hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 19:26:02 +02:00
Code Issues Packages Projects Releases Wiki Activity

C#: Fix unsafe deserialization with JsonConvert.DeserializeObject

Browse Source 
Remove false positives when `JsonConvert.DeserializeObject` is called with not necessarily unsafe settings.
This commit is contained in:
Tamas Vajk
2022-08-11 10:57:04 +02:00
parent 6e6bd208b1
commit 7a406d8e41
3 changed files with 2 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
csharp/ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll
View File

@@ -889,7 +889,7 @@ private class YamlDotNetDeserializerDeserializeMethodSink extends ConstructorOrS
}
/** Newtonsoft.Json.JsonConvert */
private class NewtonsoftJsonConvertDeserializeObjectMethodSink extends ConstructorOrStaticMethodSink {
private class NewtonsoftJsonConvertDeserializeObjectMethodSink extends Sink {
NewtonsoftJsonConvertDeserializeObjectMethodSink() {
exists(MethodCall mc, Method m |
m = mc.getTarget() and

2
csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInputNewtonsoftJson/Test.cs
View File

@@ -22,6 +22,6 @@ class Test
public static object Deserialize(TextBox data)
{
return JsonConvert.DeserializeObject(data.Text);
return JsonConvert.DeserializeObject(data.Text); // OK, not checking if JsonSerializerSettings is set globally with unsafe settings
}
}

12
csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInputNewtonsoftJson/UnsafeDeserializationUntrustedInput.expected
View File

@@ -1,33 +1,21 @@
edges
| ../../../../resources/stubs/Newtonsoft.Json/13.0.1/Newtonsoft.Json.cs:930:20:930:20 | 4 : Int32 | Test.cs:19:32:19:52 | access to constant Auto : Int32 |
| Test.cs:9:46:9:49 | access to parameter data : TextBox | Test.cs:9:46:9:54 | access to property Text |
| Test.cs:9:46:9:49 | access to parameter data : TextBox | Test.cs:9:46:9:54 | access to property Text |
| Test.cs:17:46:17:49 | access to parameter data : TextBox | Test.cs:17:46:17:54 | access to property Text |
| Test.cs:17:46:17:49 | access to parameter data : TextBox | Test.cs:17:46:17:54 | access to property Text |
| Test.cs:19:32:19:52 | access to constant Auto : Int32 | Test.cs:17:57:20:9 | object creation of type JsonSerializerSettings |
| Test.cs:19:32:19:52 | access to constant Auto : TypeNameHandling | Test.cs:17:57:20:9 | object creation of type JsonSerializerSettings |
| Test.cs:25:46:25:49 | access to parameter data : TextBox | Test.cs:25:46:25:54 | access to property Text |
| Test.cs:25:46:25:49 | access to parameter data : TextBox | Test.cs:25:46:25:54 | access to property Text |
nodes
| ../../../../resources/stubs/Newtonsoft.Json/13.0.1/Newtonsoft.Json.cs:930:20:930:20 | 4 : Int32 | semmle.label | 4 : Int32 |
| Test.cs:9:46:9:49 | access to parameter data : TextBox | semmle.label | access to parameter data : TextBox |
| Test.cs:9:46:9:49 | access to parameter data : TextBox | semmle.label | access to parameter data : TextBox |
| Test.cs:9:46:9:54 | access to property Text | semmle.label | access to property Text |
| Test.cs:9:46:9:54 | access to property Text | semmle.label | access to property Text |
| Test.cs:17:46:17:49 | access to parameter data : TextBox | semmle.label | access to parameter data : TextBox |
| Test.cs:17:46:17:49 | access to parameter data : TextBox | semmle.label | access to parameter data : TextBox |
| Test.cs:17:46:17:54 | access to property Text | semmle.label | access to property Text |
| Test.cs:17:46:17:54 | access to property Text | semmle.label | access to property Text |
| Test.cs:17:57:20:9 | object creation of type JsonSerializerSettings | semmle.label | object creation of type JsonSerializerSettings |
| Test.cs:19:32:19:52 | access to constant Auto : Int32 | semmle.label | access to constant Auto : Int32 |
| Test.cs:19:32:19:52 | access to constant Auto : TypeNameHandling | semmle.label | access to constant Auto : TypeNameHandling |
| Test.cs:25:46:25:49 | access to parameter data : TextBox | semmle.label | access to parameter data : TextBox |
| Test.cs:25:46:25:49 | access to parameter data : TextBox | semmle.label | access to parameter data : TextBox |
| Test.cs:25:46:25:54 | access to property Text | semmle.label | access to property Text |
| Test.cs:25:46:25:54 | access to property Text | semmle.label | access to property Text |
subpaths
#select
| Test.cs:9:46:9:54 | access to property Text | Test.cs:9:46:9:49 | access to parameter data : TextBox | Test.cs:9:46:9:54 | access to property Text | $@ flows to unsafe deserializer. | Test.cs:9:46:9:49 | access to parameter data : TextBox | User-provided data |
| Test.cs:17:46:17:54 | access to property Text | Test.cs:17:46:17:49 | access to parameter data : TextBox | Test.cs:17:46:17:54 | access to property Text | $@ flows to unsafe deserializer. | Test.cs:17:46:17:49 | access to parameter data : TextBox | User-provided data |
| Test.cs:17:46:17:54 | access to property Text | Test.cs:17:46:17:49 | access to parameter data : TextBox | Test.cs:17:46:17:54 | access to property Text | $@ flows to unsafe deserializer. | Test.cs:17:46:17:49 | access to parameter data : TextBox | User-provided data |
| Test.cs:25:46:25:54 | access to property Text | Test.cs:25:46:25:49 | access to parameter data : TextBox | Test.cs:25:46:25:54 | access to property Text | $@ flows to unsafe deserializer. | Test.cs:25:46:25:49 | access to parameter data : TextBox | User-provided data |