hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-22 03:36:30 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add UnsafeDeserialization

Browse Source
This commit is contained in:
haby0
2021-05-12 12:18:26 +08:00
parent 0c724a8427
commit 12f47bcf24
38 changed files with 2054 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp
View File

@@ -14,8 +14,8 @@ may have unforeseen effects, such as the execution of arbitrary code.
</p>
<p>
There are many different serialization frameworks. This query currently
supports Kryo, XmlDecoder, XStream, SnakeYaml, and Java IO serialization through
<code>ObjectInputStream</code>/<code>ObjectOutputStream</code>.
supports Kryo, XmlDecoder, XStream, SnakeYaml, Hessian, JsonIO, YAMLBeans, Castor, Burlap,
and Java IO serialization through <code>ObjectInputStream</code>/<code>ObjectOutputStream</code>.
</p>
</overview>
@@ -75,6 +75,22 @@ Alvaro Muñoz &amp; Christian Schneider, RSAConference 2016:
SnakeYaml documentation on deserialization:
<a href="https://bitbucket.org/asomov/snakeyaml/wiki/Documentation#markdown-header-loading-yaml">SnakeYaml deserialization</a>.
</li>
<li>
Hessian deserialization and related gadget chains:
<a href="https://paper.seebug.org/1137/">Hessian deserialization</a>.
</li>
<li>
Castor and Hessian java deserialization vulnerabilities:
<a href="https://securitylab.github.com/research/hessian-java-deserialization-castor-vulnerabilities/">Castor and Hessian deserialization</a>.
</li>
<li>
Remote code execution in JYaml library:
<a href="https://www.cybersecurity-help.cz/vdb/SB2020022512">JYaml deserialization</a>.
</li>
<li>
JsonIO deserialization vulnerabilities:
<a href="https://klezvirus.github.io/Advanced-Web-Hacking/Serialisation/">JsonIO deserialization</a>.
</li>
</references>
</qhelp>

33
java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql
View File

@@ -21,6 +21,39 @@ class UnsafeDeserializationConfig extends TaintTracking::Configuration {
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
override predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeDeserializationSink }
override predicate isAdditionalTaintStep(DataFlow::Node prod, DataFlow::Node succ) {
exists(ClassInstanceExpr cie |
cie.getConstructor().getDeclaringType() instanceof JsonReader and
cie.getArgument(0) = prod.asExpr() and
cie = succ.asExpr() and
not exists(SafeJsonIo sji | sji.hasFlowToExpr(cie.getArgument(1)))
)
or
exists(ClassInstanceExpr cie |
cie.getConstructor().getDeclaringType() instanceof YamlReader and
cie.getArgument(0) = prod.asExpr() and
cie = succ.asExpr()
)
or
exists(ClassInstanceExpr cie |
cie.getConstructor().getDeclaringType() instanceof UnSafeHessianInput and
cie.getArgument(0) = prod.asExpr() and
cie = succ.asExpr()
)
or
exists(ClassInstanceExpr cie |
cie.getConstructor().getDeclaringType() instanceof BurlapInput and
cie.getArgument(0) = prod.asExpr() and
cie = succ.asExpr()
)
or
exists(MethodAccess ma |
ma.getMethod() instanceof BurlapInputInitMethod and
ma.getArgument(0) = prod.asExpr() and
ma.getQualifier() = succ.asExpr()
)
}
}
from DataFlow::PathNode source, DataFlow::PathNode sink, UnsafeDeserializationConfig conf