mirror of
https://github.com/github/codeql.git
synced 2026-04-27 17:55:19 +02:00
Merge pull request #5260 from artem-smotrakov/spring-http-invoker
Java: Query for detecting unsafe deserialization with Spring exporters
This commit is contained in:
Anders Schack-Mulligen
@@ -0,0 +1,79 @@
|
||||
import org.springframework.boot.SpringBootConfiguration;
|
||||
import org.springframework.boot.autoconfigure.SpringBootApplication;
|
||||
import org.springframework.context.annotation.Bean;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter;
|
||||
import org.springframework.remoting.rmi.RemoteInvocationSerializingExporter;
|
||||
|
||||
@Configuration
|
||||
public class SpringExporterUnsafeDeserialization {
|
||||
|
||||
@Bean(name = "/unsafeHttpInvokerServiceExporter")
|
||||
HttpInvokerServiceExporter unsafeHttpInvokerServiceExporter() {
|
||||
HttpInvokerServiceExporter exporter = new HttpInvokerServiceExporter();
|
||||
exporter.setService(new AccountServiceImpl());
|
||||
exporter.setServiceInterface(AccountService.class);
|
||||
return exporter;
|
||||
}
|
||||
|
||||
@Bean(name = "/unsafeCustomeRemoteInvocationSerializingExporter")
|
||||
RemoteInvocationSerializingExporter unsafeCustomeRemoteInvocationSerializingExporter() {
|
||||
return new CustomeRemoteInvocationSerializingExporter();
|
||||
}
|
||||
|
||||
HttpInvokerServiceExporter notABean() {
|
||||
HttpInvokerServiceExporter exporter = new HttpInvokerServiceExporter();
|
||||
exporter.setService(new AccountServiceImpl());
|
||||
exporter.setServiceInterface(AccountService.class);
|
||||
return exporter;
|
||||
}
|
||||
}
|
||||
|
||||
@SpringBootApplication
|
||||
class SpringBootTestApplication {
|
||||
|
||||
@Bean(name = "/unsafeHttpInvokerServiceExporter")
|
||||
HttpInvokerServiceExporter unsafeHttpInvokerServiceExporter() {
|
||||
HttpInvokerServiceExporter exporter = new HttpInvokerServiceExporter();
|
||||
exporter.setService(new AccountServiceImpl());
|
||||
exporter.setServiceInterface(AccountService.class);
|
||||
return exporter;
|
||||
}
|
||||
}
|
||||
|
||||
@SpringBootConfiguration
|
||||
class SpringBootTestConfiguration {
|
||||
|
||||
@Bean(name = "/unsafeHttpInvokerServiceExporter")
|
||||
HttpInvokerServiceExporter unsafeHttpInvokerServiceExporter() {
|
||||
HttpInvokerServiceExporter exporter = new HttpInvokerServiceExporter();
|
||||
exporter.setService(new AccountServiceImpl());
|
||||
exporter.setServiceInterface(AccountService.class);
|
||||
return exporter;
|
||||
}
|
||||
}
|
||||
|
||||
class CustomeRemoteInvocationSerializingExporter extends RemoteInvocationSerializingExporter {}
|
||||
|
||||
class NotAConfiguration {
|
||||
|
||||
@Bean(name = "/notAnEndpoint")
|
||||
HttpInvokerServiceExporter notAnEndpoint() {
|
||||
HttpInvokerServiceExporter exporter = new HttpInvokerServiceExporter();
|
||||
exporter.setService(new AccountServiceImpl());
|
||||
exporter.setServiceInterface(AccountService.class);
|
||||
return exporter;
|
||||
}
|
||||
}
|
||||
|
||||
class AccountServiceImpl implements AccountService {
|
||||
|
||||
@Override
|
||||
public String echo(String data) {
|
||||
return data;
|
||||
}
|
||||
}
|
||||
|
||||
interface AccountService {
|
||||
String echo(String data);
|
||||
}
|
||||
@@ -0,0 +1,4 @@
|
||||
| SpringExporterUnsafeDeserialization.java:12:32:12:63 | unsafeHttpInvokerServiceExporter | Unsafe deserialization in a Spring exporter bean '/unsafeHttpInvokerServiceExporter' |
|
||||
| SpringExporterUnsafeDeserialization.java:20:41:20:88 | unsafeCustomeRemoteInvocationSerializingExporter | Unsafe deserialization in a Spring exporter bean '/unsafeCustomeRemoteInvocationSerializingExporter' |
|
||||
| SpringExporterUnsafeDeserialization.java:36:32:36:63 | unsafeHttpInvokerServiceExporter | Unsafe deserialization in a Spring exporter bean '/unsafeHttpInvokerServiceExporter' |
|
||||
| SpringExporterUnsafeDeserialization.java:48:32:48:63 | unsafeHttpInvokerServiceExporter | Unsafe deserialization in a Spring exporter bean '/unsafeHttpInvokerServiceExporter' |
|
||||
@@ -0,0 +1 @@
|
||||
experimental/Security/CWE/CWE-502/UnsafeSpringExporterInConfigurationClass.ql
|
||||
@@ -0,0 +1,2 @@
|
||||
| beans.xml:10:5:13:12 | /unsafeBooking | Unsafe deserialization in a Spring exporter bean '/unsafeBooking' |
|
||||
| beans.xml:15:5:18:12 | org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter | Unsafe deserialization in a Spring exporter bean 'org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter' |
|
||||
@@ -0,0 +1 @@
|
||||
experimental/Security/CWE/CWE-502/UnsafeSpringExporterInXMLConfiguration.ql
|
||||
@@ -0,0 +1,19 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<beans xmlns="http://www.springframework.org/schema/beans"
|
||||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||
xmlns:context="http://www.springframework.org/schema/context"
|
||||
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
|
||||
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">
|
||||
|
||||
<bean id="anotherBookingService" class="com.gypsyengineer.server.CabBookingServiceImpl"/>
|
||||
|
||||
<bean name="/unsafeBooking" class="org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter">
|
||||
<property name="service" ref="anotherBookingService"/>
|
||||
<property name="serviceInterface" value="com.gypsyengineer.api.CabBookingService"/>
|
||||
</bean>
|
||||
|
||||
<bean class="org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter">
|
||||
<property name="service" ref="anotherBookingService"/>
|
||||
<property name="serviceInterface" value="com.gypsyengineer.api.CabBookingService"/>
|
||||
</bean>
|
||||
</beans>
|
||||
@@ -0,0 +1 @@
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3
|
||||
Reference in New Issue
Block a user