Azure python sdk url summary upstream

[bdrodes]

• Added MaD sinks for URLs in the azure SDK, labeled as 'ssrf'
• Updated HTTP request clients to use 'ssrf' MaD

[Copilot]

Pull Request Overview

This PR adds Server-Side Request Forgery (SSRF) modeling for the Azure Python SDK by introducing MaD (Models as Data) sinks and updating HTTP request clients to recognize SSRF vulnerabilities. This enables CodeQL to detect when user input can control URLs passed to Azure SDK methods.

• Added SSRF sink modeling framework for MaD-based HTTP requests
• Created comprehensive Azure SDK models for KeyVault and Storage services
• Added test coverage for Azure client SSRF scenarios

Reviewed Changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
python/ql/lib/semmle/python/frameworks/SSRFSink.qll	New framework for handling SSRF sinks through MaD models
python/ql/lib/semmle/python/frameworks/Azure.Storage.model.yml	MaD definitions for Azure Storage SDK SSRF sinks
python/ql/lib/semmle/python/frameworks/Azure.Keyvault.model.yml	MaD definitions for Azure KeyVault SDK SSRF sinks
python/ql/lib/semmle/python/Frameworks.qll	Import statement for new SSRFSink framework
python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_azure_client.py	Test cases for Azure SDK SSRF detection
python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/PartialServerSideRequestForgery.expected	Expected results for partial SSRF tests
python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/FullServerSideRequestForgery.expected	Expected results for full SSRF tests
python/ql/lib/change-notes/released/2025-09-30-azure_ssrf_models	Release notes for the changes

[owen-mc]

I'm not familiar with the python library in general, but I can review the use of models-as-data.

[owen-mc]

Looking at the other test failures (which aren't related to validation of sink kinds):

• python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/FullServerSideRequestForgery.qlref and python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/PartialServerSideRequestForgery.qlref are failing because of some line number changes - you should check if the new results make sense, and if so accept them.
• another test is failing for unrelated reasons. I've made a PR to fix it, which should be merged soon.

[bdrodes]

Looking at the other test failures (which aren't related to validation of sink kinds):

• python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/FullServerSideRequestForgery.qlref and python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/PartialServerSideRequestForgery.qlref are failing because of some line number changes - you should check if the new results make sense, and if so accept them.
• another test is failing for unrelated reasons. I've made a PR to fix it, which should be merged soon.

Fixed.

[owen-mc]

A few more thoughts.

[owen-mc]

This file doesn't really match the way the rest of the repo is structured. Normally this kind of code would go in python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryCustomizations.qll, but then it would only affect just the two SSRF queries. Since these models are principally adding to Http::Client::Request::Range, and only indirectly becoming SSRF sinks, it might make more sense to put them somewhere like python/ql/lib/semmle/python/Concepts.qll, maybe just below line 1658 import ConceptsShared::Http::Client as Client.

[owen-mc]

(And I would name the class HttpClientRequestFromModel.)

[yoff]

Indeed, this is my only remaining issue. There is also the philosophical question of whether all SSRF sinks really are client requests. If we had MaD for concepts, we could do this the other way round: Make all these models be client requests (with appropriate frameworks and certificate validation) and then they would be imported into the query automatically (and the query would decide that all client requests are SSRF sinks).

But for now, following the suggestion with HttpClientRequestFromModel would be ok.

[bdrodes]

I've just pushed a change for this. The class was moved and renamed as suggested. I did remove it from a module though. Let me know how this looks.