Removed fromSource() check in looksLikeResolveClassStep()

2025-12-21 19:26:31 +01:00 · 2021-06-23 10:48:50 +02:00
parent c98f1a479e
commit 09ae779b21
63 changed files with 2 additions and 198 deletions
--- a/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp
+++ b/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp
@@ -76,7 +76,6 @@ SnakeYaml documentation on deserialization:
 <a href="https://bitbucket.org/asomov/snakeyaml/wiki/Documentation#markdown-header-loading-yaml">SnakeYaml deserialization</a>.
 </li>
 <li>
-<<<<<<< HEAD
 Hessian deserialization and related gadget chains:
 <a href="https://paper.seebug.org/1137/">Hessian deserialization</a>.
 </li>
@@ -91,7 +90,8 @@ Remote code execution in JYaml library:
 <li>
 JsonIO deserialization vulnerabilities:
 <a href="https://klezvirus.github.io/Advanced-Web-Hacking/Serialisation/">JsonIO deserialization</a>.
-=======
+</li>
+<li>
 Research by Moritz Bechler:
 <a href="https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true">Java Unmarshaller Security - Turning your data into code execution</a>
 </li>
@@ -99,7 +99,6 @@ Research by Moritz Bechler:
 Blog posts by the developer of Jackson libraries:
 <a href="https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062">On Jackson CVEs: Don’t Panic — Here is what you need to know</a>
 <a href="https://cowtowncoder.medium.com/jackson-2-10-safe-default-typing-2d018f0ce2ba">Jackson 2.10: Safe Default Typing</a>
->>>>>>> Added Jackson to UnsafeDeserialization.qhelp
 </li>
 </references>

--- a/java/ql/src/experimental/Security/CWE/CWE-208/CWE-208.testproj/codeql-database.yml
+++ b/java/ql/src/experimental/Security/CWE/CWE-208/CWE-208.testproj/codeql-database.yml
@@ -1,28 +0,0 @@
---
-sourceLocationPrefix: "/media/i504100/Artem_Flash_1T/codeql-bounties/codeql-repo/java/ql/src"
-unicodeNewlines: false
-columnKind: "utf16"
-primaryLanguage: "java"
-inProgress:
-  primaryLanguage: "java"
-  installedExtractors:
-    cpp:
-    - "file:///media/i504100/Artem_Flash_1T/codeql-bounties/codeql-cli/cpp/"
-    csharp:
-    - "file:///media/i504100/Artem_Flash_1T/codeql-bounties/codeql-cli/csharp/"
-    csv:
-    - "file:///media/i504100/Artem_Flash_1T/codeql-bounties/codeql-cli/csv/"
-    go:
-    - "file:///media/i504100/Artem_Flash_1T/codeql-bounties/codeql-cli/go/"
-    html:
-    - "file:///media/i504100/Artem_Flash_1T/codeql-bounties/codeql-cli/html/"
-    java:
-    - "file:///media/i504100/Artem_Flash_1T/codeql-bounties/codeql-cli/java/"
-    javascript:
-    - "file:///media/i504100/Artem_Flash_1T/codeql-bounties/codeql-cli/javascript/"
-    properties:
-    - "file:///media/i504100/Artem_Flash_1T/codeql-bounties/codeql-cli/properties/"
-    python:
-    - "file:///media/i504100/Artem_Flash_1T/codeql-bounties/codeql-cli/python/"
-    xml:
-    - "file:///media/i504100/Artem_Flash_1T/codeql-bounties/codeql-cli/xml/"
--- a/java/ql/src/experimental/Security/CWE/CWE-208/CWE-208.testproj/log/javac-errors.log
+++ b/java/ql/src/experimental/Security/CWE/CWE-208/CWE-208.testproj/log/javac-errors.log
@@ -1 +0,0 @@
-[2021-06-14 08:53:54] [javac-extractor-9926] [ERROR] 10 errors were reported by javac.
--- a/java/ql/src/experimental/Security/CWE/CWE-208/CWE-208.testproj/log/javac-extractor-9926.log
+++ b/java/ql/src/experimental/Security/CWE/CWE-208/CWE-208.testproj/log/javac-extractor-9926.log
@@ -1,9 +0,0 @@
-[2021-06-14 08:53:53] [javac-extractor-9926] Starting extraction for:
-                                             sun.java.command=com.semmle.extractor.java.JavaExtractor --javacOptions -source 8 --strict-javac-errors --encoding UTF-8 --files SafeMacComparison.java UnsafeMacComparison.java
-                                             user.dir=/media/i504100/Artem_Flash_1T/codeql-bounties/codeql-repo/java/ql/src/experimental/Security/CWE/CWE-208
-[2021-06-14 08:53:54] [javac-extractor-9926] Javac init time: 0.6s
-[2021-06-14 08:53:54] [javac-extractor-9926] Javac attr time: 0.0s
-[2021-06-14 08:53:54] [javac-extractor-9926] Extractor time: 0.0s
-[2021-06-14 08:53:54] [javac-extractor-9926] Other time: 0.2s
-[2021-06-14 08:53:54] [javac-extractor-9926] Total time: 0.7s
-[2021-06-14 08:53:54] [javac-extractor-9926] [ERROR] 10 errors were reported by javac.
--- a/java/ql/src/experimental/Security/CWE/CWE-208/CWE-208.testproj/log/javac-output-9926.log
+++ b/java/ql/src/experimental/Security/CWE/CWE-208/CWE-208.testproj/log/javac-output-9926.log
@@ -1,31 +0,0 @@
-[2021-06-14 08:53:53] [javac-output-9926] warning: [options] bootstrap class path not set in conjunction with -source 8
-[2021-06-14 08:53:53] [javac-output-9926] SafeMacComparison.java:1: error: class, interface, or enum expected
-[2021-06-14 08:53:53] [javac-output-9926] public boolean check(byte[] expected, byte[] data, SecretKey key) throws Exception {
-[2021-06-14 08:53:53] [javac-output-9926]        ^
-[2021-06-14 08:53:53] [javac-output-9926] SafeMacComparison.java:3: error: class, interface, or enum expected
-[2021-06-14 08:53:53] [javac-output-9926]     mac.init(new SecretKeySpec(key.getEncoded(), "HmacSHA256"));
-[2021-06-14 08:53:53] [javac-output-9926]     ^
-[2021-06-14 08:53:53] [javac-output-9926] SafeMacComparison.java:4: error: class, interface, or enum expected
-[2021-06-14 08:53:53] [javac-output-9926]     byte[] actual = mac.doFinal(data);
-[2021-06-14 08:53:53] [javac-output-9926]     ^
-[2021-06-14 08:53:53] [javac-output-9926] SafeMacComparison.java:5: error: class, interface, or enum expected
-[2021-06-14 08:53:53] [javac-output-9926]     return MessageDigest.isEqual(expected, actual);
-[2021-06-14 08:53:53] [javac-output-9926]     ^
-[2021-06-14 08:53:53] [javac-output-9926] SafeMacComparison.java:6: error: class, interface, or enum expected
-[2021-06-14 08:53:53] [javac-output-9926] }
-[2021-06-14 08:53:53] [javac-output-9926] ^
-[2021-06-14 08:53:53] [javac-output-9926] UnsafeMacComparison.java:1: error: class, interface, or enum expected
-[2021-06-14 08:53:53] [javac-output-9926] public boolean check(byte[] expected, byte[] data, SecretKey key) throws Exception {
-[2021-06-14 08:53:53] [javac-output-9926]        ^
-[2021-06-14 08:53:53] [javac-output-9926] UnsafeMacComparison.java:3: error: class, interface, or enum expected
-[2021-06-14 08:53:53] [javac-output-9926]     mac.init(new SecretKeySpec(key.getEncoded(), "HmacSHA256"));
-[2021-06-14 08:53:53] [javac-output-9926]     ^
-[2021-06-14 08:53:53] [javac-output-9926] UnsafeMacComparison.java:4: error: class, interface, or enum expected
-[2021-06-14 08:53:53] [javac-output-9926]     byte[] actual = mac.doFinal(data);
-[2021-06-14 08:53:53] [javac-output-9926]     ^
-[2021-06-14 08:53:53] [javac-output-9926] UnsafeMacComparison.java:5: error: class, interface, or enum expected
-[2021-06-14 08:53:53] [javac-output-9926]     return Arrays.equals(expected, actual);
-[2021-06-14 08:53:53] [javac-output-9926]     ^
-[2021-06-14 08:53:53] [javac-output-9926] UnsafeMacComparison.java:6: error: class, interface, or enum expected
-[2021-06-14 08:53:53] [javac-output-9926] }
-[2021-06-14 08:53:53] [javac-output-9926] ^
--- a/java/ql/src/experimental/Security/CWE/CWE-208/CWE-208.testproj/trap/java/diagnostics/diagnostic.trap.gz
+++ b/java/ql/src/experimental/Security/CWE/CWE-208/CWE-208.testproj/trap/java/diagnostics/diagnostic.trap.gz
--- a/java/ql/src/semmle/code/java/security/UnsafeDeserialization.qll
+++ b/java/ql/src/semmle/code/java/security/UnsafeDeserialization.qll
@@ -281,7 +281,6 @@ private predicate looksLikeResolveClassStep(DataFlow::Node fromNode, DataFlow::N
  |
    m.getReturnType() instanceof JacksonTypeDescriptorType and
    m.getName().toLowerCase().regexpMatch("resolve|load|class|type") and
-    m.fromSource() and
    arg.getType() instanceof TypeString and
    arg = fromNode.asExpr() and
    ma = toNode.asExpr()
				`@@ -1 +0,0 @@`
				`[2021-06-14 08:53:54] [javac-extractor-9926] [ERROR] 10 errors were reported by javac.`