hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-14 11:19:27 +02:00
Code Issues Packages Projects Releases Wiki Activity

Remove double spaces from qhelp

Browse Source
This commit is contained in:
Owen Mansel-Chan
2026-05-07 10:42:50 +01:00
parent e6f587e761
commit 7aa3fd859a
1 changed files with 9 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp
View File

@@ -5,15 +5,15 @@
<p>
Deserializing untrusted data using any deserialization framework that
allows the construction of arbitrary serializable objects is easily exploitable
and in many cases allows an attacker to execute arbitrary code. Even before a
and in many cases allows an attacker to execute arbitrary code. Even before a
deserialized object is returned to the caller of a deserialization method a lot
of code may have been executed, including static initializers, constructors,
and finalizers. Automatic deserialization of fields means that an attacker may
and finalizers. Automatic deserialization of fields means that an attacker may
craft a nested combination of objects on which the executed initialization code
may have unforeseen effects, such as the execution of arbitrary code.
</p>
<p>
There are many different serialization frameworks. This query currently
There are many different serialization frameworks. This query currently
supports Kryo, XmlDecoder, XStream, SnakeYaml, JYaml, JsonIO, YAMLBeans, HessianBurlap, Castor, Burlap,
Jackson, Jabsorb, Jodd JSON, Flexjson, Gson, JMS, and Java IO serialization through
<code>ObjectInputStream</code>/<code>ObjectOutputStream</code>.
@@ -22,9 +22,9 @@ Jackson, Jabsorb, Jodd JSON, Flexjson, Gson, JMS, and Java IO serialization thro
<recommendation>
<p>
Avoid deserialization of untrusted data if at all possible. If the
Avoid deserialization of untrusted data if at all possible. If the
architecture permits it then use other formats instead of serialized objects,
for example JSON or XML. However, these formats should not be deserialized
for example JSON or XML. However, these formats should not be deserialized
into complex objects because this provides further opportunities for attack.
For example, XML-based deserialization attacks
are possible through libraries such as XStream and XmlDecoder.
@@ -43,7 +43,7 @@ Recommendations specific to particular frameworks supported by this query:
<li><b>Recommendation</b>: Call <code>com.alibaba.fastjson.parser.ParserConfig#setSafeMode</code> with the argument <code>true</code> before deserializing untrusted data.</li>
</ul>
<p></p>
<p><b>FasterXML</b> - <code>com.fasterxml.jackson.core:jackson-databind</code></p>
<p><b>FasterXML</b> - <code>com.fasterxml.jackson.core:jackson-databind</code></p>
<ul>
<li><b>Secure by Default</b>: Yes</li>
<li><b>Recommendation</b>: Don't call <code>com.fasterxml.jackson.databind.ObjectMapper#enableDefaultTyping</code> and don't annotate any object fields with <code>com.fasterxml.jackson.annotation.JsonTypeInfo</code> passing either the <code>CLASS</code> or <code>MINIMAL_CLASS</code> values to the annotation.
@@ -56,16 +56,16 @@ Recommendations specific to particular frameworks supported by this query:
<li><b>Recommendation</b>: Don't call <code>com.esotericsoftware.kryo(5).Kryo#setRegistrationRequired</code> with the argument <code>false</code> on any <code>Kryo</code> instance that may deserialize untrusted data.</li>
</ul>
<p></p>
<p><b>ObjectInputStream</b> - <code>Java Standard Library</code></p>
<p><b>ObjectInputStream</b> - <code>Java Standard Library</code></p>
<ul>
<li><b>Secure by Default</b>: No</li>
<li><b>Recommendation</b>: Use a validating input stream, such as <code>org.apache.commons.io.serialization.ValidatingObjectInputStream</code>.</li>
<li><b>Recommendation</b>: Use a validating input stream, such as <code>org.apache.commons.io.serialization.ValidatingObjectInputStream</code>.</li>
</ul>
<p></p>
<p><b>SnakeYAML</b> - <code>org.yaml:snakeyaml</code></p>
<ul>
<li><b>Secure by Default</b>: As of version 2.0.</li>
<li><b>Recommendation</b>: For versions before 2.0, pass an instance of <code>org.yaml.snakeyaml.constructor.SafeConstructor</code> to <code>org.yaml.snakeyaml.Yaml</code>'s constructor before using it to deserialize untrusted data.</li>
<li><b>Recommendation</b>: For versions before 2.0, pass an instance of <code>org.yaml.snakeyaml.constructor.SafeConstructor</code> to <code>org.yaml.snakeyaml.Yaml</code>'s constructor before using it to deserialize untrusted data.</li>
</ul>
<p></p>
<p><b>XML Decoder</b> - <code>Standard Java Library</code></p>