hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-28 18:25:24 +02:00
Code Issues Packages Projects Releases Wiki Activity

Java: Adjust reference to static method and add test.

Browse Source
This commit is contained in:
Anders Schack-Mulligen
2020-10-15 15:14:33 +02:00
parent 80ee92ae97
commit 4be731d2ab
11 changed files with 348 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
java/ql/src/semmle/code/java/frameworks/FastJson.qll
View File

@@ -5,18 +5,14 @@
import java
/**
* The class `com.alibaba.fastjson.JSON` or `com.alibaba.fastjson.JSONObject`.
* The class `com.alibaba.fastjson.JSON`.
*/
class FastJson extends RefType {
FastJson() {
this.hasQualifiedName("com.alibaba.fastjson", "JSON") or
this.hasQualifiedName("com.alibaba.fastjson", "JSONObject")
}
FastJson() { this.hasQualifiedName("com.alibaba.fastjson", "JSON") }
}
/**
* A FastJson parse method. This is either `parse` or `parseObject` on either
* `com.alibaba.fastjson.JSON` or `com.alibaba.fastjson.JSONObject`.
* A FastJson parse method. This is either `JSON.parse` or `JSON.parseObject`.
*/
class FastJsonParseMethod extends Method {
FastJsonParseMethod() {

33
java/ql/test/query-tests/security/CWE-502/B.java Normal file
View File

@@ -0,0 +1,33 @@
import java.io.*;
import java.net.Socket;
import com.alibaba.fastjson.JSON;
public class B {
public Object deserializeJson1(Socket sock) {
InputStream inputStream = sock.getInputStream();
return JSON.parseObject(inputStream, null); // unsafe
}
public Object deserializeJson2(Socket sock) {
InputStream inputStream = sock.getInputStream();
byte[] bytes = new byte[100];
inputStream.read(bytes);
return JSON.parse(bytes); // unsafe
}
public Object deserializeJson3(Socket sock) {
InputStream inputStream = sock.getInputStream();
byte[] bytes = new byte[100];
inputStream.read(bytes);
String s = new String(bytes);
return JSON.parseObject(s); // unsafe
}
public Object deserializeJson4(Socket sock) {
InputStream inputStream = sock.getInputStream();
byte[] bytes = new byte[100];
inputStream.read(bytes);
String s = new String(bytes);
return JSON.parse(s); // unsafe
}
}

16
java/ql/test/query-tests/security/CWE-502/UnsafeDeserialization.expected
View File

@@ -16,6 +16,10 @@ edges
| A.java:70:25:70:45 | getInputStream(...) : InputStream | A.java:73:28:73:55 | new InputStreamReader(...) |
| A.java:70:25:70:45 | getInputStream(...) : InputStream | A.java:74:24:74:28 | input |
| A.java:70:25:70:45 | getInputStream(...) : InputStream | A.java:75:24:75:51 | new InputStreamReader(...) |
| B.java:7:31:7:51 | getInputStream(...) : InputStream | B.java:8:29:8:39 | inputStream |
| B.java:12:31:12:51 | getInputStream(...) : InputStream | B.java:15:23:15:27 | bytes |
| B.java:19:31:19:51 | getInputStream(...) : InputStream | B.java:23:29:23:29 | s |
| B.java:27:31:27:51 | getInputStream(...) : InputStream | B.java:31:23:31:23 | s |
| TestMessageBodyReader.java:20:55:20:78 | entityStream : InputStream | TestMessageBodyReader.java:22:18:22:52 | new ObjectInputStream(...) |
nodes
| A.java:13:31:13:51 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
@@ -42,6 +46,14 @@ nodes
| A.java:73:28:73:55 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) |
| A.java:74:24:74:28 | input | semmle.label | input |
| A.java:75:24:75:51 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) |
| B.java:7:31:7:51 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
| B.java:8:29:8:39 | inputStream | semmle.label | inputStream |
| B.java:12:31:12:51 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
| B.java:15:23:15:27 | bytes | semmle.label | bytes |
| B.java:19:31:19:51 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
| B.java:23:29:23:29 | s | semmle.label | s |
| B.java:27:31:27:51 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
| B.java:31:23:31:23 | s | semmle.label | s |
| TestMessageBodyReader.java:20:55:20:78 | entityStream : InputStream | semmle.label | entityStream : InputStream |
| TestMessageBodyReader.java:22:18:22:52 | new ObjectInputStream(...) | semmle.label | new ObjectInputStream(...) |
#select
@@ -62,4 +74,8 @@ nodes
| A.java:73:17:73:56 | parse(...) | A.java:70:25:70:45 | getInputStream(...) : InputStream | A.java:73:28:73:55 | new InputStreamReader(...) | Unsafe deserialization of $@. | A.java:70:25:70:45 | getInputStream(...) | user input |
| A.java:74:12:74:38 | loadAs(...) | A.java:70:25:70:45 | getInputStream(...) : InputStream | A.java:74:24:74:28 | input | Unsafe deserialization of $@. | A.java:70:25:70:45 | getInputStream(...) | user input |
| A.java:75:12:75:61 | loadAs(...) | A.java:70:25:70:45 | getInputStream(...) : InputStream | A.java:75:24:75:51 | new InputStreamReader(...) | Unsafe deserialization of $@. | A.java:70:25:70:45 | getInputStream(...) | user input |
| B.java:8:12:8:46 | parseObject(...) | B.java:7:31:7:51 | getInputStream(...) : InputStream | B.java:8:29:8:39 | inputStream | Unsafe deserialization of $@. | B.java:7:31:7:51 | getInputStream(...) | user input |
| B.java:15:12:15:28 | parse(...) | B.java:12:31:12:51 | getInputStream(...) : InputStream | B.java:15:23:15:27 | bytes | Unsafe deserialization of $@. | B.java:12:31:12:51 | getInputStream(...) | user input |
| B.java:23:12:23:30 | parseObject(...) | B.java:19:31:19:51 | getInputStream(...) : InputStream | B.java:23:29:23:29 | s | Unsafe deserialization of $@. | B.java:19:31:19:51 | getInputStream(...) | user input |
| B.java:31:12:31:24 | parse(...) | B.java:27:31:27:51 | getInputStream(...) : InputStream | B.java:31:23:31:23 | s | Unsafe deserialization of $@. | B.java:27:31:27:51 | getInputStream(...) | user input |
| TestMessageBodyReader.java:22:18:22:65 | readObject(...) | TestMessageBodyReader.java:20:55:20:78 | entityStream : InputStream | TestMessageBodyReader.java:22:18:22:52 | new ObjectInputStream(...) | Unsafe deserialization of $@. | TestMessageBodyReader.java:20:55:20:78 | entityStream | user input |

2
java/ql/test/query-tests/security/CWE-502/options
View File

@@ -1 +1 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/snakeyaml-1.21:${testdir}/../../../stubs/xstream-1.4.10:${testdir}/../../../stubs/kryo-4.0.2:${testdir}/../../../stubs/jsr311-api-1.1.1
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/snakeyaml-1.21:${testdir}/../../../stubs/xstream-1.4.10:${testdir}/../../../stubs/kryo-4.0.2:${testdir}/../../../stubs/jsr311-api-1.1.1:${testdir}/../../../stubs/fastjson-1.2.74

210
java/ql/test/stubs/fastjson-1.2.74/com/alibaba/fastjson/JSON.java Normal file
View File

@@ -0,0 +1,210 @@
/*
* Copyright 1999-2017 Alibaba Group.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package com.alibaba.fastjson;
import java.io.IOException;
import java.io.InputStream;
import java.lang.reflect.Type;
import java.nio.charset.Charset;
import java.nio.charset.CharsetDecoder;
import java.util.*;
import com.alibaba.fastjson.parser.*;
import com.alibaba.fastjson.parser.deserializer.ParseProcess;
public abstract class JSON {
public static Object parse(String text) {
return null;
}
public static Object parse(String text, ParserConfig config) {
return null;
}
public static Object parse(String text, ParserConfig config, Feature... features) {
return null;
}
public static Object parse(String text, ParserConfig config, int features) {
return null;
}
public static Object parse(String text, int features) {
return null;
}
public static Object parse(byte[] input, Feature... features) {
return null;
}
public static Object parse(byte[] input, int off, int len, CharsetDecoder charsetDecoder, Feature... features) {
return null;
}
public static Object parse(byte[] input, int off, int len, CharsetDecoder charsetDecoder, int features) {
return null;
}
public static Object parse(String text, Feature... features) {
return null;
}
public static JSONObject parseObject(String text, Feature... features) {
return null;
}
public static JSONObject parseObject(String text) {
return null;
}
public static <T> T parseObject(String text, TypeReference<T> type, Feature... features) {
return null;
}
public static <T> T parseObject(String json, Class<T> clazz, Feature... features) {
return null;
}
public static <T> T parseObject(String text, Class<T> clazz, ParseProcess processor, Feature... features) {
return null;
}
public static <T> T parseObject(String json, Type type, Feature... features) {
return null;
}
public static <T> T parseObject(String input, Type clazz, ParseProcess processor, Feature... features) {
return null;
}
public static <T> T parseObject(String input, Type clazz, int featureValues, Feature... features) {
return null;
}
public static <T> T parseObject(String input, Type clazz, ParserConfig config, Feature... features) {
return null;
}
public static <T> T parseObject(String input, Type clazz, ParserConfig config, int featureValues,
Feature... features) {
return null;
}
public static <T> T parseObject(String input, Type clazz, ParserConfig config, ParseProcess processor,
int featureValues, Feature... features) {
return null;
}
public static <T> T parseObject(byte[] bytes, Type clazz, Feature... features) {
return null;
}
public static <T> T parseObject(byte[] bytes, int offset, int len, Charset charset, Type clazz, Feature... features) {
return null;
}
public static <T> T parseObject(byte[] bytes,
Charset charset,
Type clazz,
ParserConfig config,
ParseProcess processor,
int featureValues,
Feature... features) {
return null;
}
public static <T> T parseObject(byte[] bytes, int offset, int len,
Charset charset,
Type clazz,
ParserConfig config,
ParseProcess processor,
int featureValues,
Feature... features) {
return null;
}
public static <T> T parseObject(byte[] input,
int off,
int len,
CharsetDecoder charsetDecoder,
Type clazz,
Feature... features) {
return null;
}
public static <T> T parseObject(char[] input, int length, Type clazz, Feature... features) {
return null;
}
public static <T> T parseObject(InputStream is,
Type type,
Feature... features) throws IOException {
return null;
}
public static <T> T parseObject(InputStream is,
Charset charset,
Type type,
Feature... features) throws IOException {
return null;
}
public static <T> T parseObject(InputStream is,
Charset charset,
Type type,
ParserConfig config,
Feature... features) throws IOException {
return null;
}
public static <T> T parseObject(InputStream is,
Charset charset,
Type type,
ParserConfig config,
ParseProcess processor,
int featureValues,
Feature... features) throws IOException {
return null;
}
public static <T> T parseObject(String text, Class<T> clazz) {
return null;
}
public static JSONArray parseArray(String text) {
return null;
}
public static JSONArray parseArray(String text, ParserConfig parserConfig) {
return null;
}
public static <T> List<T> parseArray(String text, Class<T> clazz) {
return null;
}
public static <T> List<T> parseArray(String text, Class<T> clazz, ParserConfig config) {
return null;
}
public static List<Object> parseArray(String text, Type[] types) {
return null;
}
public static List<Object> parseArray(String text, Type[] types, ParserConfig config) {
return null;
}
}

19
java/ql/test/stubs/fastjson-1.2.74/com/alibaba/fastjson/JSONArray.java Normal file
View File

@@ -0,0 +1,19 @@
/*
* Copyright 1999-2017 Alibaba Group.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package com.alibaba.fastjson;
public class JSONArray extends JSON {
}

19
java/ql/test/stubs/fastjson-1.2.74/com/alibaba/fastjson/JSONObject.java Normal file
View File

@@ -0,0 +1,19 @@
/*
* Copyright 1999-2017 Alibaba Group.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package com.alibaba.fastjson;
public class JSONObject extends JSON {
}

4
java/ql/test/stubs/fastjson-1.2.74/com/alibaba/fastjson/TypeReference.java Normal file
View File

@@ -0,0 +1,4 @@
package com.alibaba.fastjson;
public class TypeReference<T> {
}

19
java/ql/test/stubs/fastjson-1.2.74/com/alibaba/fastjson/parser/Feature.java Normal file
View File

@@ -0,0 +1,19 @@
/*
* Copyright 1999-2017 Alibaba Group.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package com.alibaba.fastjson.parser;
public enum Feature {
}

20
java/ql/test/stubs/fastjson-1.2.74/com/alibaba/fastjson/parser/ParserConfig.java Normal file
View File

@@ -0,0 +1,20 @@
/*
* Copyright 1999-2017 Alibaba Group.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package com.alibaba.fastjson.parser;
public class ParserConfig {
public void setSafeMode(boolean safeMode) { }
}

4
java/ql/test/stubs/fastjson-1.2.74/com/alibaba/fastjson/parser/deserializer/ParseProcess.java Normal file
View File

@@ -0,0 +1,4 @@
package com.alibaba.fastjson.parser.deserializer;
public interface ParseProcess {
}