Merge pull request #3215 from aibaars/validating-object-input

Java: teach UnsafeDeserialization about ValidatingObjectInputStream

java/ql/src/semmle/code/java/security/UnsafeDeserialization.qll

@@ -51,7 +51,14 @@ class SafeKryo extends DataFlow2::Configuration {
 predicate unsafeDeserialization(MethodAccess ma, Expr sink) {
   exists(Method m | m = ma.getMethod() |
     m instanceof ObjectInputStreamReadObjectMethod and
-    sink = ma.getQualifier()
+    sink = ma.getQualifier() and
+    not exists(DataFlow::ExprNode node |
+      node.getExpr() = sink and
+      node
+          .getTypeBound()
+          .(RefType)
+          .hasQualifiedName("org.apache.commons.io.serialization", "ValidatingObjectInputStream")
+    )
     or
     m instanceof XMLDecoderReadObjectMethod and
     sink = ma.getQualifier()

java/ql/test/library-tests/UnsafeDeserialization/Test.java

@@ -0,0 +1,12 @@
+import java.io.IOException;
+import java.io.ObjectInputStream;
+import org.apache.commons.io.serialization.ValidatingObjectInputStream;
+
+class Test {
+	public void test() throws IOException, ClassNotFoundException {
+		ObjectInputStream objectStream = new ObjectInputStream(null);
+		ObjectInputStream validating = new ValidatingObjectInputStream(null);
+		objectStream.readObject();
+		validating.readObject();
+	}
+}

java/ql/test/library-tests/UnsafeDeserialization/unsafeDeserialization.expected

@@ -0,0 +1 @@
+| Test.java:9:3:9:27 | readObject(...) | ObjectInputStream |

java/ql/test/library-tests/UnsafeDeserialization/unsafeDeserialization.ql

@@ -0,0 +1,6 @@
+import default
+import semmle.code.java.security.UnsafeDeserialization
+
+from Method m, MethodAccess ma
+where ma.getMethod() = m and unsafeDeserialization(ma, _)
+select ma, m.getDeclaringType().getName()