Java: Add JMS sink to java/unsafe-deserialization

2026-04-27 09:45:15 +02:00 · 2023-10-26 16:46:19 +02:00
parent b1d4ca505d
commit 7af3d239ab
5 changed files with 29 additions and 2 deletions
--- a/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll
@@ -224,6 +224,10 @@ predicate unsafeDeserialization(MethodCall ma, Expr sink) {
    m instanceof GsonDeserializeMethod and
    sink = ma.getArgument(0) and
    UnsafeTypeFlow::flowToExpr(ma.getArgument(1))
+    or
+    m.getASourceOverriddenMethod*()
+        .hasQualifiedName(["javax", "jakarta"] + ".jms", "ObjectMessage", "getObject") and
+    sink = ma.getQualifier().getUnderlyingExpr()
  )
 }