Merge pull request #3215 from aibaars/validating-object-input

Java: teach UnsafeDeserialization about ValidatingObjectInputStream

java/ql/test/library-tests/UnsafeDeserialization/Test.java

@@ -0,0 +1,12 @@
+import java.io.IOException;
+import java.io.ObjectInputStream;
+import org.apache.commons.io.serialization.ValidatingObjectInputStream;
+
+class Test {
+	public void test() throws IOException, ClassNotFoundException {
+		ObjectInputStream objectStream = new ObjectInputStream(null);
+		ObjectInputStream validating = new ValidatingObjectInputStream(null);
+		objectStream.readObject();
+		validating.readObject();
+	}
+}

java/ql/test/library-tests/UnsafeDeserialization/unsafeDeserialization.expected

@@ -0,0 +1 @@
+| Test.java:9:3:9:27 | readObject(...) | ObjectInputStream |

java/ql/test/library-tests/UnsafeDeserialization/unsafeDeserialization.ql

@@ -0,0 +1,6 @@
+import default
+import semmle.code.java.security.UnsafeDeserialization
+
+from Method m, MethodAccess ma
+where ma.getMethod() = m and unsafeDeserialization(ma, _)
+select ma, m.getDeclaringType().getName()