Modify ql

2025-12-22 03:36:30 +01:00 · 2021-05-14 18:17:05 +08:00
parent 12f47bcf24
commit 60fc607449
9 changed files with 139 additions and 119 deletions
--- a/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql
+++ b/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql
@@ -24,28 +24,14 @@ class UnsafeDeserializationConfig extends TaintTracking::Configuration {

  override predicate isAdditionalTaintStep(DataFlow::Node prod, DataFlow::Node succ) {
    exists(ClassInstanceExpr cie |
-      cie.getConstructor().getDeclaringType() instanceof JsonReader and
      cie.getArgument(0) = prod.asExpr() and
      cie = succ.asExpr() and
-      not exists(SafeJsonIo sji | sji.hasFlowToExpr(cie.getArgument(1)))
-    )
-    or
-    exists(ClassInstanceExpr cie |
-      cie.getConstructor().getDeclaringType() instanceof YamlReader and
-      cie.getArgument(0) = prod.asExpr() and
-      cie = succ.asExpr()
-    )
-    or
-    exists(ClassInstanceExpr cie |
-      cie.getConstructor().getDeclaringType() instanceof UnSafeHessianInput and
-      cie.getArgument(0) = prod.asExpr() and
-      cie = succ.asExpr()
-    )
-    or
-    exists(ClassInstanceExpr cie |
-      cie.getConstructor().getDeclaringType() instanceof BurlapInput and
-      cie.getArgument(0) = prod.asExpr() and
-      cie = succ.asExpr()
+      (
+        cie.getConstructor().getDeclaringType() instanceof JsonIoJsonReader or
+        cie.getConstructor().getDeclaringType() instanceof YamlBeansReader or
+        cie.getConstructor().getDeclaringType().getASupertype*() instanceof UnsafeHessianInput or
+        cie.getConstructor().getDeclaringType() instanceof BurlapInput
+      )
    )
    or
    exists(MethodAccess ma |
@@ -54,6 +40,20 @@ class UnsafeDeserializationConfig extends TaintTracking::Configuration {
      ma.getQualifier() = succ.asExpr()
    )
  }
+
+  override predicate isSanitizer(DataFlow::Node node) {
+    exists(ClassInstanceExpr cie |
+      cie.getConstructor().getDeclaringType() instanceof JsonIoJsonReader and
+      cie = node.asExpr() and
+      exists(SafeJsonIoConfig sji | sji.hasFlowToExpr(cie.getArgument(1)))
+    )
+    or
+    exists(MethodAccess ma |
+      ma.getMethod() instanceof JsonIoJsonToJavaMethod and
+      ma.getArgument(0) = node.asExpr() and
+      exists(SafeJsonIoConfig sji | sji.hasFlowToExpr(ma.getArgument(1)))
+    )
+  }
 }

 from DataFlow::PathNode source, DataFlow::PathNode sink, UnsafeDeserializationConfig conf