Add support for the Flexjson framework to the unsafe-deserialization query

Chris Smowton
2021-08-09 19:06:45 +01:00
parent 0ebbb333ba
commit 9b488207eb
11 changed files with 423 additions and 2 deletions


@@ -15,7 +15,7 @@ may have unforeseen effects, such as the execution of arbitrary code.
<p>
There are many different serialization frameworks. This query currently
supports Kryo, XmlDecoder, XStream, SnakeYaml, JYaml, JsonIO, YAMLBeans, HessianBurlap, Castor, Burlap,
Jackson, Jabsorb, Jodd JSON and Java IO serialization through
Jackson, Jabsorb, Jodd JSON, Flexjson and Java IO serialization through
<code>ObjectInputStream</code>/<code>ObjectOutputStream</code>.
</p>
</overview>
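Review bot: since this hunk rewrites the framework sentence anyway, the pre-existing duplicate on the preceding context line ("HessianBurlap, Castor, Burlap" lists Burlap twice) could be cleaned up in the same change; the added line itself, which inserts "Flexjson" before "and Java IO serialization through", reads correctly and matches the order used for the other frameworks.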
@@ -109,6 +109,10 @@ Jabsorb documentation on deserialization:
Jodd JSON documentation on deserialization:
<a href="https://json.jodd.org/parser">JoddJson Parser</a>.
</li>
<li>
RCE in Flexjson:
<a href="https://codewhitesec.blogspot.com/2020/03/liferay-portal-json-vulns.html">Flexjson deserialization</a>.
</li>
</references>
</qhelp>
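Review bot: the new reference entry breaks the pattern of the surrounding entries ("Jabsorb documentation on deserialization:", "Jodd JSON documentation on deserialization:"), which point at each framework's own documentation, whereas "RCE in Flexjson:" links a third-party write-up about Liferay Portal. Consider adding a second entry that links the Flexjson project's own deserialization documentation, and phrasing the write-up entry consistently with its neighbours (for example "Flexjson deserialization vulnerabilities:"), so readers get both the authoritative API reference and the background on why the sink is dangerous.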