsoup is a HTML parser about Java.
*
* @param url http request url
*/
public static String Jsoup(String url) {
try {
Document doc = Jsoup.connect(url)
//.followRedirects(false)
.timeout(3000)
.cookie("name", "joychou") // request cookies
.execute().parse();
return doc.outerHtml();
} catch (IOException e) {
return e.getMessage();
}
}
/**
* The default setting of followRedirects is true. The option of followRedirects is true.
*
* UserAgent is <code>okhttp/2.5.0</code>.
*/
public static String okhttp(String url) throws IOException {
OkHttpClient client = new OkHttpClient();
// client.setFollowRedirects(false);
com.squareup.okhttp.Request ok_http = new com.squareup.okhttp.Request.Builder().url(url).build();
return client.newCall(ok_http).execute().body().string();
}
// ruleid:owasp.java.ssrf.java.net.url
public static void imageIO(String url) {
try {
URL u = new URL(url);
ImageIO.read(u); // send request
} catch (IOException e) {
logger.error(e.getMessage());
}
}
/**
* IOUtils which is wrapped by URLConnection can get remote pictures.
* The default setting of redirection is true.
*
* @param url http request url
*/
public static void IOUtils(String url) {
try {
IOUtils.toByteArray(URI.create(url));
} catch (IOException e) {
logger.error(e.getMessage());
}
}
public static String HttpAsyncClients(String url) {
CloseableHttpAsyncClient httpclient = HttpAsyncClients.createDefault();
try {
httpclient.start();
final HttpGet request = new HttpGet(url);
Future<HttpResponse> future = httpclient.execute(request, null);
HttpResponse response = future.get(6000, TimeUnit.MILLISECONDS);
return EntityUtils.toString(response.getEntity());
} catch (Exception e) {
return e.getMessage();
} finally {
try {
httpclient.close();
} catch (Exception e) {
logger.error(e.getMessage());
}
}
}
}
Short Link: https://sg.run/7oAG