Java: Add JMS sink to java/unsafe-deserialization

java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp

@@ -15,7 +15,7 @@ may have unforeseen effects, such as the execution of arbitrary code.
 <p>
 There are many different serialization frameworks.  This query currently
 supports Kryo, XmlDecoder, XStream, SnakeYaml, JYaml, JsonIO, YAMLBeans, HessianBurlap, Castor, Burlap,
-Jackson, Jabsorb, Jodd JSON, Flexjson, Gson and Java IO serialization through
+Jackson, Jabsorb, Jodd JSON, Flexjson, Gson, JMS, and Java IO serialization through
 <code>ObjectInputStream</code>/<code>ObjectOutputStream</code>.
 </p>
 </overview>
@@ -74,6 +74,12 @@ Recommendations specific to particular frameworks supported by this query:
         <li><b>Recommendation</b>: Do not use with untrusted user input.</li>
     </ul>
 <p></p>
+<p><b>ObjectMesssage</b> - <code>Java EE/Jakarta EE</code></p>
+    <ul>
+        <li><b>Secure by Default</b>: Depends on the JMS implementation.</li>
+        <li><b>Recommendation</b>: Do not use with untrusted user input.</li>
+    </ul>
+<p></p>
 </recommendation>
 
 <example>
@@ -158,6 +164,10 @@ RCE in Flexjson:
 Android Intent deserialization vulnerabilities with GSON parser:
 <a href="https://blog.oversecured.com/Exploiting-memory-corruption-vulnerabilities-on-Android/#insecure-use-of-json-parsers">Insecure use of JSON parsers</a>.
 </li>
+<li>
+Research by Matthias Kaiser:
+<a href="https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities.pdf">Pwning Your Java Messaging With Deserialization Vulnerabilities</a>.
+</li>
 </references>
 
 </qhelp>

java/ql/src/change-notes/2023-10-26-jms-unsafe-deserialization.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The query `java/unsafe-deserialization` has been improved to detect insecure calls to `ObjectMessage.getObject` in JMS.