Java: move UnsafeDeserialization.qll to standard library location

2025-12-22 03:36:30 +01:00 · 2019-10-30 11:18:36 -04:00
parent ecd4c08cb4
commit 8620b0513e
2 changed files with 1 additions and 1 deletions
--- a/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql
+++ b/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql
@@ -12,7 +12,7 @@

 import java
 import semmle.code.java.dataflow.FlowSources
-import UnsafeDeserialization
+import semmle.code.java.security.UnsafeDeserialization
 import DataFlow::PathGraph

 class UnsafeDeserializationConfig extends TaintTracking::Configuration {
--- a/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qll
+++ b/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qll
@@ -1,76 +0,0 @@
-import semmle.code.java.frameworks.Kryo
-import semmle.code.java.frameworks.XStream
-import semmle.code.java.frameworks.SnakeYaml
-
-class ObjectInputStreamReadObjectMethod extends Method {
-  ObjectInputStreamReadObjectMethod() {
-    this.getDeclaringType().getASourceSupertype*().hasQualifiedName("java.io", "ObjectInputStream") and
-    (this.hasName("readObject") or this.hasName("readUnshared"))
-  }
-}
-
-class XMLDecoderReadObjectMethod extends Method {
-  XMLDecoderReadObjectMethod() {
-    this.getDeclaringType().hasQualifiedName("java.beans", "XMLDecoder") and
-    this.hasName("readObject")
-  }
-}
-
-class SafeXStream extends DataFlow2::Configuration {
-  SafeXStream() { this = "UnsafeDeserialization::SafeXStream" }
-
-  override predicate isSource(DataFlow::Node src) {
-    any(XStreamEnableWhiteListing ma).getQualifier().(VarAccess).getVariable().getAnAccess() = src
-          .asExpr()
-  }
-
-  override predicate isSink(DataFlow::Node sink) {
-    exists(MethodAccess ma |
-      sink.asExpr() = ma.getQualifier() and
-      ma.getMethod() instanceof XStreamReadObjectMethod
-    )
-  }
-}
-
-class SafeKryo extends DataFlow2::Configuration {
-  SafeKryo() { this = "UnsafeDeserialization::SafeKryo" }
-
-  override predicate isSource(DataFlow::Node src) {
-    any(KryoEnableWhiteListing ma).getQualifier().(VarAccess).getVariable().getAnAccess() = src
-          .asExpr()
-  }
-
-  override predicate isSink(DataFlow::Node sink) {
-    exists(MethodAccess ma |
-      sink.asExpr() = ma.getQualifier() and
-      ma.getMethod() instanceof KryoReadObjectMethod
-    )
-  }
-}
-
-predicate unsafeDeserialization(MethodAccess ma, Expr sink) {
-  exists(Method m | m = ma.getMethod() |
-    m instanceof ObjectInputStreamReadObjectMethod and
-    sink = ma.getQualifier()
-    or
-    m instanceof XMLDecoderReadObjectMethod and
-    sink = ma.getQualifier()
-    or
-    m instanceof XStreamReadObjectMethod and
-    sink = ma.getAnArgument() and
-    not exists(SafeXStream sxs | sxs.hasFlowToExpr(ma.getQualifier()))
-    or
-    m instanceof KryoReadObjectMethod and
-    sink = ma.getAnArgument() and
-    not exists(SafeKryo sk | sk.hasFlowToExpr(ma.getQualifier()))
-    or
-    ma instanceof UnsafeSnakeYamlParse and
-    sink = ma.getArgument(0)
-  )
-}
-
-class UnsafeDeserializationSink extends DataFlow::ExprNode {
-  UnsafeDeserializationSink() { unsafeDeserialization(_, this.getExpr()) }
-
-  MethodAccess getMethodAccess() { unsafeDeserialization(result, this.getExpr()) }
-}