Java: Model Spring reactive WebClient.uri as a request forgery sink#22132
Merged
owen-mc merged 3 commits intoJul 7, 2026
Conversation
Contributor
Click to show differences in coveragejavaGenerated file changes for java
- `Spring <https://spring.io/>`_,``org.springframework.*``,46,494,143,26,,28,14,,35
+ `Spring <https://spring.io/>`_,``org.springframework.*``,46,494,144,26,,28,14,,36
- Totals,,382,26411,2707,421,16,137,33,1,415
+ Totals,,382,26411,2708,421,16,137,33,1,416
- org.springframework.web.reactive.function.client,2,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,,,,,,,,,,
+ org.springframework.web.reactive.function.client,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3,,,,,,,,,,,,,,,,,, |
owen-mc
requested changes
Jul 7, 2026
Contributor
|
Thanks for this contribution. It looks pretty much all correct. The copyright notice will need to be removed though. |
Contributor
There was a problem hiding this comment.
Pull request overview
This PR extends the Java request-forgery (SSRF) sink modeling for Spring WebFlux by treating WebClient.UriSpec.uri(...) as a request-forgery sink, closing a common modeling gap where URLs are set per-request rather than at client construction time.
Changes:
- Add a
request-forgerysink model fororg.springframework.web.reactive.function.client.WebClient$UriSpec.uri(withsubtypes=True) to cover typical fluent usages likewebClient.get().uri(...). - Extend the Spring WebClient test stub to include the
uri(URI)overload needed by the new query-test cases. - Add new CWE-918 query-test coverage for
.uri(String)(via varargs overload) and.uri(URI), updating the expected results and documenting the behavior change in release notes.
Show a summary per file
| File | Description |
|---|---|
| java/ql/lib/ext/org.springframework.web.reactive.function.client.model.yml | Adds the new SSRF sink model for WebClient$UriSpec.uri(...). |
| java/ql/test/stubs/springframework-5.8.x/org/springframework/web/reactive/function/client/WebClient.java | Updates stub API surface to include uri(java.net.URI) for compilation/type resolution. |
| java/ql/test/query-tests/security/CWE-918/ReactiveWebClientSSRF.java | Adds new query-test flows into WebClient.uri(...) overloads. |
| java/ql/test/query-tests/security/CWE-918/RequestForgery.expected | Regenerates expected results to include the new sink detections. |
| java/ql/lib/change-notes/2026-06-30-spring-webclient-uri-ssrf.md | Documents the new sink modeling as a minor analysis change. |
Review details
- Files reviewed: 4/5 changed files
- Comments generated: 1
- Review effort level: Low
Comment on lines
1
to
2
| # Copyright © 2026 Apple Inc. | ||
| extensions: |
Contributor
Author
Removing Apple Inc notice per feedback provided by GitHub Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
Update change note to be more technically accurate Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
owen-mc
approved these changes
Jul 7, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Spring WebFlux's reactive
WebClientsends a request to the URL passed to the per-requesturi(...)method (for examplewebClient.get().uri(url)), declared onWebClient.UriSpec. Therequest-forgerymodel coversWebClient.create(url)andWebClient.builder().baseUrl(url). It does not yet cover the per-requesturi(...)method, which is the usual way to set a request URL, so a URL built from untrusted input and sent throughuri(...)is ajava/ssrfsink that is currently unmodeled.Change
Adds
WebClient$UriSpec.urias arequest-forgerysink:- ["org.springframework.web.reactive.function.client", "WebClient$UriSpec", True, "uri", "", "", "Argument[0]", "request-forgery", "manual"]subtypesisTrueso the row also applies toRequestHeadersUriSpecandRequestBodyUriSpec, the receiver types returned byget(),post()and similar methods.uri(URI),uri(String, Object...)anduri(String, Map).Testing
Validated at three levels.
Query tests.
ReactiveWebClientSSRF.javaadds tainted flows intouri(String)anduri(URI), andRequestForgery.expectedis regenerated. The CWE-918 tests pass.True positives (full-build database). Compiled against the Spring WebFlux library, the sink reports untrusted input reaching the request URL:
uri(String);uri(String, Object...);UriComponentsBuilderwhose host is attacker-controlled (fromUriString,host).Multi-repository variant analysis.
Repositories analyzed (34)
WebClient.uricall sites across the dataset, confirming the run exercises the new model.Overload coverage
The blank signature also matches the
uri(Function<UriBuilder, URI>)overload, whoseArgument[0]is a builder callback. This matches how other fluent URL setters are modeled. The row can be restricted to theStringandURIoverloads if preferred.