Java: Add support for FastJson in unsafe deserialization.
50
java/ql/src/semmle/code/java/frameworks/FastJson.qll
Normal file
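--- a/java/ql/src/semmle/code/java/frameworks/FastJson.qll
+++ b/java/ql/src/semmle/code/java/frameworks/FastJson.qll
@@ -0,0 +1,50 @@
+/**
+ * Provides classes and predicates for working with the FastJson framework.
+ */
+
+import java
+
+/**
+ * The class `com.alibaba.fastjson.JSON` or `com.alibaba.fastjson.JSONObject`.
+ */
+class FastJson extends RefType {
+  FastJson() {
+    this.hasQualifiedName("com.alibaba.fastjson", "JSON") or
+    this.hasQualifiedName("com.alibaba.fastjson", "JSONObject")
+  }
+}
+
+/**
+ * A FastJson parse method. This is either `parse` or `parseObject` on either
+ * `com.alibaba.fastjson.JSON` or `com.alibaba.fastjson.JSONObject`.
+ */
+class FastJsonParseMethod extends Method {
+  FastJsonParseMethod() {
+    this.getDeclaringType() instanceof FastJson and
+    this.hasName(["parse", "parseObject"])
+  }
+}
+
+/**
+ * A call to `ParserConfig.setSafeMode`.
+ */
+class FastJsonSetSafeMode extends MethodAccess {
+  FastJsonSetSafeMode() {
+    exists(Method m |
+      this.getMethod() = m and
+      m.hasName("setSafeMode") and
+      m.getDeclaringType().hasQualifiedName("com.alibaba.fastjson.parser", "ParserConfig")
+    )
+  }
+
+  /** Gets the constant value passed to this call, if any. */
+  boolean getMode() { result = this.getArgument(0).(CompileTimeConstantExpr).getBooleanValue() }
+}
+
+/**
+ * Holds if there is some call to `ParserConfig.setSafeMode` that does not
+ * explicitly disable safe mode.
+ */
+predicate fastJsonLooksSafe() {
+  exists(FastJsonSetSafeMode setsafe | not setsafe.getMode() = false)
+}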
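Review bot: `fastJsonLooksSafe` (and the `not fastJsonLooksSafe()` conjunct it feeds in `unsafeDeserialization` in the second file section) is whole-program: a single `ParserConfig.setSafeMode` call whose argument is not the constant `false` — including `setSafeMode(flag)` with a non-constant argument, for which `getMode()` has no result, or a call that only lives in test code — suppresses every FastJson `parse`/`parseObject` sink in the database, even when the receiver is a `ParserConfig` instance the flagged parse call never uses. That is a defensible precision trade-off, but it should be stated where the suppression is decided; I would extend the QLDoc on `fastJsonLooksSafe` with `This is a whole-program heuristic: any such call, on any ParserConfig instance and whether or not the parse call uses it, is taken as evidence that safe mode is enabled, so a non-constant argument also counts as safe.` If a narrower model is wanted, a follow-up could restrict the call's qualifier to the global `ParserConfig` instance that the string-only `parse` overloads presumably consult — worth confirming against the fastjson source for the version being modelled. Separately, `FastJsonParseMethod` names only `parse` and `parseObject`; fastjson also exposes `JSON.parseArray`, and if it runs through the same parser configuration it is a missing sink.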
@@ -1,6 +1,7 @@
|
||||
import semmle.code.java.frameworks.Kryo
|
||||
import semmle.code.java.frameworks.XStream
|
||||
import semmle.code.java.frameworks.SnakeYaml
|
||||
import semmle.code.java.frameworks.FastJson
|
||||
import semmle.code.java.frameworks.apache.Lang
|
||||
|
||||
class ObjectInputStreamReadObjectMethod extends Method {
|
||||
@@ -77,6 +78,10 @@ predicate unsafeDeserialization(MethodAccess ma, Expr sink) {
|
||||
or
|
||||
ma instanceof UnsafeSnakeYamlParse and
|
||||
sink = ma.getArgument(0)
|
||||
or
|
||||
ma.getMethod() instanceof FastJsonParseMethod and
|
||||
not fastJsonLooksSafe() and
|
||||
sink = ma.getArgument(0)
|
||||
)
|
||||
}
|
||||
|
||||
|
||||