Better looksLikeResolveClassStep() predicate

2026-04-29 10:45:15 +02:00 · 2021-07-30 09:28:03 +02:00
parent 1d3eb570bf
commit a4b0041120
4 changed files with 19 additions and 8 deletions
--- a/java/ql/test/query-tests/security/CWE-502/JacksonTest.java
+++ b/java/ql/test/query-tests/security/CWE-502/JacksonTest.java
@@ -1,5 +1,6 @@
 import com.fasterxml.jackson.annotation.JsonTypeInfo;
 import com.fasterxml.jackson.core.JsonFactory;
+import com.fasterxml.jackson.databind.JavaType;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.databind.json.JsonMapper;
 import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
@@ -179,12 +180,12 @@ class UnsafeCatDeserialization {
            String data = parts[0];
            String type = parts[1];
            ObjectMapper mapper = new ObjectMapper();
-            mapper.readValue(data, resolveTypeImpl(type)); // $unsafeDeserialization
+            mapper.readValue(data, resolveImpl(type, mapper)); // $unsafeDeserialization
        });
    }

-    private static Class resolveTypeImpl(String type) throws Exception {
-        return Class.forName(type);
+    private static JavaType resolveImpl(String type, ObjectMapper mapper) throws Exception {
+        return mapper.constructType(Class.forName(type));
    }
 }

--- a/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/JavaType.java
+++ b/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/JavaType.java
@@ -0,0 +1,3 @@
+package com.fasterxml.jackson.databind;
+
+public class JavaType {}
--- a/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/ObjectMapper.java
+++ b/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/ObjectMapper.java
@@ -3,6 +3,7 @@ package com.fasterxml.jackson.databind;
 import com.fasterxml.jackson.core.JsonParser;
 import com.fasterxml.jackson.core.TreeNode;
 import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;
+import java.lang.reflect.Type;
 import java.io.*;
 import java.util.*;

@@ -54,6 +55,10 @@ public class ObjectMapper {
    return null;
  }

+  public <T> T readValue(String content, JavaType valueType) {
+    return null;
+  }
+
  public <T> MappingIterator<T> readValues(JsonParser p, Class<T> valueType) {
    return null;
  }
@@ -65,4 +70,8 @@ public class ObjectMapper {
  public JsonNode readTree(String content) {
    return null;
  }
+
+  public JavaType constructType(Type t) {
+    return null;
+  }
 }