CodeQL自动化寻找SSRF漏洞教学文档<\/h1>

1. 环境搭建<\/h2>

1.1 项目准备<\/h3>
下载示例项目：https:\/\/github.com\/l4yn3\/micro_service_seclab<\/code><\/li>
将项目导入IDEA开发环境<\/li>
运行项目进行测试<\/li>
<\/ul>
2. SSRF漏洞代码分析<\/h2>
2.1 五种SSRF实现方式<\/h3>
2.1.1 HttpURLConnection方式<\/h4>
@RequestMapping<\/span>(<\/span>value =<\/span> "\/one"<\/span>)<\/span>
<\/span><\/span>public<\/span> String One<\/span>(<\/span>@RequestParam<\/span>(<\/span>value =<\/span> "url"<\/span>)<\/span> String imageUrl)<\/span> {<\/span>
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        URL url =<\/span> new<\/span> URL(<\/span>imageUrl);<\/span>
<\/span><\/span>        HttpURLConnection connection =<\/span> (<\/span>HttpURLConnection)<\/span> url.<\/span>openConnection<\/span>();<\/span>
<\/span><\/span>        connection.<\/span>setRequestMethod<\/span>(<\/span>"GET"<\/span>);<\/span>
<\/span><\/span>        return<\/span> connection.<\/span>getResponseMessage<\/span>();<\/span>
<\/span><\/span>    }<\/span> catch<\/span> (<\/span>IOException var3)<\/span> {<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>var3);<\/span>
<\/span><\/span>        return<\/span> "Hello"<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>
使用Java标准库中的HttpURLConnection<\/code><\/li>
直接使用用户提供的URL创建连接<\/li>
发送GET请求并返回响应<\/li>
<\/ul>
2.1.2 Apache HttpClient方式<\/h4>
@RequestMapping<\/span>(<\/span>value =<\/span> "\/two"<\/span>)<\/span>
<\/span><\/span>public<\/span> String Two<\/span>(<\/span>@RequestParam<\/span>(<\/span>value =<\/span> "url"<\/span>)<\/span> String imageUrl)<\/span> {<\/span>
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        URL url =<\/span> new<\/span> URL(<\/span>imageUrl);<\/span>
<\/span><\/span>        HttpResponse response =<\/span> Request.<\/span>Get<\/span>(<\/span>String.<\/span>valueOf<\/span>(<\/span>url)).<\/span>execute<\/span>().<\/span>returnResponse<\/span>();<\/span>
<\/span><\/span>        return<\/span> response.<\/span>toString<\/span>();<\/span>
<\/span><\/span>    }<\/span> catch<\/span> (<\/span>IOException var1)<\/span> {<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>var1);<\/span>
<\/span><\/span>        return<\/span> "Hello"<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>
使用Apache HttpClient的fluent API<\/li>
用户提供的URL用于发起GET请求<\/li>
<\/ul>
2.1.3 OkHttp方式<\/h4>
@RequestMapping<\/span>(<\/span>value =<\/span> "\/three"<\/span>)<\/span>
<\/span><\/span>public<\/span> String Three<\/span>(<\/span>@RequestParam<\/span>(<\/span>value =<\/span> "url"<\/span>)<\/span> String imageUrl)<\/span> {<\/span>
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        URL url =<\/span> new<\/span> URL(<\/span>imageUrl);<\/span>
<\/span><\/span>        OkHttpClient client =<\/span> new<\/span> OkHttpClient();<\/span>
<\/span><\/span>        com.<\/span>squareup<\/span>.<\/span>okhttp<\/span>.<\/span>Request<\/span> request =<\/span> new<\/span> com.<\/span>squareup<\/span>.<\/span>okhttp<\/span>.<\/span>Request<\/span>.<\/span>Builder<\/span>()<\/span>
<\/span><\/span>            .<\/span>get<\/span>().<\/span>url<\/span>(<\/span>url).<\/span>build<\/span>();<\/span>
<\/span><\/span>        Call call =<\/span> client.<\/span>newCall<\/span>(<\/span>request);<\/span>
<\/span><\/span>        Response response =<\/span> call.<\/span>execute<\/span>();<\/span>
<\/span><\/span>        return<\/span> response.<\/span>toString<\/span>();<\/span>
<\/span><\/span>    }<\/span> catch<\/span> (<\/span>IOException var1)<\/span> {<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>var1);<\/span>
<\/span><\/span>        return<\/span> "Hello"<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>
使用OkHttp现代HTTP客户端<\/li>
构建请求并执行<\/li>
<\/ul>
2.1.4 DefaultHttpClient方式<\/h4>
@RequestMapping<\/span>(<\/span>value =<\/span> "\/four"<\/span>)<\/span>
<\/span><\/span>public<\/span> String Four<\/span>(<\/span>@RequestParam<\/span>(<\/span>value =<\/span> "url"<\/span>)<\/span> String imageUrl)<\/span> {<\/span>
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        DefaultHttpClient client =<\/span> new<\/span> DefaultHttpClient();<\/span>
<\/span><\/span>        HttpGet get =<\/span> new<\/span> HttpGet(<\/span>imageUrl);<\/span>
<\/span><\/span>        HttpResponse response =<\/span> client.<\/span>execute<\/span>(<\/span>get);<\/span>
<\/span><\/span>        return<\/span> response.<\/span>toString<\/span>();<\/span>
<\/span><\/span>    }<\/span> catch<\/span> (<\/span>IOException var1)<\/span> {<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>var1);<\/span>
<\/span><\/span>        return<\/span> "Hello"<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>
使用Apache HttpClient中的DefaultHttpClient类<\/li>
创建HttpGet对象并执行<\/li>
<\/ul>
2.1.5 URL.openStream方式<\/h4>
@RequestMapping<\/span>(<\/span>value =<\/span> "five"<\/span>)<\/span>
<\/span><\/span>public<\/span> String Five<\/span>(<\/span>@RequestParam<\/span>(<\/span>value =<\/span> "url"<\/span>)<\/span> String imageUrl)<\/span> {<\/span>
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        URL url =<\/span> new<\/span> URL(<\/span>imageUrl);<\/span>
<\/span><\/span>        InputStream inputStream =<\/span> url.<\/span>openStream<\/span>();<\/span>
<\/span><\/span>        return<\/span> String.<\/span>valueOf<\/span>(<\/span>inputStream.<\/span>read<\/span>());<\/span>
<\/span><\/span>    }<\/span> catch<\/span> (<\/span>IOException var1)<\/span> {<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>var1);<\/span>
<\/span><\/span>        return<\/span> "Hello"<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>
使用URL.openStream()方法<\/li>
直接打开URL并读取数据流<\/li>
<\/ul>
3. CodeQL分析原理<\/h2>
3.1 核心概念<\/h3>
3.1.1 RequestForgeryConfig<\/h4>

描述请求伪造风险的污点跟踪配置<\/li>
SSRF属于request-forgery风险类型<\/li>
<\/ul>
3.1.2 污点分析三要素<\/h4>

Source（源点）：用户可控输入<\/li>
Sink（汇点）：危险函数调用<\/li>
Taint propagation（污点传播）：数据从源点到汇点的流动路径<\/li>
<\/ol>
3.2 Source点分析<\/h3>
3.2.1 RemoteFlowSource<\/h4>
abstract class RemoteFlowSource extends SourceNode {
    abstract string getSourceType();
    override string getThreatModel() { result = "remote" }
}
<\/code><\/pre>

远程用户输入的数据流源<\/li>
实现类包括SpringServletInputParameterSource等<\/li>
<\/ul>
3.2.2 SpringServletInputParameterSource<\/h4>
private class SpringServletInputParameterSource extends RemoteFlowSource {
    SpringServletInputParameterSource() {
        this.asParameter() = any(SpringRequestMappingParameter srmp | srmp.isTaintedInput())
    }
    override string getSourceType() { result = "Spring servlet input parameter" }
}
<\/code><\/pre>

匹配Spring请求映射方法的参数<\/li>
通过isTaintedInput()<\/code>判断是否为污点输入<\/li>
<\/ul>
3.2.3 排除的Source<\/h4>
not source.asExpr().(MethodCall).getCallee() instanceof UrlConnectionGetInputStreamMethod
<\/code><\/pre>

排除通过HttpURLConnection.getInputStream方法发起的远程请求<\/li>
这些通常被认为是安全的HTTPS请求<\/li>
<\/ul>
3.3 Sink点分析<\/h3>
3.3.1 RequestForgerySink<\/h4>
abstract class RequestForgerySink extends DataFlow::Node { }
<\/code><\/pre>

抽象类，表示请求伪造的汇点<\/li>
<\/ul>
3.3.2 DefaultRequestForgerySink<\/h4>
private class DefaultRequestForgerySink extends RequestForgerySink {
    DefaultRequestForgerySink() { sinkNode(this, "request-forgery") }
}
<\/code><\/pre>

实现类，标记为"request-forgery"类型<\/li>
匹配各种HTTP客户端库的请求方法<\/li>
<\/ul>
3.4 污点传播规则<\/h3>
3.4.1 isAdditionalTaintStep<\/h4>
override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
    any(RequestForgeryAdditionalTaintStep r).propagatesTaint(pred, succ)
}
<\/code><\/pre>

定义额外的污点传播步骤<\/li>
<\/ul>
3.4.2 DefaultRequestForgeryAdditionalTaintStep<\/h4>
private class DefaultRequestForgeryAdditionalTaintStep extends RequestForgeryAdditionalTaintStep {
    override predicate propagatesTaint(DataFlow::Node pred, DataFlow::Node succ) {
        \/\/ propagate to a URI when its host is assigned to
        exists(UriCreation c | c.getHostArg() = pred.asExpr() | succ.asExpr() = c)
        or
        \/\/ propagate to a URL when its host is assigned to
        exists(UrlConstructorCall c | c.getHostArg() = pred.asExpr() | succ.asExpr() = c)
    }
}
<\/code><\/pre>

处理URI和URL构造时的污点传播<\/li>
示例：
String userInput =<\/span> request.<\/span>getParameter<\/span>(<\/span>"url"<\/span>);<\/span>
<\/span><\/span>URI uri =<\/span> URI.<\/span>create<\/span>(<\/span>userInput);<\/span>  \/\/ 污点从userInput传播到uri
<\/span><\/span><\/span><\/span>URL url =<\/span> new<\/span> URL(<\/span>userInput);<\/span>     \/\/ 污点从userInput传播到url
<\/span><\/span><\/span><\/code><\/pre><\/li>
<\/ul>
3.4.3 TypePropertiesRequestForgeryAdditionalTaintStep<\/h4>
private class TypePropertiesRequestForgeryAdditionalTaintStep extends RequestForgeryAdditionalTaintStep {
    override predicate propagatesTaint(DataFlow::Node pred, DataFlow::Node succ) {
        exists(MethodCall ma |
            ma.getMethod() instanceof PropertiesSetPropertyMethod
            and ma.getArgument(0).(CompileTimeConstantExpr).getStringValue() = "jdbcUrl"
            and pred.asExpr() = ma.getArgument(1)
            and succ.asExpr() = ma.getQualifier()
        )
    }
}
<\/code><\/pre>

处理Properties.setProperty方法的污点传播<\/li>
示例：
Properties props =<\/span> new<\/span> Properties();<\/span>
<\/span><\/span>String userInput =<\/span> request.<\/span>getParameter<\/span>(<\/span>"jdbcUrl"<\/span>);<\/span>
<\/span><\/span>props.<\/span>setProperty<\/span>(<\/span>"jdbcUrl"<\/span>,<\/span> userInput);<\/span>  \/\/ 污点从userInput传播到props
<\/span><\/span><\/span><\/code><\/pre><\/li>
<\/ul>
3.5 Sanitizer（清理点）<\/h3>
3.5.1 HostnameSantizer<\/h4>
private class HostnameSantizer extends RequestForgerySanitizer {
    HostnameSantizer() {
        this.asExpr() = any(HostnameSanitizingPrefix hsp).getAnAppendedExpression()
    }
}
<\/code><\/pre>

匹配包含特定前缀的字符串（如?或#）<\/li>
这些前缀限制了主机名的控制<\/li>
<\/ul>
3.5.2 RelativeUrlSanitizer<\/h4>
private class RelativeUrlSanitizer extends RequestForgerySanitizer {
    RelativeUrlSanitizer() {
        this = DataFlow::BarrierGuard<isRelativeUrlSanitizer\/3>::getABarrierNode()
    }
}
<\/code><\/pre>

检查URL是否为相对路径<\/li>
示例：
if<\/span> (<\/span>uri.<\/span>isAbsolute<\/span>())<\/span> {<\/span>  \/\/ 绝对URL被认为是安全的
<\/span><\/span><\/span><\/span>    return<\/span> true<\/span>;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
4. CodeQL实践与改进<\/h2>
4.1 初始查询结果问题<\/h3>

原始查询只能检测到3个SSRF漏洞点（实际有5个）<\/li>
问题出在污点传播过程中，特别是String.valueOf方法的处理<\/li>
<\/ul>
4.2 解决方案：扩展污点传播规则<\/h3>
4.2.1 定义StringValue类<\/h4>
class TypeStringLib extends RefType {
    TypeStringLib() { this.hasQualifiedName("java.lang", "String") }
}

class StringValue extends MethodAccess {
    StringValue(){
        this.getCallee().getDeclaringType() instanceof TypeStringLib
        and this.getCallee().hasName("valueOf")
    }
}
<\/code><\/pre>

匹配java.lang.String类的valueOf方法<\/li>
<\/ul>
4.2.2 修改DefaultRequestForgeryAdditionalTaintStep<\/h4>
private class DefaultRequestForgeryAdditionalTaintStep extends RequestForgeryAdditionalTaintStep {
    override predicate propagatesTaint(DataFlow::Node pred, DataFlow::Node succ) {
        exists(UriCreation c | c.getHostArg() = pred.asExpr() | succ.asExpr() = c)
        or
        exists(UrlConstructorCall c | c.getHostArg() = pred.asExpr() | succ.asExpr() = c)
        or
        exists(StringValue c | c.getArgument(0) = pred.asExpr() | succ.asExpr() = c)
    }
}
<\/code><\/pre>

添加对String.valueOf方法的污点传播支持<\/li>
确保类似Request.Get(String.valueOf(url))<\/code>的调用也能被正确追踪<\/li>
<\/ul>
4.3 改进后查询结果<\/h3>

成功检测到全部5个SSRF漏洞点<\/li>
包括使用String.valueOf方法包装URL参数的案例<\/li>
<\/ul>
5. 总结<\/h2>
5.1 关键点回顾<\/h3>

SSRF漏洞可以通过多种Java HTTP客户端库实现<\/li>
CodeQL分析需要正确定义Source、Sink和污点传播规则<\/li>
特殊方法调用（如String.valueOf）需要额外处理<\/li>
清理点（Sanitizer）规则影响漏洞检测结果<\/li>
<\/ol>
5.2 最佳实践<\/h3>

针对项目使用的HTTP客户端库定制Sink点<\/li>
仔细检查污点传播路径，特别是方法调用链<\/li>
合理配置清理点规则，避免误报<\/li>
定期更新CodeQL规则库以支持新的API和框架<\/li>
<\/ol>
5.3 扩展思考<\/h3>

可以扩展支持更多HTTP客户端库（如Unirest、Retrofit等）<\/li>
考虑添加对DNS查询、SMTP连接等其他网络操作的检测<\/li>
结合数据流分析和控制流分析提高检测精度<\/li>
<\/ol>
CodeQL自动化寻找SSRF漏洞教学文档<\/h1>

1. 环境搭建<\/h2>

2. SSRF漏洞代码分析<\/h2>

2.1 五种SSRF实现方式<\/h3>

3. CodeQL分析原理<\/h2>

3.1 核心概念<\/h3>

3.2 Source点分析<\/h3>

3.3 Sink点分析<\/h3>

3.4 污点传播规则<\/h3>

3.5 Sanitizer（清理点）<\/h3>

4. CodeQL实践与改进<\/h2>

4.2 解决方案：扩展污点传播规则<\/h3>

5. 总结<\/h2>

5.3 扩展思考<\/h3> 可以扩展支持更多HTTP客户端库（如Unirest、Retrofit等）<\/li> 考虑添加对DNS查询、SMTP连接等其他网络操作的检测<\/li> 结合数据流分析和控制流分析提高检测精度<\/li> <\/ol>

5.3 扩展思考<\/h3>

可以扩展支持更多HTTP客户端库（如Unirest、Retrofit等）<\/li>
考虑添加对DNS查询、SMTP连接等其他网络操作的检测<\/li>
结合数据流分析和控制流分析提高检测精度<\/li> <\/ol>
