Add sink for ObjectInput.readObject to make test pass

This commit is contained in:
Owen Mansel-Chan
2025-07-11 10:23:41 +01:00
parent 34fae324a0
commit 8e4bd1a102
4 changed files with 78 additions and 52 deletions


@@ -211,6 +211,11 @@ class TypeObjectOutputStream extends RefType {
TypeObjectOutputStream() { this.hasQualifiedName("java.io", "ObjectOutputStream") }
}
/** The type `java.io.ObjectInput`. */
class TypeObjectInput extends RefType {
TypeObjectInput() { this.hasQualifiedName("java.io", "ObjectInput") }
}
/** The type `java.io.ObjectInputStream`. */
class TypeObjectInputStream extends RefType {
TypeObjectInputStream() { this.hasQualifiedName("java.io", "ObjectInputStream") }


@@ -23,10 +23,17 @@ private import semmle.code.java.frameworks.google.Gson
private import semmle.code.java.frameworks.apache.Lang
private import semmle.code.java.Reflection
private class ObjectInputStreamReadObjectMethod extends Method {
ObjectInputStreamReadObjectMethod() {
private class ObjectInputReadObjectMethod extends Method {
ObjectInputReadObjectMethod() {
this.getDeclaringType().getASourceSupertype*() instanceof TypeObjectInput and
this.hasName("readObject")
}
}
private class ObjectInputStreamReadUnsharedMethod extends Method {
ObjectInputStreamReadUnsharedMethod() {
this.getDeclaringType().getASourceSupertype*() instanceof TypeObjectInputStream and
(this.hasName("readObject") or this.hasName("readUnshared"))
this.hasName("readUnshared")
}
}
@@ -147,7 +154,11 @@ private module SafeKryoFlow = DataFlow::Global<SafeKryoConfig>;
*/
predicate unsafeDeserialization(MethodCall ma, Expr sink) {
exists(Method m | m = ma.getMethod() |
m instanceof ObjectInputStreamReadObjectMethod and
m instanceof ObjectInputReadObjectMethod and
sink = ma.getQualifier() and
not DataFlow::exprNode(sink).getTypeBound() instanceof SafeObjectInputStreamType
or
m instanceof ObjectInputStreamReadUnsharedMethod and
sink = ma.getQualifier() and
not DataFlow::exprNode(sink).getTypeBound() instanceof SafeObjectInputStreamType
or
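Review bot: The new `ObjectInputReadObjectMethod` class and the narrowed `ObjectInputStreamReadUnsharedMethod` at the top of the first hunk have no QLDoc, unlike the `Type*` classes added in the other file; add `/** The method readObject declared on java.io.ObjectInput or one of its subtypes. */` above the first and a matching one-liner for `readUnshared` above the second. Since the sink now also accepts qualifiers whose static type is the `ObjectInput` interface, it is worth confirming that `SafeObjectInputStreamType` (defined outside the hunk) is still the right exclusion on the `getTypeBound()` check in the second hunk — a hardened stream held through the interface type would presumably not be excluded, which is a false positive rather than a missed sink. The `unsafeDeserialization` predicate continues past the end of the hunk.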