Java: Update CWE-918 model coverage for Apache HttpClient execute sinks

[Copilot]

Replaces the earlier fluent-Request focused changes with targeted SSRF model updates and regression tests for org.apache.http.client.HttpClient#execute sinks.

• What this addresses

  • Updates java/ql/lib/ext/org.apache.http.client.model.yml to cover all requested request-forgery sink overloads for HttpClient.execute(...).
  • Follows the existing SSRF test style in this suite (inline // $ Source and // $ Alert expectations).

• Model updates

  • HttpClient.execute(HttpHost, HttpRequest)
  • HttpClient.execute(HttpHost, HttpRequest, HttpContext)
  • HttpClient.execute(HttpHost, HttpRequest, ResponseHandler)
  • HttpClient.execute(HttpHost, HttpRequest, ResponseHandler, HttpContext)
  • HttpClient.execute(HttpUriRequest)
  • HttpClient.execute(HttpUriRequest, HttpContext)
  • HttpClient.execute(HttpUriRequest, ResponseHandler)
  • HttpClient.execute(HttpUriRequest, ResponseHandler, HttpContext)

• Test coverage added

  • New test file: java/ql/test/query-tests/security/CWE-918/ApacheHttpClientExecuteSSRF.java
  • Covers all modeled HttpClient.execute overloads listed above.

• Stub + test configuration updates

  • Added stubs:
    • java/ql/test/stubs/apache-http-client-4.4.13/org/apache/http/client/HttpClient.java
    • java/ql/test/stubs/apache-http-client-4.4.13/org/apache/http/client/ResponseHandler.java
  • Updated java/ql/test/query-tests/security/CWE-918/options to include ${testdir}/../../../stubs/apache-http-client-4.4.13.

• Replaced previous branch content

  • Removed prior fluent test/stub changes:
    • java/ql/test/query-tests/security/CWE-918/ApacheHttpFluentSSRF.java
    • java/ql/test/stubs/apache-http-fluent-4.5.14/org/apache/http/client/fluent/Request.java

• Example from new test

  String sink = request.getParameter("host"); // $ Source
  HttpHost host = new HttpHost(sink);
  
  client.execute(host, req); // $ Alert
  client.execute(host, req, context); // $ Alert
  client.execute(host, req, handler); // $ Alert
  client.execute(host, req, handler, context); // $ Alert

Original prompt

Please add tests for the models for this class. Look at the other SSRF tests in java/ql/test/query-tests/security/CWE-918/CWE-918.testproj/src/Users/owen-mc/workspace/code/ql/java/ql/test/query-tests/security/CWE-918/ApacheHttpSSRF.java to an example to follow. You will have to add stubs and add the path to them in the file java/ql/test/query-tests/security/CWE-918/options . Look at that file to see where the stubs should be located. You can look at existing stubs to see what they should be like.

Created from VS Code.

[owen-mc]

@copilot

(1) Please delete your current changes on this branch.

(2) Please update java/ql/lib/ext/org.apache.http.client.model.yml to:

extensions:
  - addsTo:
      pack: codeql/java-all
      extensible: sinkModel
    data:
      - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpHost,HttpRequest)", "", "Argument[0]", "request-forgery", "ai-manual"]
      - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpHost,HttpRequest,HttpContext)", "", "Argument[0]", "request-forgery", "ai-manual"]
      - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpHost,HttpRequest,ResponseHandler)", "", "Argument[0]", "request-forgery", "ai-manual"]
      - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpHost,HttpRequest,ResponseHandler,HttpContext)", "", "Argument[0]", "request-forgery", "ai-manual"]
      - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpUriRequest)", "", "Argument[0]", "request-forgery", "ai-manual"]
      - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpUriRequest,HttpContext)", "", "Argument[0]", "request-forgery", "ai-manual"]
      - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpUriRequest,ResponseHandler)", "", "Argument[0]", "request-forgery", "ai-manual"]
      - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpUriRequest,ResponseHandler,HttpContext)", "", "Argument[0]", "request-forgery", "ai-manual"]

(3) Please add tests for the models in that file. Look at the other SSRF tests in java/ql/test/query-tests/security/CWE-918/ApacheHttpSSRF.java for an example to follow. You will have to add stubs and add the path to them in the file java/ql/test/query-tests/security/CWE-918/options . Look at that file to see where the stubs should be located. You can look at existing stubs to see what they should be like.

[Copilot]

@copilot

(1) Please delete your current changes on this branch.
...

Done in 043ec85. I removed the previous fluent-only test/stub changes, updated java/ql/lib/ext/org.apache.http.client.model.yml with the exact 8 HttpClient.execute sink rows you requested, added CWE-918 tests in ApacheHttpClientExecuteSSRF.java, added stubs for HttpClient and ResponseHandler, and updated CWE-918/options to include the new stub path.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• releases.bazel.build
  • Triggering command: /usr/local/lib/node_modules/@bazel/bazelisk/bazelisk-linux_amd64 /usr/local/lib/node_modules/@bazel/bazelisk/bazelisk-linux_amd64 query kind('.*test', //java/ql/test/query-tests/security/CWE-918/...) (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[owen-mc]

Adds some missing sinks.

[Copilot]

Pull request overview

This PR expands CodeQL’s Java SSRF (CWE-918) coverage by modeling additional Apache HttpClient 4.x HttpClient#execute(...) overloads as request-forgery sinks, and adds a dedicated regression test plus stubs to exercise those overloads.

Changes:

• Added sink models for the full set of org.apache.http.client.HttpClient#execute(...) overloads taking HttpHost / HttpUriRequest.
• Added a new CWE-918 regression test and minimal stubs for HttpClient and ResponseHandler, wiring the stub directory into the test classpath.
• Updated the RequestForgery.expected baseline and added a Java pack change note describing the analysis impact.

Show a summary per file

File	Description
java/ql/lib/ext/org.apache.http.client.model.yml	Adds request-forgery sink models for HttpClient.execute(...) overloads.
java/ql/test/query-tests/security/CWE-918/ApacheHttpClientExecuteSSRF.java	New regression test covering each newly modeled overload.
java/ql/test/stubs/apache-http-client-4.4.13/org/apache/http/client/HttpClient.java	Adds an HttpClient stub exposing the modeled execute(...) overloads.
java/ql/test/stubs/apache-http-client-4.4.13/org/apache/http/client/ResponseHandler.java	Adds a ResponseHandler stub required by HttpClient.execute(...) overloads.
java/ql/test/query-tests/security/CWE-918/options	Extends the test classpath to include the new Apache HttpClient stub directory.
java/ql/test/query-tests/security/CWE-918/RequestForgery.expected	Updates expected results/baseline to include new alerts and model listing changes.
java/ql/lib/change-notes/2026-05-07-apache-httpclient-ssrf-sinks.md	Documents the user-visible analysis improvement for Java SSRF queries.

Copilot's findings

• Files reviewed: 6/7 changed files
• Comments generated: 1

[aschackmull]

I agree that this is confusing. Also, the source is named sink, which is confusing as well.

[aschackmull]

Is this right? Based on the type names and the models below, which target the HttpUriRequest argument, I'd expect the sink to be the HttpRequest argument (possibly in addition to HttpHost).

[BazookaMusic]

The models look good, but I'm not sure if maybe Argument[1] is also a sink here.

https://codeql.github.com/codeql-query-help/javascript/js-host-header-forgery-in-email-generation/

The request here will have the headers of the outgoing request so if they are user controlled, they could for example cause a malicious redirect or something like that depending on the server that reads it.

I will approve it, but do check this out too

[BazookaMusic]

Actually I checked it and Anders is correct, HttpHost is the base url and then httprequest contains the relative url.

It's still request forgery if tainted data goes into the relative url

[owen-mc]

@BazookaMusic Our request forgery queries only alert for being able to change the host, so actually it sounds like that model is correct.