Added sinks for RmiBasedExporter and HessianExporter

2026-05-05 05:35:13 +02:00 · 2021-06-23 09:53:47 +02:00
parent fa215bcda5
commit 14e724bce6
10 changed files with 80 additions and 21 deletions
--- a/java/ql/test/experimental/query-tests/security/CWE-502/SpringExporterUnsafeDeserialization.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-502/SpringExporterUnsafeDeserialization.java
@@ -2,12 +2,32 @@ import org.springframework.boot.SpringBootConfiguration;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.remoting.caucho.HessianServiceExporter;
 import org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter;
 import org.springframework.remoting.rmi.RemoteInvocationSerializingExporter;
+import org.springframework.remoting.rmi.RmiServiceExporter;

@Configuration
 public class SpringExporterUnsafeDeserialization {

+    @Bean(name = "/unsafeRmiServiceExporter")
+    RmiServiceExporter unsafeRmiServiceExporter() {
+        RmiServiceExporter exporter = new RmiServiceExporter();
+        exporter.setServiceInterface(AccountService.class);
+        exporter.setService(new AccountServiceImpl());
+        exporter.setServiceName(AccountService.class.getSimpleName());
+        exporter.setRegistryPort(1099); 
+        return exporter;
+    }
+
+    @Bean(name = "/unsafeHessianServiceExporter")
+    HessianServiceExporter unsafeHessianServiceExporter() {
+        HessianServiceExporter exporter = new HessianServiceExporter();
+        exporter.setService(new AccountServiceImpl());
+        exporter.setServiceInterface(AccountService.class);
+        return exporter;
+    }
+
    @Bean(name = "/unsafeHttpInvokerServiceExporter")
    HttpInvokerServiceExporter unsafeHttpInvokerServiceExporter() {
        HttpInvokerServiceExporter exporter = new HttpInvokerServiceExporter();
--- a/java/ql/test/experimental/query-tests/security/CWE-502/UnsafeSpringExporterInConfigurationClass.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-502/UnsafeSpringExporterInConfigurationClass.expected
@@ -1,4 +1,6 @@
-| SpringExporterUnsafeDeserialization.java:12:32:12:63 | unsafeHttpInvokerServiceExporter | Unsafe deserialization in a Spring exporter bean '/unsafeHttpInvokerServiceExporter' |
-| SpringExporterUnsafeDeserialization.java:20:41:20:88 | unsafeCustomeRemoteInvocationSerializingExporter | Unsafe deserialization in a Spring exporter bean '/unsafeCustomeRemoteInvocationSerializingExporter' |
-| SpringExporterUnsafeDeserialization.java:36:32:36:63 | unsafeHttpInvokerServiceExporter | Unsafe deserialization in a Spring exporter bean '/unsafeHttpInvokerServiceExporter' |
-| SpringExporterUnsafeDeserialization.java:48:32:48:63 | unsafeHttpInvokerServiceExporter | Unsafe deserialization in a Spring exporter bean '/unsafeHttpInvokerServiceExporter' |
+| SpringExporterUnsafeDeserialization.java:14:24:14:47 | unsafeRmiServiceExporter | Unsafe deserialization in a Spring exporter bean '/unsafeRmiServiceExporter' |
+| SpringExporterUnsafeDeserialization.java:24:28:24:55 | unsafeHessianServiceExporter | Unsafe deserialization in a Spring exporter bean '/unsafeHessianServiceExporter' |
+| SpringExporterUnsafeDeserialization.java:32:32:32:63 | unsafeHttpInvokerServiceExporter | Unsafe deserialization in a Spring exporter bean '/unsafeHttpInvokerServiceExporter' |
+| SpringExporterUnsafeDeserialization.java:40:41:40:88 | unsafeCustomeRemoteInvocationSerializingExporter | Unsafe deserialization in a Spring exporter bean '/unsafeCustomeRemoteInvocationSerializingExporter' |
+| SpringExporterUnsafeDeserialization.java:56:32:56:63 | unsafeHttpInvokerServiceExporter | Unsafe deserialization in a Spring exporter bean '/unsafeHttpInvokerServiceExporter' |
+| SpringExporterUnsafeDeserialization.java:68:32:68:63 | unsafeHttpInvokerServiceExporter | Unsafe deserialization in a Spring exporter bean '/unsafeHttpInvokerServiceExporter' |
--- a/java/ql/test/experimental/query-tests/security/CWE-502/UnsafeSpringExporterInXMLConfiguration.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-502/UnsafeSpringExporterInXMLConfiguration.expected
@@ -1,2 +1,4 @@
 | beans.xml:10:5:13:12 | /unsafeBooking | Unsafe deserialization in a Spring exporter bean '/unsafeBooking' |
 | beans.xml:15:5:18:12 | org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter | Unsafe deserialization in a Spring exporter bean 'org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter' |
+| beans.xml:20:5:24:12 | org.springframework.remoting.rmi.RmiServiceExporter | Unsafe deserialization in a Spring exporter bean 'org.springframework.remoting.rmi.RmiServiceExporter' |
+| beans.xml:26:5:29:12 | org.springframework.remoting.caucho.HessianServiceExporter | Unsafe deserialization in a Spring exporter bean 'org.springframework.remoting.caucho.HessianServiceExporter' |
--- a/java/ql/test/experimental/query-tests/security/CWE-502/beans.xml
+++ b/java/ql/test/experimental/query-tests/security/CWE-502/beans.xml
@@ -16,4 +16,15 @@
        <property name="service" ref="anotherBookingService"/>
        <property name="serviceInterface" value="com.gypsyengineer.api.CabBookingService"/>
    </bean>
+
+    <bean class="org.springframework.remoting.rmi.RmiServiceExporter">
+        <property name="service" ref="oneMoreBookingService"/>
+        <property name="serviceInterface" value="com.gypsyengineer.api.CabBookingService"/>
+        <property name="registryPort" value="1199"/>
+    </bean>
+
+    <bean class="org.springframework.remoting.caucho.HessianServiceExporter">
+        <property name="service" ref="oneMoreBookingService"/>
+        <property name="serviceInterface" value="com.gypsyengineer.api.CabBookingService"/>
+    </bean>
 </beans>