hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-29 18:55:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Added SpringHttpInvokerUnsafeDeserialization.ql

Browse Source
This commit is contained in:
Artem Smotrakov
2021-02-21 19:45:12 +01:00
parent cea1049745
commit 476309af6d
1 changed files with 56 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

56
java/ql/src/experimental/Security/CWE/CWE-502/SpringHttpInvokerUnsafeDeserialization.ql Normal file
View File

@@ -0,0 +1,56 @@
/**
* @name Unsafe deserialization with spring's remote service exporters.
* @description Creating a bean based on RemoteInvocationSerializingExporter
* may lead to arbitrary code execution.
* @kind problem
* @problem.severity error
* @precision high
* @id java/spring-exporter-unsafe-deserialization
* @tags security
* external/cwe/cwe-502
*/
import java
/**
* Holds if `method` initializes a bean.
*/
private predicate createsBean(Method method) {
method.hasAnnotation("org.springframework.context.annotation", "Bean")
}
/**
* Holds if `type` is `RemoteInvocationSerializingExporter`.
*/
private predicate isRemoteInvocationSerializingExporter(RefType type) {
type.hasQualifiedName("org.springframework.remoting.rmi", "RemoteInvocationSerializingExporter")
}
/**
* Holds if `method` returns an object that extends `RemoteInvocationSerializingExporter`.
*/
private predicate returnsRemoteInvocationSerializingExporter(Method method) {
isRemoteInvocationSerializingExporter(method.getReturnType()) or
isRemoteInvocationSerializingExporter(method.getReturnType().(RefType).getASupertype*())
}
/**
* Holds if `method` belongs to a Spring configuration.
*/
private predicate isInConfiguration(Method method) {
method.getDeclaringType().hasAnnotation("org.springframework.context.annotation", "Configuration")
}
/**
* Holds if `method` initializes a bean that is based on `RemoteInvocationSerializingExporter`.
*/
private predicate createsRemoteInvocationSerializingExporterBean(Method method) {
isInConfiguration(method) and
createsBean(method) and
returnsRemoteInvocationSerializingExporter(method)
}
from Method method
where createsRemoteInvocationSerializingExporterBean(method)
select method,
"Unasafe deserialization in a remote service exporter in '" + method.getName() + "' method"