- 
                Notifications
    You must be signed in to change notification settings 
- Fork 1.8k
Azure python sdk url summary upstream #20563
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Azure python sdk url summary upstream #20563
Conversation
         bdrodes
  
      
      
      commented
      
            bdrodes
  
      
      
      commented
        Sep 30, 2025 
      
    
  
- Added MaD sinks for URLs in the azure SDK, labeled as 'ssrf'
- Updated HTTP request clients to use 'ssrf' MaD
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Pull Request Overview
This PR adds Server-Side Request Forgery (SSRF) modeling for the Azure Python SDK by introducing MaD (Models as Data) sinks and updating HTTP request clients to recognize SSRF vulnerabilities. This enables CodeQL to detect when user input can control URLs passed to Azure SDK methods.
- Added SSRF sink modeling framework for MaD-based HTTP requests
- Created comprehensive Azure SDK models for KeyVault and Storage services
- Added test coverage for Azure client SSRF scenarios
Reviewed Changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description | 
|---|---|
| python/ql/lib/semmle/python/frameworks/SSRFSink.qll | New framework for handling SSRF sinks through MaD models | 
| python/ql/lib/semmle/python/frameworks/Azure.Storage.model.yml | MaD definitions for Azure Storage SDK SSRF sinks | 
| python/ql/lib/semmle/python/frameworks/Azure.Keyvault.model.yml | MaD definitions for Azure KeyVault SDK SSRF sinks | 
| python/ql/lib/semmle/python/Frameworks.qll | Import statement for new SSRFSink framework | 
| python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_azure_client.py | Test cases for Azure SDK SSRF detection | 
| python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/PartialServerSideRequestForgery.expected | Expected results for partial SSRF tests | 
| python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/FullServerSideRequestForgery.expected | Expected results for full SSRF tests | 
| python/ql/lib/change-notes/released/2025-09-30-azure_ssrf_models | Release notes for the changes | 
        
          
                python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_azure_client.py
              
                Outdated
          
            Show resolved
            Hide resolved
        
              
          
                python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_azure_client.py
              
                Outdated
          
            Show resolved
            Hide resolved
        
      Co-authored-by: Copilot <[email protected]>
…orgery/test_azure_client.py Co-authored-by: Copilot <[email protected]>
…orgery/test_azure_client.py Co-authored-by: Copilot <[email protected]>