new deserialization sink

This commit is contained in:
Alvaro Muñoz
2020-10-27 14:24:17 +01:00
parent 7544bc872a
commit a4a91eb1d2
3 changed files with 22 additions and 0 deletions


@@ -414,6 +414,14 @@ private predicate argToMethodStep(Expr tracked, MethodAccess sink) {
* `arg`th argument is tainted.
*/
private predicate taintPreservingArgumentToMethod(Method method, int arg) {
(
method.getDeclaringType().hasQualifiedName("org.apache.wicket.util.crypt", "Base64") and
(
method.getName().matches("decode%") and arg = 0 or
method.getName().matches("encode%") and arg = 0
)
)
or
(
method.getDeclaringType().hasQualifiedName("java.util", "Base64$Encoder") or
method.getDeclaringType().hasQualifiedName("java.util", "Base64$Decoder") or
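Review bot: The new Wicket branch repeats `arg = 0` on both `matches` disjuncts and leans on `and` binding tighter than `or` inside the inner parentheses, which a reader has to stop and check; factoring the common conjunct out reads unambiguously: `(method.getName().matches("decode%") or method.getName().matches("encode%")) and arg = 0`. The branch also carries no note on why a codec is taint-preserving in both directions, so a later maintainer may wonder whether `encode%` belongs here; a one-line comment such as `// Base64 encode/decode only re-encode the bytes: the result is as attacker-controlled as the input` next to the Wicket `hasQualifiedName` line would settle that. The body of `taintPreservingArgumentToMethod` continues past the end of the hunk, so whether the `java.util.Base64$Encoder`/`Base64$Decoder` branch that starts here also restricts `arg` cannot be seen from this hunk.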


@@ -10,3 +10,13 @@ class TypeApacheRandomStringUtils extends Class {
hasQualifiedName("org.apache.commons.lang3", "RandomStringUtils")
}
}
class MethodApacheSerializationUtilsDeserialize extends Method {
MethodApacheSerializationUtilsDeserialize() {
(
this.getDeclaringType().hasQualifiedName("org.apache.commons.lang", "SerializationUtils") or
this.getDeclaringType().hasQualifiedName("org.apache.commons.lang3", "SerializationUtils")
) and
this.hasName("deserialize")
}
}
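Review bot: `MethodApacheSerializationUtilsDeserialize` is a new library class with no QLDoc, while it will be matched as a deserialization sink by callers in other files; a comment directly above the `class` line such as `/** The `deserialize` method of Apache Commons Lang `SerializationUtils` (both the `org.apache.commons.lang` and `org.apache.commons.lang3` packages). */` is what a reader of the sink predicate will look for. The characteristic predicate is otherwise fine: the two `hasQualifiedName` disjuncts are grouped before the `and this.hasName("deserialize")`, so the name check applies to both packages. The context lines above the class suggest the existing `TypeApacheRandomStringUtils` follows the same undocumented pattern, but its header is outside the hunk.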


@@ -1,6 +1,7 @@
import semmle.code.java.frameworks.Kryo
import semmle.code.java.frameworks.XStream
import semmle.code.java.frameworks.SnakeYaml
import semmle.code.java.frameworks.apache.Lang
class ObjectInputStreamReadObjectMethod extends Method {
ObjectInputStreamReadObjectMethod() {
@@ -71,6 +72,9 @@ predicate unsafeDeserialization(MethodAccess ma, Expr sink) {
sink = ma.getAnArgument() and
not exists(SafeKryo sk | sk.hasFlowToExpr(ma.getQualifier()))
or
m instanceof MethodApacheSerializationUtilsDeserialize and
sink = ma.getArgument(0)
or
ma instanceof UnsafeSnakeYamlParse and
sink = ma.getArgument(0)
)
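Review bot: The new `MethodApacheSerializationUtilsDeserialize` branch in `unsafeDeserialization` picks `ma.getArgument(0)` without saying why the first argument is the right sink for every overload; as far as I know commons-lang exposes `deserialize(byte[])` and `deserialize(InputStream)`, both single-argument, so the choice is correct but should be recorded: `// SerializationUtils.deserialize(byte[]) and deserialize(InputStream): the serialized data is the only argument`. Unlike the Kryo branch just above it, this branch has no `not exists(...)` exclusion for a safely configured instance, which is consistent with the API (the `deserialize` helpers take no class filter or allow-list), but a short comment stating that there is no safe configuration to exclude would stop a reviewer from reading the asymmetry as an oversight. `unsafeDeserialization` starts outside the hunk, and `m` is bound there, so the hunk itself does not show that `m` is `ma.getMethod()`.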