add change notes

2026-04-30 11:15:13 +02:00 · 2021-05-17 14:52:05 +08:00
parent 60fc607449
commit 58d774ae85
5 changed files with 13 additions and 32 deletions
--- a/java/change-notes/2021-05-17-add-unsafe-deserialization-sinks.md
+++ b/java/change-notes/2021-05-17-add-unsafe-deserialization-sinks.md
@@ -0,0 +1,3 @@
+lgtm,codescanning
+* The "Deserialization of user-controlled data" (`java/unsafe-deserialization`) query
+  now recognizes `JYaml`, `JsonIO`, `YAMLBeans`, `HessianBurlap`, `Castor`, `Burlap` deserialization.
--- a/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp
+++ b/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp
@@ -14,7 +14,7 @@ may have unforeseen effects, such as the execution of arbitrary code.
 </p>
 <p>
 There are many different serialization frameworks.  This query currently
-supports Kryo, XmlDecoder, XStream, SnakeYaml, Hessian, JsonIO, YAMLBeans, Castor, Burlap, 
+supports Kryo, XmlDecoder, XStream, SnakeYaml, JYaml, JsonIO, YAMLBeans, HessianBurlap, Castor, Burlap 
 and Java IO serialization through <code>ObjectInputStream</code>/<code>ObjectOutputStream</code>.
 </p>
 </overview>
--- a/java/ql/src/semmle/code/java/frameworks/HessianBurlap.qll
+++ b/java/ql/src/semmle/code/java/frameworks/HessianBurlap.qll
@@ -5,7 +5,7 @@
 import java

 /**
- * The class `com.caucho.hessian.io.AbstractHessianInput` or `com.alibaba.com.caucho.hessian.io.Hessian2StreamingInput`.
+ * The classes `[com.alibaba.]com.caucho.hessian.io.AbstractHessianInput` or `[com.alibaba.]com.caucho.hessian.io.Hessian2StreamingInput`.
 */
 class UnsafeHessianInput extends RefType {
  UnsafeHessianInput() {
--- a/java/ql/src/semmle/code/java/frameworks/JYaml.qll
+++ b/java/ql/src/semmle/code/java/frameworks/JYaml.qll
@@ -5,37 +5,18 @@
 import java

 /**
- * The class `org.ho.yaml.Yaml`.
+ * The class `org.ho.yaml.Yaml` or `org.ho.yaml.YamlConfig`.
 */
-class JYaml extends RefType {
-  JYaml() { this.hasQualifiedName("org.ho.yaml", "Yaml") }
+class JYamlLoader extends RefType {
+  JYamlLoader() { this.hasQualifiedName("org.ho.yaml", ["Yaml", "YamlConfig"]) }
 }

 /**
- * A JYaml unsafe load method. This is either `YAML.load` or
- * `YAML.loadType` or `YAML.loadStream` or `YAML.loadStreamOfType`.
+ * A JYaml unsafe load method, declared on either `Yaml` or `YamlConfig`.
 */
-class JYamlUnsafeLoadMethod extends Method {
-  JYamlUnsafeLoadMethod() {
-    this.getDeclaringType() instanceof JYaml and
-    this.getName() in ["load", "loadType", "loadStream", "loadStreamOfType"]
-  }
-}
-
-/**
- * The class `org.ho.yaml.YamlConfig`.
- */
-class JYamlConfig extends RefType {
-  JYamlConfig() { this.hasQualifiedName("org.ho.yaml", "YamlConfig") }
-}
-
-/**
- * A JYamlConfig unsafe load method. This is either `YamlConfig.load` or
- * `YAML.loadType` or `YamlConfig.loadStream` or `YamlConfig.loadStreamOfType`.
- */
-class JYamlConfigUnsafeLoadMethod extends Method {
-  JYamlConfigUnsafeLoadMethod() {
-    this.getDeclaringType() instanceof JYamlConfig and
+class JYamlLoaderUnsafeLoadMethod extends Method {
+  JYamlLoaderUnsafeLoadMethod() {
+    this.getDeclaringType() instanceof JYamlLoader and
    this.getName() in ["load", "loadType", "loadStream", "loadStreamOfType"]
  }
 }
--- a/java/ql/src/semmle/code/java/security/UnsafeDeserialization.qll
+++ b/java/ql/src/semmle/code/java/security/UnsafeDeserialization.qll
@@ -87,10 +87,7 @@ predicate unsafeDeserialization(MethodAccess ma, Expr sink) {
    not fastJsonLooksSafe() and
    sink = ma.getArgument(0)
    or
-    ma.getMethod() instanceof JYamlUnsafeLoadMethod and
-    sink = ma.getArgument(0)
-    or
-    ma.getMethod() instanceof JYamlConfigUnsafeLoadMethod and
+    ma.getMethod() instanceof JYamlLoaderUnsafeLoadMethod and
    sink = ma.getArgument(0)
    or
    ma.getMethod() instanceof JsonIoJsonToJavaMethod and