Add unsafe-deserialization support for Jabsorb

This is partly extracted from https://github.com/github/codeql/pull/5954
2025-12-21 19:26:31 +01:00 · 2021-08-04 15:35:50 +01:00
parent fe654dc8ee
commit 69549e9ce3
15 changed files with 887 additions and 31 deletions
--- a/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp
+++ b/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp
@@ -15,7 +15,8 @@ may have unforeseen effects, such as the execution of arbitrary code.
 <p>
 There are many different serialization frameworks.  This query currently
 supports Kryo, XmlDecoder, XStream, SnakeYaml, JYaml, JsonIO, YAMLBeans, HessianBurlap, Castor, Burlap,
-Jackson and Java IO serialization through <code>ObjectInputStream</code>/<code>ObjectOutputStream</code>.
+Jackson, Jabsorb and Java IO serialization through
+<code>ObjectInputStream</code>/<code>ObjectOutputStream</code>.
 </p>
 </overview>

@@ -100,6 +101,10 @@ Blog posts by the developer of Jackson libraries:
 <a href="https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062">On Jackson CVEs: Don’t Panic — Here is what you need to know</a>
 <a href="https://cowtowncoder.medium.com/jackson-2-10-safe-default-typing-2d018f0ce2ba">Jackson 2.10: Safe Default Typing</a>
 </li>
+<li>
+Jabsorb documentation on deserialization:
+<a href="https://github.com/Servoy/jabsorb/blob/master/src/org/jabsorb/">Jabsorb JSON Serializer</a>.
+</li>
 </references>

 </qhelp>