Merge pull request #3215 from aibaars/validating-object-input

Java: teach UnsafeDeserialization about ValidatingObjectInputStream
2026-03-01 05:13:41 +01:00 · 2020-05-07 14:57:50 +02:00
parent 964b8478dc 39e652b26b
commit 2561ba82db
4 changed files with 27 additions and 1 deletions
--- a/java/ql/src/semmle/code/java/security/UnsafeDeserialization.qll
+++ b/java/ql/src/semmle/code/java/security/UnsafeDeserialization.qll
@@ -51,7 +51,14 @@ class SafeKryo extends DataFlow2::Configuration {
 predicate unsafeDeserialization(MethodAccess ma, Expr sink) {
  exists(Method m | m = ma.getMethod() |
    m instanceof ObjectInputStreamReadObjectMethod and
-    sink = ma.getQualifier()
+    sink = ma.getQualifier() and
+    not exists(DataFlow::ExprNode node |
+      node.getExpr() = sink and
+      node
+          .getTypeBound()
+          .(RefType)
+          .hasQualifiedName("org.apache.commons.io.serialization", "ValidatingObjectInputStream")
+    )
    or
    m instanceof XMLDecoderReadObjectMethod and
    sink = ma.getQualifier()