include suggestions from review.

Author: Porcupiney Hairs

java/ql/src/Security/CWE/CWE-319/HttpsUrls.ql

@@ -11,7 +11,7 @@
 
 import java
 import semmle.code.java.dataflow.TaintTracking
-import semmle.code.java.frameworks.javase.URL
+import semmle.code.java.frameworks.Networking
 import DataFlow::PathGraph
 
 class HTTPString extends StringLiteral {
@@ -52,7 +52,7 @@ class HTTPStringToURLOpenMethodFlowConfig extends TaintTracking::Configuration {
   }
 
   override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
-    exists(URLConstructor u |
+    exists(UrlConstructor u |
       node1.asExpr() = u.protocolArg() and
       node2.asExpr() = u
     )

java/ql/src/experimental/CWE-918/RequestForgery.qll

@@ -24,10 +24,10 @@ module RequestForgery {
 
 predicate additionalStep(DataFlow::Node pred, DataFlow::Node succ) {
   // propagate to a URI when its host is assigned to
-  exists(UriConstructor c | c.hostArg() = pred.asExpr() | succ.asExpr() = c)
+  exists(UriCreation c | c.getHostArg() = pred.asExpr() | succ.asExpr() = c)
   or
   // propagate to a URL when its host is assigned to
-  exists(UrlConstructor c | c.hostArg() = pred.asExpr() | succ.asExpr() = c)
+  exists(UrlConstructor c | c.getHostArg() = pred.asExpr() | succ.asExpr() = c)
   or
   // propagate to a RequestEntity when its url is assigned to
   exists(MethodAccess m |

java/ql/src/experimental/CWE-918/RequestForgeryCustomizations.qll

@@ -34,8 +34,8 @@ module RequestForgery {
    */
   private class ApacheSetUri extends Sink {
     ApacheSetUri() {
-      exists(MethodAccess ma, TypeApacheHttpRequestBase t |
-        ma.getReceiverType().extendsOrImplements(t) and
+      exists(MethodAccess ma |
+        ma.getReceiverType() instanceof ApacheHttpRequest and
         ma.getMethod().hasName("setURI")
       |
         this.asExpr() = ma.getArgument(0)
@@ -49,9 +49,7 @@ module RequestForgery {
    */
   private class ApacheHttpRequestInstantiation extends Sink {
     ApacheHttpRequestInstantiation() {
-      exists(ClassInstanceExpr c, TypeApacheHttpRequestBase t |
-        c.getConstructedType().extendsOrImplements(t)
-      |
+      exists(ClassInstanceExpr c | c.getConstructedType() instanceof ApacheHttpRequest |
         this.asExpr() = c.getArgument(0)
       )
     }
@@ -149,25 +147,9 @@ module RequestForgery {
 class SpringRestTemplateUrlMethods extends Method {
   SpringRestTemplateUrlMethods() {
     this.getDeclaringType() instanceof SpringRestTemplate and
-    this.hasName("doExecute")
-    or
-    this.hasName("postForEntity")
-    or
-    this.hasName("postForLocation")
-    or
-    this.hasName("postForObject")
-    or
-    this.hasName("put")
-    or
-    this.hasName("exchange")
-    or
-    this.hasName("execute")
-    or
-    this.hasName("getForEntity")
-    or
-    this.hasName("getForObject")
-    or
-    this.hasName("patchForObject")
+    this
+        .hasName(["doExecute", "postForEntity", "postForLocation", "postForObject", "put",
+              "exchange", "execute", "getForEntity", "getForObject", "patchForObject"])
   }
 
   /**

java/ql/src/experimental/Security/CWE/CWE-522/InsecureBasicAuth.ql

@@ -155,7 +155,7 @@ class HttpURLOpenMethod extends Method {
 /** Constructor of `ApacheHttpRequest` */
 predicate apacheHttpRequest(DataFlow::Node node1, DataFlow::Node node2) {
   exists(ConstructorCall cc |
-    cc.getConstructedType() instanceof TypeApacheHttpRequestBase and
+    cc.getConstructedType() instanceof ApacheHttpRequest and
     node2.asExpr() = cc and
     cc.getAnArgument() = node1.asExpr()
   )

java/ql/src/semmle/code/java/frameworks/ApacheHttp.qll

@@ -15,19 +15,19 @@ class ApacheHttpEntityGetContent extends Method {
 }
 
 /**
- *  A class derived from the `HttpRequestBase` or the `BasicHttpRequest`
+ *  Models any class derived from `HttpRequestBase` or the `BasicHttpRequest`
  *  class of the Apache Http Client `org.apache.http` library
  */
-class TypeApacheHttpRequestBase extends RefType {
-  TypeApacheHttpRequestBase() {
+class ApacheHttpRequest extends RefType {
+  ApacheHttpRequest() {
     this
         .getASourceSupertype*()
         .hasQualifiedName("org.apache.http.client.methods", "HttpRequestBase") or
     this.getASourceSupertype*().hasQualifiedName("org.apache.http.message", "BasicHttpRequest")
   }
 }
 
-/* A class representing the `RequestBuilder` class of the Apache Http Client library */
+/** Models `RequestBuilder` class of the Apache Http Client library */
 class TypeApacheHttpRequestBuilder extends Class {
   TypeApacheHttpRequestBuilder() {
     hasQualifiedName("org.apache.http.client.methods", "RequestBuilder")

java/ql/src/semmle/code/java/frameworks/Networking.qll

@@ -43,22 +43,27 @@ class SocketGetInputStreamMethod extends Method {
 }
 
 /** Any expresion or call which returns a new URI. */
-abstract class UriCreation extends Top {
+class UriCreation extends Call {
+  UriCreation() {
+    this.getCallee().getDeclaringType() instanceof TypeUri and
+    (this instanceof ClassInstanceExpr or this.getCallee().hasName("create"))
+  }
+
   /**
    * Returns the host of the newly created URI.
    *  In the case where the host is specified separately, this returns only the host.
    *  In the case where the uri is parsed from an input string,
    *  such as in `URI(`http://foo.com/mypath')`,
    *  this returns the entire argument passed i.e. `http://foo.com/mypath'.
    */
-  abstract Expr hostArg();
+  Expr getHostArg() { none() }
 }
 
 /** An URI constructor expression */
 class UriConstructor extends ClassInstanceExpr, UriCreation {
   UriConstructor() { this.getConstructor().getDeclaringType().getQualifiedName() = "java.net.URI" }
 
-  override Expr hostArg() {
+  override Expr getHostArg() {
     // URI​(String str)
     result = this.getArgument(0) and this.getNumArgument() = 1
     or
@@ -73,20 +78,22 @@ class UriConstructor extends ClassInstanceExpr, UriCreation {
   }
 }
 
+/** An URI create call */
 class UriCreate extends Call, UriCreation {
   UriCreate() {
     this.getCallee().getName() = "create" and
     this.getCallee().getDeclaringType() instanceof TypeUri
   }
 
-  override Expr hostArg() { result = this.getArgument(0) }
+  override Expr getHostArg() { result = this.getArgument(0) }
 }
 
 /* An URL constructor expression */
 class UrlConstructor extends ClassInstanceExpr {
   UrlConstructor() { this.getConstructor().getDeclaringType().getQualifiedName() = "java.net.URL" }
 
-  Expr hostArg() {
+  /** Returns the host of the newly created URI. */
+  Expr getHostArg() {
     // URL(String spec)
     this.getNumArgument() = 1 and result = this.getArgument(0)
     or
@@ -104,6 +111,7 @@ class UrlConstructor extends ClassInstanceExpr {
     result = this.getArgument(1)
   }
 
+  /** Returns the expression which corresponds to the protocol of the url. */
   Expr protocolArg() {
     // In all cases except where the first parameter is a URL, the argument
     // containing the protocol is the first one, otherwise it is the second.
@@ -113,13 +121,15 @@ class UrlConstructor extends ClassInstanceExpr {
   }
 }
 
+/** Models the `openStream` method of `java.net.url`. */
 class UrlOpenStreamMethod extends Method {
   UrlOpenStreamMethod() {
     this.getDeclaringType() instanceof TypeUrl and
     this.getName() = "openStream"
   }
 }
 
+/** Models the `openConnection` method of `java.net.url`. */
 class UrlOpenConnectionMethod extends Method {
   UrlOpenConnectionMethod() {
     this.getDeclaringType() instanceof TypeUrl and