From aefd21075bd84ae292f1cd2b10c7ef3dbf3819ed Mon Sep 17 00:00:00 2001 
From: Artem Smotrakov Date: Sat, 15 May 2021 11:37:59 +0200 Subject: [PATCH] Added tests for UnsafeDeserialization.ql and Jackson --- classes/AccountService.class | Bin 0 -> 186 bytes classes/AccountServiceImpl.class | Bin 0 -> 337 bytes classes/Action.class | Bin 0 -> 264 bytes classes/Cat.class | Bin 0 -> 263 bytes ...eRemoteInvocationSerializingExporter.class | Bin 0 -> 303 bytes classes/DomesticNumber.class | Bin 0 -> 194 bytes classes/Employee.class | Bin 0 -> 183 bytes classes/InternationalNumber.class | Bin 0 -> 225 bytes classes/JacksonTest.class | Bin 0 -> 1043 bytes classes/NonConstantTimeCheckOnSignature.class | Bin 0 -> 7481 bytes classes/NonConstantTimeCryptoComparison.class | Bin 0 -> 7481 bytes classes/NotAConfiguration.class | Bin 0 -> 744 bytes classes/NotConstantTimeCryptoComparison.class | Bin 0 -> 2097 bytes classes/Person.class | Bin 0 -> 587 bytes classes/PhoneNumber.class | Bin 0 -> 263 bytes classes/SaferCatDeserialization.class | Bin 0 -> 2174 bytes classes/SaferPersonDeserialization.class | Bin 0 -> 2634 bytes .../CWE/CWE-502/UnsafeDeserialization.md | 50 +++++ classes/SpringBootTestApplication.class | Bin 0 -> 867 bytes classes/SpringBootTestConfiguration.class | Bin 0 -> 857 bytes .../SpringExporterUnsafeDeserialization.class | Bin 0 -> 2020 bytes classes/Tag.class | Bin 0 -> 253 bytes classes/Task.class | Bin 0 -> 219 bytes classes/UnsafeCatDeserialization.class | Bin 0 -> 3285 bytes classes/UnsafeObjectAllocation.class | Bin 0 -> 2902 bytes classes/UnsafePersonDeserialization.class | Bin 0 -> 1713 bytes .../jackson/annotation/JsonTypeInfo$Id.class | Bin 0 -> 1389 bytes .../jackson/annotation/JsonTypeInfo.class | Bin 0 -> 658 bytes .../fasterxml/jackson/core/JsonFactory.class | Bin 0 -> 522 bytes .../jackson/core/JsonGenerator.class | Bin 0 -> 231 bytes .../fasterxml/jackson/core/JsonParser.class | Bin 0 -> 221 bytes .../com/fasterxml/jackson/core/TreeNode.class | Bin 0 -> 124 bytes .../fasterxml/jackson/databind/JsonNode.class | Bin 0 
-> 431 bytes .../jackson/databind/MappingIterator.class | Bin 0 -> 783 bytes .../jackson/databind/ObjectMapper.class | Bin 0 -> 2589 bytes .../jackson/databind/ObjectReader.class | Bin 0 -> 4021 bytes .../jackson/databind/cfg/MapperBuilder.class | Bin 0 -> 769 bytes .../databind/json/JsonMapper$Builder.class | Bin 0 -> 561 bytes .../jackson/databind/json/JsonMapper.class | Bin 0 -> 493 bytes ...asicPolymorphicTypeValidator$Builder.class | Bin 0 -> 698 bytes .../BasicPolymorphicTypeValidator.class | Bin 0 -> 602 bytes .../jsontype/PolymorphicTypeValidator.class | Bin 0 -> 262 bytes .../com/google/common/primitives/Ints.class | Bin 0 -> 430 bytes .../com/google/common/primitives/Shorts.class | Bin 0 -> 339 bytes .../CWE/CWE-502/UnsafeDeserializationRmi.md | 75 +++++++ .../commons/lang3/math/NumberUtils.class | Bin 0 -> 566 bytes .../boot/SpringBootConfiguration.class | Bin 0 -> 424 bytes .../autoconfigure/SpringBootApplication.class | Bin 0 -> 469 bytes .../context/annotation/Bean.class | Bin 0 -> 394 bytes .../context/annotation/Configuration.class | Bin 0 -> 319 bytes .../remoting/caucho/HessianExporter.class | Bin 0 -> 400 bytes .../caucho/HessianServiceExporter.class | Bin 0 -> 289 bytes .../HttpInvokerServiceExporter.class | Bin 0 -> 479 bytes .../RemoteInvocationSerializingExporter.class | Bin 0 -> 277 bytes .../remoting/rmi/RmiBasedExporter.class | Bin 0 -> 543 bytes .../remoting/rmi/RmiServiceExporter.class | Bin 0 -> 276 bytes .../CWE-208.testproj/codeql-database.yml | 28 +++ .../CWE-208.testproj/log/javac-errors.log | 1 + .../log/javac-extractor-9926.log | 9 + .../log/javac-output-9926.log | 31 +++ .../trap/java/diagnostics/diagnostic.trap.gz | Bin 0 -> 663 bytes .../java/security/UnsafeDeserialization.qll | 8 + .../security/CWE-502/JacksonTest.java | 193 ++++++++++++++++++ .../CWE-502/UnsafeDeserialization.expected | 40 ++++ .../test/query-tests/security/CWE-502/options | 2 +- .../jackson/annotation/JsonTypeInfo.java | 27 +++ 
.../fasterxml/jackson/core/JsonFactory.java | 4 + .../fasterxml/jackson/core/JsonParser.java | 3 + .../com/fasterxml/jackson/core/TreeNode.java | 3 + .../fasterxml/jackson/databind/JsonNode.java | 6 +- .../jackson/databind/MappingIterator.java | 4 + .../jackson/databind/ObjectMapper.java | 27 +++ .../jackson/databind/cfg/MapperBuilder.java | 9 + .../jackson/databind/json/JsonMapper.java | 9 + .../BasicPolymorphicTypeValidator.java | 10 + .../jsontype/PolymorphicTypeValidator.java | 3 + 76 files changed, 538 insertions(+), 4 deletions(-) create mode 100644 classes/AccountService.class create mode 100644 classes/AccountServiceImpl.class create mode 100644 classes/Action.class create mode 100644 classes/Cat.class create mode 100644 classes/CustomeRemoteInvocationSerializingExporter.class create mode 100644 classes/DomesticNumber.class create mode 100644 classes/Employee.class create mode 100644 classes/InternationalNumber.class create mode 100644 classes/JacksonTest.class create mode 100644 classes/NonConstantTimeCheckOnSignature.class create mode 100644 classes/NonConstantTimeCryptoComparison.class create mode 100644 classes/NotAConfiguration.class create mode 100644 classes/NotConstantTimeCryptoComparison.class create mode 100644 classes/Person.class create mode 100644 classes/PhoneNumber.class create mode 100644 classes/SaferCatDeserialization.class create mode 100644 classes/SaferPersonDeserialization.class create mode 100644 classes/Security/CWE/CWE-502/UnsafeDeserialization.md create mode 100644 classes/SpringBootTestApplication.class create mode 100644 classes/SpringBootTestConfiguration.class create mode 100644 classes/SpringExporterUnsafeDeserialization.class create mode 100644 classes/Tag.class create mode 100644 classes/Task.class create mode 100644 classes/UnsafeCatDeserialization.class create mode 100644 classes/UnsafeObjectAllocation.class create mode 100644 classes/UnsafePersonDeserialization.class create mode 100644 
classes/com/fasterxml/jackson/annotation/JsonTypeInfo$Id.class create mode 100644 classes/com/fasterxml/jackson/annotation/JsonTypeInfo.class create mode 100644 classes/com/fasterxml/jackson/core/JsonFactory.class create mode 100644 classes/com/fasterxml/jackson/core/JsonGenerator.class create mode 100644 classes/com/fasterxml/jackson/core/JsonParser.class create mode 100644 classes/com/fasterxml/jackson/core/TreeNode.class create mode 100644 classes/com/fasterxml/jackson/databind/JsonNode.class create mode 100644 classes/com/fasterxml/jackson/databind/MappingIterator.class create mode 100644 classes/com/fasterxml/jackson/databind/ObjectMapper.class create mode 100644 classes/com/fasterxml/jackson/databind/ObjectReader.class create mode 100644 classes/com/fasterxml/jackson/databind/cfg/MapperBuilder.class create mode 100644 classes/com/fasterxml/jackson/databind/json/JsonMapper$Builder.class create mode 100644 classes/com/fasterxml/jackson/databind/json/JsonMapper.class create mode 100644 classes/com/fasterxml/jackson/databind/jsontype/BasicPolymorphicTypeValidator$Builder.class create mode 100644 classes/com/fasterxml/jackson/databind/jsontype/BasicPolymorphicTypeValidator.class create mode 100644 classes/com/fasterxml/jackson/databind/jsontype/PolymorphicTypeValidator.class create mode 100644 classes/com/google/common/primitives/Ints.class create mode 100644 classes/com/google/common/primitives/Shorts.class create mode 100644 classes/experimental/Security/CWE/CWE-502/UnsafeDeserializationRmi.md create mode 100644 classes/org/apache/commons/lang3/math/NumberUtils.class create mode 100644 classes/org/springframework/boot/SpringBootConfiguration.class create mode 100644 classes/org/springframework/boot/autoconfigure/SpringBootApplication.class create mode 100644 classes/org/springframework/context/annotation/Bean.class create mode 100644 classes/org/springframework/context/annotation/Configuration.class create mode 100644 
classes/org/springframework/remoting/caucho/HessianExporter.class create mode 100644 classes/org/springframework/remoting/caucho/HessianServiceExporter.class create mode 100644 classes/org/springframework/remoting/httpinvoker/HttpInvokerServiceExporter.class create mode 100644 classes/org/springframework/remoting/rmi/RemoteInvocationSerializingExporter.class create mode 100644 classes/org/springframework/remoting/rmi/RmiBasedExporter.class create mode 100644 classes/org/springframework/remoting/rmi/RmiServiceExporter.class create mode 100644 java/ql/src/experimental/Security/CWE/CWE-208/CWE-208.testproj/codeql-database.yml create mode 100644 java/ql/src/experimental/Security/CWE/CWE-208/CWE-208.testproj/log/javac-errors.log create mode 100644 java/ql/src/experimental/Security/CWE/CWE-208/CWE-208.testproj/log/javac-extractor-9926.log create mode 100644 java/ql/src/experimental/Security/CWE/CWE-208/CWE-208.testproj/log/javac-output-9926.log create mode 100644 java/ql/src/experimental/Security/CWE/CWE-208/CWE-208.testproj/trap/java/diagnostics/diagnostic.trap.gz create mode 100644 java/ql/test/query-tests/security/CWE-502/JacksonTest.java create mode 100644 java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/annotation/JsonTypeInfo.java create mode 100644 java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/core/JsonParser.java create mode 100644 java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/core/TreeNode.java create mode 100644 java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/cfg/MapperBuilder.java create mode 100644 java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/json/JsonMapper.java create mode 100644 java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/jsontype/BasicPolymorphicTypeValidator.java create mode 100644 java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/jsontype/PolymorphicTypeValidator.java 
diff --git a/classes/AccountService.class b/classes/AccountService.class new file mode 100644 index 0000000000000000000000000000000000000000..0fe62ff235901ef711b2864459eeabb11229f78c GIT binary patch literal 186 zcmZXOu?oU47=-Vy)vAN|6jB#Ei<6*EfwcCs+imc{8(u?mEg)y)wW`SF*D;I%C`%YQ_e z3fFqY2W^;;i@I;_@3r%R{nvMK!3V+sw?N&UE7&@;1iy)GpaPt%A3mWhP&8ABK8PN;x&>G ti_$GiwIP`Tv;78om4eU_3}fI{a0Ok#AYGRnmZO~)!QZ+&>3U&;{x>~TNa_Fp literal 0 HcmV?d00001 diff --git a/classes/Action.class b/classes/Action.class new file mode 100644 index 0000000000000000000000000000000000000000..af8e196f4a2657519ef69991a58b37afed44899a GIT binary patch literal 264 zcmX^0Z`VEs1_nz8es%^XMg}&=7xl5QJyJ;Kckn6m&?Ggd(mZA}EkjAQTFt^lRs29hkFZ4hr5X6%s`rfQO2* z=M)sXGqc~V?(X(`{Q>ZbrvNq7eRyp&&?JOgK5>+@$)a_#RjDO3-?Y(oMyQXUKYcui zS+LAK!+S;OukI_cEw#y}a>8;(82lq$M6oJ0=laY^t^|9F;!9S0D{a)rai6Gi;|L*$ zi({FpckM#BO` literal 0 HcmV?d00001 diff --git a/classes/CustomeRemoteInvocationSerializingExporter.class b/classes/CustomeRemoteInvocationSerializingExporter.class new file mode 100644 index 0000000000000000000000000000000000000000..fe7ae8ebfbcac0896bc706aca3a5605edcbea445 GIT binary patch literal 303 zcma)1!Ab)`41LqquC5ioK=4?5aLUgKmc206XYAOhi{jwNZ|%rTRe6qECfVkYr4ufs31FpzFAm zg-+|pGU99|)CRF_zYTcba`mM(?GJCTLXK9Zb?pb$a*fOJcxVKi$ Otu`_+wYqQE!QcnP5K-y? literal 0 HcmV?d00001 diff --git a/classes/DomesticNumber.class b/classes/DomesticNumber.class new file mode 100644 index 0000000000000000000000000000000000000000..cec0c740ad3c7bdc020b73fa5fb0da2a78e462aa GIT binary patch literal 194 zcmX^0Z`VEs1_nz8UM>bE24;2!79Ivx1~x_p?tqN^yi~u^+@#bZMg}&U%)HDJJ4Oa( z4b3oi1`b9BK9~I5)Z&uNWS9~b=lqmZMh1SLOqjNi#H1Xc2v=}^X;E^jTPBDj;FXx1 zU7Vj60@SOQl~|U@puoTmv>5~#ff#5vkmdxkWPvnTL~A<(<3_MF7mx%=Gcc$CNp2v` H#J~dp#)%}m literal 0 HcmV?d00001 
diff --git a/classes/Employee.class b/classes/Employee.class new file mode 100644 index 0000000000000000000000000000000000000000..5a04c366355b02356bca71e981e136fa2ef35e33 GIT binary patch literal 183 zcmX^0Z`VEs1_nz8UM>bE24;2!79Ivx1~x_pwt&>4;`}@y!zME?v&4>(fmuT{jGcjl zk%7ZCw;(6KGBuTvfyFsL1xWGxWag#%mF6a;7KJ1xK^y_E#N=$C zVIir-C3;zjWr++54D3MbK!6d5fffR3P9RGbNP|VRwlgqp1WR)PNsu%HgEo-l2GUFn FJOKHBAZh>r literal 0 HcmV?d00001 diff --git a/classes/InternationalNumber.class b/classes/InternationalNumber.class new file mode 100644 index 0000000000000000000000000000000000000000..35ad8fd1513dd441dafc898214a2aac7eb2f9b22 GIT binary patch literal 225 zcmXwzI}5@<5QJyrBbulYtOYwCg}op)f)EiA4EAR{@O<1sya@g*E5X7a;ExhF5u4qa z{gz?gpXUp}2!RI&1sBB{N+=Wj)!t~iOwU`H5Xxhvm7Nd@z5d2Uh0qGMm5CNs87)r# zKR-69w#jX3c9K9Lq4<-*LjBVsu{|;L)+SA2Ia8Tw&P9B@7#+!r9UjD0paYi+0i1#= eyj&rx#@=Vw&Iw-z570fwHJ%v;x;*Q=9W=gH7%S)i literal 0 HcmV?d00001 diff --git a/classes/JacksonTest.class b/classes/JacksonTest.class new file mode 100644 index 0000000000000000000000000000000000000000..30b9e312a6bcb06e5579cc8ec092d647c74ff085 GIT binary patch literal 1043 zcmZ8gO;g%X6g>}uPeN3XqSE@^uYe$JZEY2c(>k?-gLDzb8OJUf!yAlZ!i1pxN3PxA zw07#Qi~gf-YHyN3u`KSrynD{MAMfS&-|s&GtYBS62w@IMK?DN~@k9MYFEn+lQTVif zC=8cjV9m5lx5N-uGdmoE3@IOE3AdmL=R`P~Z5#<#28Zm)#26&CoZ0aXh7=5AghX`1 z5G_(ms+r0y-6s}hBrwX6RB#U|hLQjB48slKmaSID)m%sD#|+~=71J*CB}i!;6C7y; z_wj&=`AT;&)EsHl86xW5`%IZ*>dw?u!L%AOCNbm9GRwdTSEg}dn8!noM+zR}2~G6Q za828ywKyHJDK!|YZ*@g)1qrAMGTv$K!j)h)dKD2h=*r)n_Q^?37uV4`ch9SLP z*E+41Bie02txoid-!OcA4wd5tLu^Yoj@q_W6K&eEv|-l;ZL(roqS`s$7f#Kq!62WS z?m=*0#8E535Try!HJ2o|^;Qr1;j4FLG-I1%^-j|_8HT84HZ0xkI3zyP(_8D?MX=Cf z$*&=6cE>Tqrs?$(?`wI{yD7}!IXy@37XmE|17w%z-xPU9K9aovJEwr*C0Q>G3?YhF zSVq``vPqu?G%vw-!xxBF7P?Tj6B2$5R&!m%^IeQBOP843&4*Lc1*TUc*>vO^=0eE* z!Yo0ao*`YOcr=J(t5QBKb&<#E9m%BQLM6Y}aCAz{5e8d*{C~DXv z{~2FkkPrDCFCs=A$0?g2#wfk_B&NwOAVvH!Qb-VQoS1POVFIrSy@kPRO3+6-&%rq% r7)SP+l%$&@I`B{VAFxe7%WnxmDnco|Aw7xw3W^kkutxD)KPvqL#lhGD literal 0 HcmV?d00001 
diff --git a/classes/NonConstantTimeCheckOnSignature.class b/classes/NonConstantTimeCheckOnSignature.class new file mode 100644 index 0000000000000000000000000000000000000000..d41938a219531d38c86c86ccd3601a0f403ba7e9 GIT binary patch literal 7481 zcmcJT3vg7`8OQ%O+1?U1CLurqc|d}JAmXyQBukRru)6`` zTLjr8bzW1V*FRL2+nf9LMr-8|$Gql0@l z_nvd^IluG&{@-`@S6{z!7{DSNaUlblI&5y(;n0x1)xX_e+T#y(mNsqPY6M~$9E*dY zU~Gwo%)+9JTyP>whs%u#aBG;Pnum;7X-hcJZLswzokpxK)Yl(tiA4;5uZF3GMXOY+ zV7N5xL4^~iXmG9Q^#@v3RLw6dcOe@&I&$5Zj46qU>?{pL2Kr**(guG(!vr;SH0BQl z3=L-&n!~EO@@2tLXNCEu^j;M%fg9(cOoLlyT-DQ)n6s@=O*tD2-8dhMIJy45 z4u6br6$y6DMum_lbD2R!OoCB)*s;j zIRSq()*3c7q}DD<5QJ&FW%|?wIOHoUv9fr|Yn?O`lI7;hLZVAL}ESH(CFn6j> z)?JU4I##*SAX_m_ZG6-S^hbiRfzk$I^LH9cgPlf{s?~#0^-?FAh}IP3j$o{7O-q#v ztFcB$i|DeIix@gi+LBAscVLJhORd*h&AI5+xX6t*tkd9>0Fy@=W+Vo&dNfCZ+qoqx zjRCcntFcgeZgAsb*-%@Qz2wFva$}RJs=B(OIw$=6g9|B9p;eE7%%3`$cLK8<0*5oL z#}+p_B_13d3YZf?4O6OWTS{xHYf76}*0hv0Q;!Tm7rN1-qgUR><*0D8;;|;!*JVUB z6n*0yhBf88yV2*yHn5jXD2a;dObJAK#aRu}Hq%?ZQKNSjQu7Jc`Gd z0TguAT-Hg5+xGP^rXG6YgN2Nvnb(qp`ntvk_?(>tkf} zhob&11~Y+jn>I$L@|C1nOi3&!m5eHi+9jA{{y=wwzfTRL<0%ap8>(qEwL1ewUo6Ol z>Nt?x95pTLiH2F<@Y3kgG@B|M*=VVmHe`}b{V`_4gauBNB}9^I;2xM=)ru@{ph)MA zT+A@hr~5*?j-N0C40Wbd0}ZoBea(p3O;NKOF`4v9njsuBb}|x^k(5S!*d$eCa&|8# zLoq#OhfXUs@Q7)hnKt{O&C=tj=mc6>T1hQ5HK2wwLgBShBciI5wk{*2NYK>M+vEqr zy?y?O=ujq_%z`@JpoT`tO&apei6u8(daVkF8S)DE$lI=#aDOCVEDMV2XCEii&XrAP zIa0|oPX5aULmdu&KEc0c@T&1@FFpwEMSjun1AfY5U?M+%h##?|H2s)YC$BAY;?Ns% zCk|p#V~!24I(;^;#}-FkTZvqz`Rv~8nQ;{O93F?qK8Q2Rb?*`A-Z+Z#^aG9jo-5z? 
zV}j47ddw|(okQC(pL6u08p}|}YlfOgFtH*|8%`aSx_svA$ky?s`HyQl%5hoDCLTi5;XTTMZPqQ`PXH0aXM#QKoB!= z8bQp&EEM8QEM$>%0k75ER13ug(hBo>m%`HYf9j1nKkQNeXDR*~i7wG!ni z3gaIoFW^N+2fcz}m4Pg7&L-LN#@xn1H2Z8G8{>X$GFYe$k3Ej{;u-BeM@d2$x<~go z#59~GG!3e!D9?F-k#z)<<&XVvi>jpOT#wE4jS4!37pu^WmSNhcCXpIyV=0N$VjA1c zVo()P4fE*~6)eMQcwNSj5pApy@2HW(t7#8ER`#)axP4e&Asza-Zd}x~k%%rKqD@3}DG~XJXfqK7sHP68 z$)I>TsHTl6Jl~<3;y9QHwjBDfWXUZ`O(n{QeYV_72eDa#%kbHAy9TjU^07oo_r2O)vIRByDK7gk<{hR#NI_>Ci(5>ZKQlc$Ns$f&1u5 z+ZbsPM%^~{-l{0Am6)rCD;Yh5D(1|5-9030TVW?nMuwf)akQ{|#R9dMpd@8nr9dTD zZ_6DZDY^=MC63F5%@sa}iHvS!BBLqAaaEfcjilvqGNE15R$^89@t*9 zu;nIPvNIu6{L&PvvPK5K;+JNcG)ZAK(kAOp!X|4}{ocyVxxqqZ+T@c&^%QmYG-IhJkD6V(f>{hw#=CsQ`Laul0P#Pc`^>~NA4q^=i%tv5*}^T`lUrddW= zx0wz&hO(`UKIUb*tXHWd{kZoM*~FPb4)TmM$VB@xW%LT$9%3!>Dr52xd%l#CPvvm= zFnx@Z&%JKd_5Y;L>4c){*P*9h!6d08bpX!2_Ym%1@39}m199vvcUb3N$Fa`8=kfUF zWv#k`Tc1n`XRDofgFt>xn|+g&$6FN3+XQli=bK-!ra!`7Zzvec#QGOQPg;NK>^s(j zjfI;)|9S$*$TQyZTGQN^S*w3`jxyKq8m-v-IyO_NtpX?E;4eA)#m_1Yd z$iVtPuPyOYL+<1J`9X3vZ%*?$GRyTmrf5#c>v81i3(B1yn_RN;oOxM~A}6!lW$l6M zz;2yW{hjSZPF$H>L^G4LmjT?Nt}!O(%dP!sq|*WKveoZ7?LY8Wh(B_nf8r7S&o~Qz z;c4_ep2z;mJ^CA^{&!0KeUA4b4dH!`_#SJ>4><0Jtd>6D=)|}gf{A#n-!ROA zNRFx8%CB*brfHuc<8#=*gi9OaZyIk}%+Kf6O2DhS=wz5@mOJyD3cE+}=Q$S;yK}*= zYs&TAPBQ*Sp1v2lZ9i;mX>EY>SV6FnIo8XAN=p#b@7a@O4$p0qf{}A#g zg#2GZ{vUaL$|Um{L+4Z0MPIN8|B^M)7aZ*)1+`V6E=V~AgCh+pseX?U1CLurqc|d}JAmXyQBukRru)6`` zTLjr8bzW1V*FRL2+nf9LMr-8|$Gql0@l z_nvd^IluG&{@-`@S6{z!7{DSNaUlblI&5y(;n0x1)xX_e+T#y(mNsqPY6M~$9E*dY zU~Gwo%)+9JTyP>whs%u#aBG;Pnum;7X-hcJZLswzokpxK)Yl(tiA4;5uZF3GMXOY+ zV7N5xL4^~iXmG9Q^#@v3RLw6dcOe@&I&$5Zj46qU>?{pL2Kr**(guG(!vr;SH0BQl z3=L-&n!~EO@@2tLXNCEu^j;M%fg9(cOoLlyT-DQ)n6s@=O*tD2-8dhMIJy45 z4u6br6$y6DMum_lbDbM^(eOlVm6k`OjnpYRVVAN z$4VWm+-Q)kn5H&9Y6SWt!Pr1)1F`u#jitd(BTCik!Kiwv6HP>G3UWs<*0rXk%7xWf zqoYN1*~&!>9j7JO8S=;aBV<;Rz5_!9S!%u3YR*Nk#zk(lVVwr21eiS1Fe5RD)uTBQ z+|DgoX$+{nT#bd&bAuZf%ZA#b>?JoYksF&#Rn^rM)j8qkA6!U@3axqsWd792yc3w^ z5ICG^J+`>fDe>UwP{5oBYM4@0+frInT~pe;vZkf1nR;Xhy3mat9li24E=Pr%6^}K+ 
zzAhu8q39duFsv!x-Hkpswt>BDLP=CqXG+LIlw{M5=`QqRyN(^Arkzxw+AI}+rq&pD z=cK)vENXY+vIN1hdGmzcC!lQrGW4AQh3@NQTvILU5`85 zxKos3_lp6^ox8=H?$MAp3J6*DeH3IM5!^bymvpf-pLOAWd|wjABKdZ=3lHI89gn#2 zC>~=5P|#I#StlWG_xJQ0O>W$ z%Nr=txg!@dO!Vo#(5~Yr%m723Db+y3>``AcVs=y1>_$u`eUfGf$Bdnf#AGC;5g#^5 z6`7pf%gInokJ+KqN)0?>T4$!serU7wI4U}UR+d&$3r!8E;fzptZPbXUDy6N<2q_XY zwe&Xm0hQ%MhceM*7S!TvM$3H~*MSB+PD@j+-W@{5Ka@KYWG6Z!c={D>W;>Bqb}d2N{! zhu)AoaS)Rlb8L9k>9ct~wm9WE_%xUG}>;@erC0?@db; zf|!ZZ2x2B?p%7DjB~}nb1M8Sp3&>nz099Z|F{C`6%qORzgh1vJNGS{2bE%7Y zsO5D9+gVU*hd`k?5)v7^KAyLrj5SK?PE;D-93|x>v5-v8XOt{rl=vu)3a)#xiYy1F0WUH-=oJjB3}kV0Hp!MZ<~9zZ*=O_E824+F!9s0#>~X9Y&uI5KN)p1* zJ-Wvsrr|81X;3{ydCmijtRt8#f9!`_R3$yR1!>oSInXk(3dM~xg_O?&vUvX9ln?Zfg4d7f|(mO4XwnI_^K zVj@4a@Jyw#2%hfa<1ro9!6iE~`8|$}ZQlabaxT(~b#fB0P|YVGpoyrO`E4~(ts$xw zqG~0owJ5_ySi)n-a`tQDbqzl)Tut8{u9qxa-&##|ecHHfW}k0k=b zl9uC$`t)QdIz3L0K8RR(mKAeZ$BDUWda;)xX+yguB-4+#l2SKIhaNgmFTFU#vqYE< z+(%E^#z>1W>b9}>Rz+#8#9TdG$> zpzAmQ+bI_>L4^qp7+{%m8K&cM=JYF=;;v*WyNVF6<}WPQ(6+8+ ztnMQI>nOrq9BqdJx=w&@#)J_->lMv$VtUA8+DqEFNo zV^;C27V!eASdvFn5jQz9wMK9 zsk>*0>HtgDXBpwov21&us9s?0|2%s?nX<{1qu693p2tC8hm)irb-f5|y-6yWPlkXp z%`(cm&2+#qlx=17F)!0)y-FqN$Gw-xCe9RckY}7hCfb)NqgUAW5NnZF8IyI5>0_LH?scoK|0jJ;Clpn`4n6$}CP^Ks190xWhj9OTkNqGXh+}WL!#e*uj&=S$ zkHr zUgmSsz_0mR!aLOYZ+J+5hbPnDs;Rn>@s%9Hex`lSJ=VCm#IFq6#q2HlWRFm7P{+u| z?3wCE2G;+1ZHb>6av$f<50bNabDGbQS+3_XMRP)4k0VcCQ10~D;>zSAnwg}%4B!rRjWIc2ZtYJaoep@Ht$xpG|AD_k{E-X&6OZVB z###6aPowYgJoZ=a(cdWbzfD||{x>22 zhmb!ZfT{UZ{PE Otg-TZiv%<9_WuDkG54r%BA9wmFztlpE+|p<8R-;dC`P*n`;0%y^E(@4e5Jo|yw_xNn)nj|0MLXJdF^c6d1KCmat5SoIE=xthM^*U2X(tbwcfL ztst>l#TqUX8owoanhlIaA_=R1YIRfLTp@Lpure^d(=~dmCQ~cCGMZ5CnmtZh>MJb= z(`+Q|wiu-xS=3C{n|d!dN^{R%wbuLpp-CHr<`%a`WsSIy+QJ4Vk z;0iyV@P(Zp5D3>8-Q+)o$b)0hX9k4pyoY08z^jQHoD!(dP%4s}C#bwV#>Ia71QCPk v5f1KTXH!?l1KpWotj`yI%!E5col&f(qjpExXFVc-d6;!jWq7PRT^lM1sD#O59*)__Z zD0kD^7lxPB9O%6y$Lo!U9O`XdT8i&e4ylA$Y=^;_i6MJ|(o5sWGr(=aZ3aK)>3gjuyM z_fTIIj>8LL&MFA$La`iAUlck+n?JbkEO+mDE~DZ$?kKn`=Xa0%Hsj>1LW#Roo8*kY 
zcW`=xwy~Y$-NuxL`*^?*mGO~F49Pl3qhiCh4!A3p#o=svOBT&&n8ibyV6~E`1%`;6 zfVcEm!xKEE(KsGfI7Ly2BFhlZ%;$6?Yv>!xMs9M0=kt^*6?2$Zupo^+qaI3Qjffdm zWlz`)>GzsCwUrFbVM)WsSSA6|kj%!CKk9~?cQ)qGsbUT53N~a$K4G}z_0`L$pCHQS zaFD#7tFzfjZxf+W&QmKoR;-d(tM2a#dz0@L=}CLFUQiVLH)k%8=O-_eRNMzBN60x z(0dn8wJaC_avJxr&XmRjkVe&U%lqEZ(sv%BHw1#}I)Mt5sJU|0HpPM^+jrxCj)4g| zH5yQQj+yXiB3wh)PxRccY)1>-w-Z7Kg|-u)(yuVBZPEW{4Xl|uR$nt#4G9UCsA1qV zVmBf75MpltQI!WF;YxL%6N_XX7&-n8p_P_L{UgUeAU4`R(to#xk8peqf^GIEoskS*G=%?06Vj(8-z4lIk~|!c%UTOk1i8h4%zk-d*5C8xG literal 0 HcmV?d00001 diff --git a/classes/Person.class b/classes/Person.class new file mode 100644 index 0000000000000000000000000000000000000000..4609ee559a69748e302d16e9aada4e7c543abbc7 GIT binary patch literal 587 zcmb7B%SyvQ6g|^dG`6Zet;h( z-n5|Lu8Wy-ALrZ$_v`!P6Tmt4Y-EtNkSijO0z+lYpScroHFEBHW6_Tp3YSvJ_=+KW zc+|D9K#_Y98Lb#{iid)s>iwzwIFf2~L2N#v6muE!lSi%o(PqVoR(nWPEJM+iM)m^H zR7%G@mRcDG$Ls6R8FCYg=p_uCG4DT7Ux)vaoHqHL*NJe|P^V23LygYn(;c`2lIB}p z)AwnomL5=zvL}_eO~RgtI-CY$uzj6GeQ_gGr_!Fy(h(+Zq}wwTU8O|S3b--CSlDJb zoojp=!@@4Z$y_Rij61+SEV?6*1;Zk2vKW?7oMH*f4qX5S-P-X#7gWYtduvp*aiUMG!2dEhxQj;=?}sng=m@=)dYo@Zb;dM~R!L zmzmw!nPvBMJ{$oI(eY72*@M%7iwYrF^NvHq$twJa)+){jm61+#HYSvx245bkg!<>V zP1O7LH&UqwpU^E*+J06>c3X`z=ya)XkwzgnC26}>l Ha0w3=eW^0J literal 0 HcmV?d00001 
diff --git a/classes/SaferCatDeserialization.class b/classes/SaferCatDeserialization.class new file mode 100644 index 0000000000000000000000000000000000000000..ac151701bded6f6662f7f70498d96c1908ad73c7 GIT binary patch literal 2174 zcmb_eTUXOq6#fn%fe@vlj)IDpDcS8LrB6w1F&E*)w zw0Xp@j-?{>B-r;`Rw;WWdZR#h2hcdMpEnl#2VoKfvR%aGea#mqV4K#BXl>h8szMUt?2 z*G3&#jBA)MFo`c1&V8Ee4H$+a{+29U&Fq+ZTTyxYep&36!SF9oi(V zY=tIaSvCSoTys<`sl<@XDPJU-k}?XTfcqs8ElE2Z?8Tgpn<#218MuYp6hJ2|$6J*v z!YsBTA`4#Q7EQo4nzHre?ayR5ZKK%14er^l2-8I=R~mjkQRwzWNl5-@sAf=7edjM@ zmmjxHcD#*Tp!rvJB9Tww?t2Apb0S-zYL#_d!n}cL%%m{GV9a_RaYXS*gtQvkpNWQt z3}YWuacS4(xQB?J0jKm*n>&{0<_8+e62{DZ4>>LJysl&-RE8$Tew%5!EN`-cuUG2Fz7 z;yON`Xd?3)vQ6YllTCcJFgZSSu8Hp#I@qJi8-AylUlaZtTIg?S`u~9w_zP$8cgG*$ sUn9*fT*nQ18Wh7U$?o7D?xRAI5xR}gYG0rq3t5`+>iGbV@H2-013i6+9smFU literal 0 HcmV?d00001 
diff --git a/classes/SaferPersonDeserialization.class b/classes/SaferPersonDeserialization.class new file mode 100644 index 0000000000000000000000000000000000000000..961f0d1a56fb41241ce2ee874208077876042141 GIT binary patch literal 2634 zcmcguZByGu5Pl8_0-*+%kTijYro^^6JcZ8X4&^~#EIGx6;3eIbo!D|fpW5s1S*@nxO3(b-Y zm%&Knx@ju}p5;_B#~rPV>2(dWxX5s#%_>9oxHzTCnZp|j-jwN2Fr@onOkblK$n!=+ zX7_r3JBiplO{0nw<`pbxxP&yrl^28Fcf)YDacC88C;BeE!%F$+d>ZA79@4R2pfa+{ zGG%Wu=tmP2p7+p2M!`FD^4En&B&%4&6$Mu{yoYNH^G7fg^}{gg32xGfY*L+G?NO(Z z%3ZO!?^B@NS`J-Nbu3~~{@l>;KByB-`yx1uDTW9C2i?&qiLH+qrV6|)ypXb+!WW)J zedrOFosnT^#Wjh6@toy|JI#7YcpJQAlO`Teca)a@F)32Fj5IQJ^`Rje(wDE`7Q?A7 zNl(Afx#`E*l4Eu%gfe3DddcK{ZK7)zr-C}&BbUidhD$HtF@BlGLcwi%hPY)(GGdX5 zk(LpXYT0!IKk#@XFM=)C^v8#BSH(K+Dfm=F0UHdnT{0|Z+pP&b*A9y;c$phC33h4Z z)T3{IN4MWG3IT3&$FzkX&$(``*~mnyvC~;2ngfQi7e|-(|1pGozHRhabUd%n94J_U z$izUzA4o{&;3PMRthPH8A0?&qH2 zwHHMS42GHKFQr}*@`($CJwTTT(0xPx57YEtBI!Imnbf2ngZ)MV!!rHK&p-((R!AOb zFP&@afYB#VfIWP{9a1+$3p;madZV$GwbS?rFS3#=mxrW2)q-gIvTQ{Q(#E zFfnnqg{c-UJ>oR?@UdhGqWm5rToqY$%^8KXP-b)A3$k=K?&DskBN&>SIpl zf!`Oy#+j6cq%aqmGsJDA#+jA;MEX;*x3PpP^jiJrZ+fqwHIa3b{>*#s9fEx(gW)>e zJ`6mh)4&ZX@u`nd%!?aGD8D_#`F`sN0U4D8Tx``Y9iZO&L}^oi8cJlZVHS^2N1FiF csTWYC_$@lOcfe9&RlqWN3s}jczU>|02WNfq0ssI2 literal 0 HcmV?d00001 
diff --git a/classes/SpringBootTestConfiguration.class b/classes/SpringBootTestConfiguration.class new file mode 100644 index 0000000000000000000000000000000000000000..e221e77d8ec4ef6d6c3b0635f59de2c348af0b5e GIT binary patch literal 857 zcmb_aTWb?R6#h;Uo4UrdCat%qz34+~&;{QlqNK5xKu|DM5T7R7Nt|{w6J}>)@mJ|f z3l{tV{wVRx##$>CUtE~k!?}FtJKvda-@kkX@EG?3!|-K) zPezU~^F(Roo)Yr)wKqk~657TN!(?og9uBM+$q&ZvhgOb^V^8?rxv|m{voCG9&30#M z_oSVuNNyaAjdjunDEhva2$fb8nN+)<37ye64iF&kGs-2*VV)2q@+3}Jtatxp+4RgR zgz{M|53x|fBCZmurw|>@1O_6KgoWR++ObHI4C*?e*2@N5H^%MA#I=ncs9|b_Q$`aC zZL`beb6ut7i*(eNc1QGM_AIA55d-=6!3kUSweEjVu*n=>v2JQ4Sz?ta?%&edxQt># zcyMl)$nf+BE)>5~!*wY%qZKsolCTo~dxW58QX9!lr8;>GLcq^Sbfas zJoFnQJUW+BpEV9oK^BZd9%uqT2YxX;Xj-3T$s+7MrMIivhN|7f|N-9X?C% TKnb(TVTHXptY%T)_Ac-PB$e(` literal 0 HcmV?d00001 diff --git a/classes/SpringExporterUnsafeDeserialization.class b/classes/SpringExporterUnsafeDeserialization.class new file mode 100644 index 0000000000000000000000000000000000000000..10b403c2e1e2df09676e9c691186cb2e201cdd24 GIT binary patch literal 2020 zcmb7^eNz%q7{$*O6hah5Efp>Cr4Z89EKM;@@dYNv8trA8{#v&yUWHv}cQNZz)jv9u zGkt(QRMT^pRWK098QHsc?{j|VKKIQ1{paT|0E@^3&;pMS-XL1h#?W=7o~lY-)pN@0 z{Uff~3~kFo7xoH+CpP)s2S3A{VdfO;#1wk&z*GzTi(wusCNCH^%_wF;D7yu*$IVlr z@y)Xn!?d{>fKPJT89LWA%_!=&yFh;E2%-}qh8~MwO=ol}I#4yv&>PE^U8VA>WhJGN zZietpsZ8M{A3zs8QnNRRKHOyplruv;L(K8yx2hH;`&$u7?c%QnBhp_VatV;Q;6 zhYU+~8?LEE?a)xt+_HqKSM_~D_G1FQ@~6Xx1VgH>+@Wos2>sMJ=BARSai%n`(v3^q zxYUhH-5G{>s%Y6pf$z#Fa9O9RwlJh6q2|Rm>QXrlij2b?!`Pk^q^l3_bW1(p8{Beh z90BS@%J@u;4`qeUcZ!95ZoXCb^EA_6bPB2i$FM-BRClMflbU3R>{32OL2f} zzxB8owi|h9E;nQ*dS#{#ZKhU#$lLmHdrY`KM=X1=_E3VD4x(QF8|uV-);luJLr<47bf;rn=jJK01yaE>6ocF}A296ip&y>kpFy1lQ?5lwu*791oZ z5Q3lX-cEF50AY-x2b1W1nG)VFh8V%I|tk9ZOysQSq3GlcAFy#QIs{l~~NdIF57_R|XBfvURE?|V7vdjKU xCrEA6@haey$EGD3r;9uO!#0CG-|-*e(g}_wmNTgDkPi z9Jqv0^UY-t>55gsN0k(s(6wx9ehKesk*(Ndb3$iTev9UXZ1j4+O>`CiyWFVUSE>Hs z+UkF*^k-L^Snuq#PQe=-sY-Yh5T4MN{v?pv!UNe}8$~XYGw9UFLz%S<%w>AQE%<+x C>@vgv literal 0 HcmV?d00001 
diff --git a/classes/Task.class b/classes/Task.class new file mode 100644 index 0000000000000000000000000000000000000000..1f99093ea83264598b10973e15e375a19c06bbe7 GIT binary patch literal 219 zcmW+wI|{-;5PfUZXpF`S2$pJLN)g3Iu#ljF!G05muzog>O}v+tVBrBglsE|kZ{CMt z-uL(Z0GPvbP=jTo?xKOFK>s2i(!WWa`1|NWaW2qYDy{OBfHfMQY_tUGp)^;4mNZ5s znuuv|pva7x)s-7~H&&IX$-^@-D-MBf6=(M;Yo<-P0|EYSge1D$VV($)KjXbAx$T zx6G^x4Vx6)r(rXi8Jb3Ue$lbaDd7-}dP#RLPFndzL6fG`ZH%O3Xlx-j=uJ)6jMm~PEn8%y6CTrAlA?g*zB@i>k4^eD%=4~gUr{k2>p6fy4aYFVpyerOSDfKCm69R5 zj<~DbKG;j;2@S(IN&QnTHpzcs)mWu>0Ygl*@nKc9Dpg8#A0aJsijRC4!Ki|#HRLeH zuy=iM>Qw3XpkXkykdVAqExWpr$?1-pWk?KBc}eCu-4x^H;+(Ljqy`zWRyFQIZYfD3~PS)=q%xKMV)&$}mGmk*|NhCns+A5v8_o%_u3Us`^r^!h-(x&#r;B zZXGlWLuJRcin949{BwX5HEi(WT!AP57frH{p*2pL(+vC9X&`x!+IuaSaLz;7OVZhM zWWD%W&64{W+V2HV?xPl(w90l~4C_)~&7s?Auhb7M9kVRgacy226YfQ;;B4N2ITd*n z6bKFTpwqCuCN_Xa9uL9DsZSr?^=#gpg4Y># zuD+FCG=9FZi!9dBg9h|&fqehaOJtlzJLs3mm7W`5*J;3Tn!fUH;7zDFL*qJcYp1sc zY`h5tSVmKAyL?#zZ=n(I;~5$yXzK)lr{ci($AUi~@TU>***Gvg%3>^kM&Pd_;ORK< zmRRsN1pXxgo{0lL5DUIe;N=LIUO7R+YPnrT>#vlSaBgqaK+URDLI65L55or9o9tp-@_EOf`ZwEd>e%0u;~y1@Sgbr|CeFiIWKz6>oS~ z6z})@1>an}gf0Q~MIU_e5BLXs_01Rc+cQa9mi4miT0PlkpMCb;-?#TUXMX(s>u&(` z;!7Phn4=+NAdFgtrsL*GGnO^;nb`i(<5t>JsO`7&wl|dJw!LFo+`PU`L2zEZBVF80wcW*a6b4C;$tym<`+7uRb&YFi{YQ+)*OR-F$P6DPT z9G6gtHzjK;46MW|1x?nH`CuifqXq5adQBxi`su(r4V?zMu)fNTPi4iSUNGIFRhhI_ z(g_TFD18#I1KkFqxRLQrn%R=Ie_UbhY_;5H~idUu+N56qhLS4kp2gzvItT5kC zA!m9Mu|YdivDYzxb{TqP*k)k6;Aou2F?8BYd$P7eSl`LU>`byPNc#Z#W!PStPA=!=QhqJoiT#XT#~ zDRle`@W76^Q|Q-l@VZ_N)-)U@`eVmtmM*Bgj$s@za8wAc55i9IGK^ye?vj?$Jjd@I zvA)N^y;9Gx=g?AziBSz{17mWURuNh(<2adY6=kg8+Bw^^Pg+GDLyzd{$6Y5kc*e7~ zx~_Rf9E=;tV1kFBxs>;MzT4V;h!Bc6NafV8rX9P%0*iCR!-|Hr6)=Je8=k(zo=JDbkmb3Fhc{16RWFo^` zkKCI|-Z`Y8IIZ8t?)S{f(VW8vfrvueoG~WaxYy2CI{%=MpwL?KGw{1*Isx``n5;;9Z0$^F8GF9yQDOtN0sUe;MkM zzu|q3vJ4m;Kfs6FM$?)&w=JW`(HqLphMStMM)q|_%c$QNiq45gL-C1gXi0>xp!I0? 
zWh_k8w$+xg_^O`JL|9HCas@3%qnEKdQP);CiM3bfCUg<#FGhK;$Tw3kM7XVtKFal1 zFd%!jl(F?1Y7!08^Ff(6$~;7ap)z)fqG^UADT;YbevrLo-0?jQ)g+pO`3U{{^Oj(K zr$3n=Oz!q4t9|k$|5>$_@IB$wa%IG?iNEOq$)jd(PcGcXNOII{pq|4(l>n&?=!#!8x=u1o!wpkL%pniNDD0 ziM+$m{!lYCXP%)o9Le?)DxjbPGWk~7V35O+)I#3TOd}yf!FdT?3c3+w=v?Rdf^8ZZ zVH1t~QFC_FX1*ZE=?wqDxReZmUMeFX;Q~V}Zx-X*+;)U@P}Jjl6^^*d9iGz+wOZB& zFO`HPqt7k=5<^>t+XdGhP;do<3>}u>YL@F|!7v+6)!IrsmS*fEe37KiZ95V1MJlZ) zBn(k$%f*sz9tt7h8j0~zSk#h)>kNaNhRwG{C9))JVQE~~K5Bya7d2|^b|;5KFEubOJGa5#n4x)`(%Y7`cH-}(s=p65r!&MuPug9)8sA7 z6Ov(E=f#}L&y*dSX6SFAX(Y=qa~7Vu5<^oAqyIyNCTW7wX4%S%70p#K=o_vHS0xH9 znxVTQUlJKXWeX+7-bF6=otISER>uJpqi6G|wI=kwu zN3x_AeZeDms9+qiAYv4F>;|4Fxb1n1u9s90MT|jNGYnyQLndfgR~W`lY1>F939Agl z%~R<+t7uC5jnK{D{v>+nilWP6l&m3oGdB`F0{ct`!wvd(mw_e72$9|5rH*+qpySx( z_=?V2x_kKnYY1QiV`Q~a>P-TN8-aTof?p9hTL+Fb0@Jep(F|1@- zPOqD)>lRuT6wfiNdZCqp1NiuT68bT~5Gfj#;XP#-Y=sI=%Go_$w;K|MFic_(s(MXr zn%)b?KGq%Yw4ydBhxB#I7)B|__41mc#4tuIC5?+q5ZEnFe48QDj_*3srGiNbqqxJc z)Oq1!m}W?B%N2Qht$Ywjy2l`tG@e^l!Zb&Y_%(HTNwfdaUIua9u2M0&%Z8;_nvFx< z*;NlsTG?uoXtwh_7~+aiw^Xm`5a>WV&^_v6UH3NHHR<0$3;N3tD{5vi0HI8l05)1$ zz=x&SxzeWvhJ<1_9Zladcm;Y}@6tSckJ4721-lI2h04D1u47l^$hk0jB5 z#NSI&d=KX7{W4zgR}*O=_XW}ggzNDFA92#d<7W|qNLI?t-29AmZtf!n-~VAq(Js(O zO#SG>0P^GsSRjT)ECq~XWVyz0?gIv|k`2*!Wf}K_(3g}Pf0n*M*iVmy(nL9ajtSqL z64Q5mHxvF&+o3Z|DEs0WGRisFRY@sy({G$gDh8rf@PLp7Jj5g4uA)FTLCgYuV2h>U E-`^iiY5)KL literal 0 HcmV?d00001 
diff --git a/classes/com/fasterxml/jackson/annotation/JsonTypeInfo.class b/classes/com/fasterxml/jackson/annotation/JsonTypeInfo.class new file mode 100644 index 0000000000000000000000000000000000000000..a1b63a00bc3846158f0b9c5da724023c85ec030f GIT binary patch literal 658 zcmb7C!A{#i5PchxxCx;or9jexT2&P)ht?c=sd~Ypj_N9LB4dzH57ovQA_seoyql=` zwI28YKC0>%q{1N*%334632_w=bKEYJyN%ET$1$2uM*^iWs}?Dv*77s`A>hRrK;natSt z-Ey6qP)f=aLtycy3VMOn?SYihTjKFYC|V*IB^4kx67>q zGVIJ_X5)h=B*QF;qXi4C;LH!bK387%Nt-^UBg(afj=<5XqZMd)N>P52NUe!yRr1CM z0{mLMD*RCdzqo~G%*v=SmQcq!N1IuLH5)%sAw0)s0nGwh1-vL=3oi==VH-Qxy|WN# P;}x?yAGCSBKJNSjk3P4a literal 0 HcmV?d00001 
diff --git a/classes/com/fasterxml/jackson/core/JsonFactory.class b/classes/com/fasterxml/jackson/core/JsonFactory.class new file mode 100644 index 0000000000000000000000000000000000000000..dc6918396489c226a2999bc8bc9cb4bfa6143832 GIT binary patch literal 522 zcmaiw%}zow5QWdcg^P%QKPy+VG2p_k4aAKJCWfd9M&q*7N{Zauq+E!;m99uM@d11& z;|vfMZs=lW+Me@uIzPXk-vG{VP(}{<7*PcU6bbc_o@q7K=}_GaM%HA6V#lQ}J169u zt@{`yLeuy}J?lwk!)r2DBW+$LK2^pCtFE}Zw5bg`^P!Ab;M;`b4VJDptbZd!7yii- zYCV_Q>uEBu;Z6_6a$TP&t?QRn)OW>^z6B`Ka6>ahN zeimFh+{{~=8CLH5X)w0yq}93%VfCX^X%P*`oMq)fGHH$#-ZeNA=fcSx^uYyThvQOQ vM8xwWR8iw7@*{=_ru2pQagMF`wL^g7@9rE8ctB>@wp_H?-s8Z+Q|t_yK;DnBJQ? zq$)`zR36XU9l#Xb7!_0_)HZlJm0;lme3ZCJ<1WnZ z>@e(nzOOfc3ECbk*e)C&HPjh8vA7AIi0sTaVXS1qP@hIwRLmIc!SLXs!O)jFx0bJwALkn#eP9Gg~38O@=rAVb&iia>!Q9x$p?5zYj;bRbpY4Y6km+@$U2; zZ^q;f22Yu zQ0r);U00yoYJc_cLSR3%WB)=XPQ|lv!Fcu8Z%e5)eZt`wOEbqWh#VeJ%ResEL0Pxtw}s=39LQ%IX-)g2zarQ zgU?aKJ|1dit@L!_m~~@L?66vwk)RWNocGq9mvZIVeDWN5;O_x3ZT;L%<4}Fk>A0GO zdGDt!;5|G(Z3zolMK}fiD#VnRp1&}OYfse{`I4Ut&C#jV)=Dq>%{W3|HO8%!3-6`oBX!1^Iso(_dec` M%pL7wFLUsz(}V)__R%znwlncvqAU^{u+I9 z#s`0ZKg#jmG_-*x4ceJ*n)K|s=bn4-=J%hUzX0GlET^Cc5=rPCfWeg#C~?!po4L%c7uvA3EyEP~=3PKYK3ih&GP4^V zTeqdqc2LC|VF}5VEh88f+i~_?)o|6Jl7iPG(DQBddlDPPI@(TU%~?NH!eKD!?>(2p zhjj*HK`@3ltSW>(XU6m~RkUaqr9jRXLC$7N#WPYN_pobFU+VRVE*i?PEhh=L8O*jDblWsV zm78m_>ehv&T0jPyh2lz_53LxhVG4^yj6I~=*0GSvZ_#HVz(9r0{BH~N(?w%RPsj7H zzyXxUS3n_H0#DAABh-Oyp4M&I_-N?G(*_NXft96R_#8DFt;*NXRfU_hD3bWXG&5>W zHX1Z8EE?raal~Cyp&+l7wag`(u*Ku`bePM2*I#r6g?6}kDVHPof-a|MzC0~B!?h?= zTj$LIm(KZP;j9nB52{u*D0#GN8xIxlxMJ`%s!PI|;w1P<#m&J59nD<~(s(T55c@^h z>FNVbx;L(Ys+_qHQm4{?Ty7t;774MVsR{3d=A_zggb3E-*+ zyAlT*^3(G*AjjKO#;ZW<92a1B|y^UcB} z#Q}?Bt^mFGHk-ou?UFpFzLIH=n^-H2{Goj6;j;VrR@y_+#uhn zw5*y0dNW2@B@jQ-boFh$T2##fEmm+OdTN-3uQmMiB5~C6%~Ysm?Ie#vnCuW3$ZKah zwd*FzWdynO(r$P~6AL(|l{zXe@QQic)bumdYh`wOg)x@Xg>7+sSB4h~IDb=ehvU6o zNStE(7bUf3Yldz`;TC~WHb*m*Y_53+ThVbIziS%vVbfU3@x;lVwA`sS@;IG=iwOFK z<&9fwtK{eTV6%<(Vc7>-MU_h@+eo{@O_T*rwgj_!t#0G9R%unPyBef>NrB04%jNwg 
z%KZ+)`1vLIuFbbnxQkTomkRRpU{>0OAnK1GcX`>Ni(ic|DAru67J*ldAZ!zBuGN6u z!H=&sHqQI|Yi>m$>&B=jZKAqCyA}2tde~aqm-e*qIg3F# zucGh8{UDF)e`wvTt&1@E{f2J7ZhzH#t*X3@H+=s;2IcQk+G~AY2c?Re$9r-1 zSc4pA| zaHKr#qCn0va*iYAo+*KxNAe*o1U`SI@e~)?{6wJBn&6aV*3s1i7LWk@G%mT>hH2GnQn<4i`>V+nIavT zyZyoXRX_*zkxZ4#uZ136du7IF8ZVuIffq_YMZmE@1!E1rj&UWpmQUY+yy6RLVbs5~ sxCIR?)acO?Es&Qr&VX&q6krF5CbWL>y5%NcUGlp~W|eK&`%&2c1|P`Ld;kCd literal 0 HcmV?d00001 diff --git a/classes/com/fasterxml/jackson/databind/json/JsonMapper$Builder.class b/classes/com/fasterxml/jackson/databind/json/JsonMapper$Builder.class new file mode 100644 index 0000000000000000000000000000000000000000..410ded1affd6998a0bb0425d4124dd3981fe1697 GIT binary patch literal 561 zcmb7ByH3L}6g_U!IthW4$I5`j01OQi5^B|fN(fNtQpD~gZsm|Tm7O3yhM!!Wjg-`-zd0i0sTMGI{T%R>iUg5xO9f;rO#R}WblBrLkqxeQ`f zuu#Z2h~|snnk|=Hos}YuxgzKeg%rhzpnY(7OJNh7G>{|}<&_DaO#44n);Nzjfj<$F zPs=Ri>V}1>xp8JbAFsO(ErgmY*6BU1;r*ozro6iFaqyVO0LE!)0%4n`t^0#12u!J7BSn5(nQB(yLAq9j-ElD h>auHMRR(NWSTopyhxHma;Mds0mOed}h?n8NMW(QI#k{FiuM~ZHq|NS2D`E zBBD0U6XSBwAB_JdyM6L8dr0sutG15SX=*fsZ|7kq?+B$;awTcw?P*@_{>e~#=OP?^zfrk Yz{VoiEG!}5=y2yUR+)KoCa?zg9ae&Pc>n+a literal 0 HcmV?d00001 diff --git a/classes/com/fasterxml/jackson/databind/jsontype/BasicPolymorphicTypeValidator$Builder.class b/classes/com/fasterxml/jackson/databind/jsontype/BasicPolymorphicTypeValidator$Builder.class new file mode 100644 index 0000000000000000000000000000000000000000..08ccc7553affcf84b996fb59c10c661b883d84eb GIT binary patch literal 698 zcmb_aOHTqZ5dO+*0TB=%2NMq(58%N)8;l2tMiN952>0%8!D6>1`%w8;dNT3g5Aa7B zr)naJi6?rPZyw)FXQqAsczpwKf}Jul$U4YXkVk=`KI8Y?Ra{TqYi}m}grRUMwM@aU!C}P`NYi-^E6|0Z+Imb>Pm(N)~hBc6coP8>1GXiRQP`ACYs+ zl_aK#4m+t-fruD#T@wg~T3>20NJCFVBkn2kRJl^-p*I<(o=s)&oBiJghe;&$wB72j zw4F9X-m{%C^qMQGO*P9ylSaO{kan(ve;0FXM`S1tM4VijIB~GaaK4fu87e)kMbuS1 zjz!Gi{5%5o;m}X8CkxsD3M5Np?GZA<{Lu^8GbuC*NgMu_Yp9TJsk?->M20<)T;@4s gt)sfcv)O-nMY_CZBdBBJ3me!XEK{a~2DVZ91fBu9H2?qr literal 0 HcmV?d00001 
diff --git a/classes/com/fasterxml/jackson/databind/jsontype/BasicPolymorphicTypeValidator.class b/classes/com/fasterxml/jackson/databind/jsontype/BasicPolymorphicTypeValidator.class new file mode 100644 index 0000000000000000000000000000000000000000..06869a46509c1208f26b8ed4bf64b00a549ee82a GIT binary patch literal 602 zcmb_ZO-sW-5Pj36jZLHV>m+zkJhUFnxhNtn3PM{HOYfUx#f?d}WD~LfN>73Ze}F$q zoK#PO;-Pz(c{BTX^M-l?s*7@La<$8uIM)wfK+g<#D~{DS oU@@fyk8wraS@c+do__FbX0CFthBdS~+ss_YCL?!&9BiTa2|OdE_W%F@ literal 0 HcmV?d00001 diff --git a/classes/com/fasterxml/jackson/databind/jsontype/PolymorphicTypeValidator.class b/classes/com/fasterxml/jackson/databind/jsontype/PolymorphicTypeValidator.class new file mode 100644 index 0000000000000000000000000000000000000000..1164dd8e03e486f32a3c92de78e0f8590509fca0 GIT binary patch literal 262 zcmZ{e!D<3A5QhJ_tE*e3zJLdB+JiY4N+}3EmA0UGpUuXaHJeC`r9PIYLJxfaAF6cL zyEE_)-~7YypZ|V-0o-GdqlF|x+D985fni0TBrUlQ`Bqd~MS;$PaV95!YE3$@Z-R%OOgxygvDU~WKo={sWnLKJy3nMmsmCU4BF}UaIo-+*RLh{RXopXJYj^_|q1L+K z7sC35_MT(Ai7^8Dtqm7s44-mHuLG)#s(17X_CgIwP_|>hA<7o|)LZI4Rf~3vLZ1cmXra{NC=4_F(DX&SeTq(f~z=2Zd$3|iG`^W10R47 zg*bzdD&gVY`MuxS_xbhy0pJvS83qUvgd;?V3Ddb;Nzux#5x3P`)jc6T)1B_m2|+%) zPq0Hcs;v=?wN0x8x5jqj#c88^y;2KNK3mr>2;rrDRD{X3?$piFRLb4Ss%2;V8iWSlxp literal 0 HcmV?d00001 diff --git a/classes/experimental/Security/CWE/CWE-502/UnsafeDeserializationRmi.md b/classes/experimental/Security/CWE/CWE-502/UnsafeDeserializationRmi.md new file mode 100644 index 00000000000..051cd9ff149 --- /dev/null +++ b/classes/experimental/Security/CWE/CWE-502/UnsafeDeserializationRmi.md 
@@ -0,0 +1,75 @@
+# Unsafe deserialization in a remotely callable method.
+Java RMI uses the default Java serialization mechanism (in other words, `ObjectInputStream`) to pass parameters in remote method invocations. This mechanism is known to be unsafe when deserializing untrusted data. If a registered remote object has a method that accepts a complex object, an attacker can take advantage of the unsafe deserialization mechanism. In the worst case, it results in remote code execution.
+
+
+## Recommendation
+Use only strings and primitive types in parameters of remote objects.
+
+Set a filter for incoming serialized data by wrapping remote objects using either `UnicastRemoteObject.exportObject(Remote, int, ObjectInputFilter)` or `UnicastRemoteObject.exportObject(Remote, int, RMIClientSocketFactory, RMIServerSocketFactory, ObjectInputFilter)` methods. Those methods accept an `ObjectInputFilter` that decides which classes are allowed for deserialization. The filter should allow deserializing only safe classes.
+
+It is also possible to set a process-wide deserialization filter. The filter can be set by with `ObjectInputFilter.Config.setSerialFilter(ObjectInputFilter)` method, or by setting system or security property `jdk.serialFilter`. Make sure that you use the latest Java versions that include JEP 290. Please note that the query is not sensitive to this mitigation.
+
+If switching to the latest Java versions is not possible, consider using other implementations of remote procedure calls. For example, HTTP API with JSON. Make sure that the underlying deserialization mechanism is properly configured so that deserialization attacks are not possible.
+
+
+## Example
+The following code registers a remote object with a vulnerable method that accepts a complex object:
+
+
+```java
+public class Server {
+ public void bindRemoteObject(Registry registry) throws Exception {
+ registry.bind("unsafe", new RemoteObjectImpl());
+ }
+}
+
+interface RemoteObject extends Remote {
+ void action(Object obj) throws RemoteException;
+}
+
+class RemoteObjectImpl implements RemoteObject {
+ // ...
+}
+```
+The next example registers a safe remote object whose methods use only primitive types and strings:
+
+
+```java
+public class Server {
+ public void bindRemoteObject(Registry registry) throws Exception {
+ registry.bind("safe", new RemoteObjectImpl());
+ }
+}
+
+interface RemoteObject extends Remote {
+ void calculate(int a, double b) throws RemoteException;
+ void save(String s) throws RemoteException;
+}
+
+class RemoteObjectImpl implements RemoteObject {
+ // ...
+}
+```
+The next example shows how to set a deserilization filter for a remote object:
+
+
+```java
+public void bindRemoteObject(Registry registry, int port) throws Exception {
+ ObjectInputFilter filter = info -> {
+ if (info.serialClass().getCanonicalName().startsWith("com.safe.package.")) {
+ return ObjectInputFilter.Status.ALLOWED;
+ }
+ return ObjectInputFilter.Status.REJECTED;
+ };
+ registry.bind("safer", UnicastRemoteObject.exportObject(new RemoteObjectImpl(), port, filter));
+}
+
+```
+
+## References
+* Oracle: [Remote Method Invocation (RMI)](https://www.oracle.com/java/technologies/javase/remote-method-invocation-home.html).
+* ITNEXT: [Java RMI for pentesters part two - reconnaissance & attack against non-JMX registries](https://itnext.io/java-rmi-for-pentesters-part-two-reconnaissance-attack-against-non-jmx-registries-187a6561314d).
+* MOGWAI LABS: [Attacking Java RMI services after JEP 290](https://mogwailabs.de/en/blog/2019/03/attacking-java-rmi-services-after-jep-290) +* OWASP: [Deserialization of untrusted data](https://www.owasp.org/index.php/Deserialization_of_untrusted_data). +* OpenJDK: [JEP 290: Filter Incoming Serialization Data](https://openjdk.java.net/jeps/290) +* Common Weakness Enumeration: [CWE-502](https://cwe.mitre.org/data/definitions/502.html). diff --git a/classes/org/apache/commons/lang3/math/NumberUtils.class b/classes/org/apache/commons/lang3/math/NumberUtils.class new file mode 100644 index 0000000000000000000000000000000000000000..0b882b6664b303fd7980ed73fb879a1584661df3 GIT binary patch literal 566 zcmaiwzfQw25XQf2ngmKq!=Ell3@p$vkbwymu^=H;s$dAPJHbj*B{6bco{9k`BnBRU zheDibC87#c59jlDzwhkx=hyoOfHU-3Xu$E&Y{P{|2qxl5M1`ob=q8!S)DXP$yvof5 z!Rd$hKGq1K(pe-PMLL#Is>)JT(;v%eR0=bWu4iQ;^_|I!DWQ3(9webV$}2f9+=`@N zrJZUi%t9j^_D8>0$42K>HVA9d+&dt2=DuNNWF|G?XoYbBveP#z9xKfw_5Sk21lK6W z|EUiNtys-;Dz9=oKv0|W#J(K|@cB3Ga>32uaa`xqKJR4J<2TSNC)|mnEdvfC8)$QG r(LLU++MpMXb*{pNSp&BJ6$xjf!q- literal 0 HcmV?d00001 diff --git a/classes/org/springframework/boot/SpringBootConfiguration.class b/classes/org/springframework/boot/SpringBootConfiguration.class new file mode 100644 index 0000000000000000000000000000000000000000..487e44f43cc0b7d3cd52fcd2237625fd98795577 GIT binary patch literal 424 zcmZ{gPfNo<5XIlrw$b`8S5Xl>cyv7p(vy`6LP4=X5Ko&h4O`RQve`uaY99OmekgG) zVin?Hb{{_;^O*Pk@%jef3~_`O;l%k|m2+=wKJj|SPtHH8)VZL>3pfyY;q1iZmDj;I z8=*~zr@Gdv&^A}s>6Eh&p-VVeQf;jZ3%@%5k%ZpZRX*cOQ!rugpM>MDHH4kp$_6vz zJ5!pp;N_Z>yO0>^8^a-6>7nMXDHv5JJ&)A0KWzJ%5C-*l)!tQt8m8}~RPe)Bf wWzGhE4(ivrf6D3~5eO?X9qAmRB6(X_#hU!F@Se>21BkJKO>7D63fTre0Z7-z<#6u z*{_Mf-hE-bUeJTib(B(Vk_#M88V7~SCFBPJol>O*4>)PojZ#{W@!@+$EN+L7cO!x0 zX6@L#kkg)?S$VKrX>7`drOqe+rdq%AdYNsN%-~c&V1=v0p94k#pDnCnjqhDXJ?^bP RK@c{ui7jTgxw_2ufgj5kkGB8- literal 0 HcmV?d00001 
diff --git a/classes/org/springframework/context/annotation/Bean.class b/classes/org/springframework/context/annotation/Bean.class new file mode 100644 index 0000000000000000000000000000000000000000..11d8cbe57c0eda7dd4b6d214d6766b273ecc8194 GIT binary patch literal 394 zcmZut%Syvg5IxgZY<;v9x^N+a3sD5K7FUr*6f_YV1j#~f!!)F(Hzm2L`fD!y06$8c zxG-I~m@~}GIcJ9X`u_L?aE@II4Z>-b$9A#I6CKZTwcyt*f3c%X8-6pk(mFHBB$>7^ zS!oL`!eFje%1)JzZGSrF$XMtQ4(jfj$obO~T3Xx*qvMnCwkA(ZwfTZDthr;JsWLT$ z-XtsYh_8}Vgx%_bvr0+WdnmO@7W|kL$u#9!S`hZv+}BPCR35XDMeUVJOYuAWpXa8$ zU~Pi;B@4N8=LXmQn9z4T&kvm7#`m6sr+fE^Kxj&|<(DLHv9KXkSE^Y5PcI9&%_TxItvjjQo2nVNhK01K{1CQR-0q8Y_c~S_V%LwHH-X!{3vmg z!YHJ8GtA?Cz^uQ&Rse2rmZ3oy_+V7E2v*EA=#t-kn5)7|tp2FY3cczzGIW0y#PG(%h42Oiv9s9?9`x`{)jC~ynzPFAEy??pa8#Cejxt3^4ezBFE zINq5n!o|bhf?Nl~aY$$_wX0L`)qdT`amf<%&jlxOGk<*=^$CQ7gjRYB&_K4GM`)+r OO?)Te_zlE3!RZebGF`6# literal 0 HcmV?d00001 diff --git a/classes/org/springframework/remoting/caucho/HessianExporter.class b/classes/org/springframework/remoting/caucho/HessianExporter.class new file mode 100644 index 0000000000000000000000000000000000000000..895808a97e438959d1db74dc2a414a65d6474f48 GIT binary patch literal 400 zcmaivy-ve06orpT(?BS+h%zuRu(b?$U_wPK6$qpXhNA9HaDz)?SGH4lEhZ!e9)O2J zT$ce<1}yphemXk$bE24;2!79Ivx1~x_py&Z2l(6$?edO7GcqTGQ?(Wj0;KxAG)-@Bw@% zaZ-f}q6RXbzx*@I+xyEa035=43=0rMP-{R4bpfZAhO(THHp2m_0`D!2C1GJ5S0oi$ zUi$<)rm~rG+L|7cR=IxU{@KICl0y}rFT(;`K>QEASVxJ36w3)pIPN2*dXS3L7oI>O8ywfh1#=1|A* zoCB5d)6MU6lB=?u!Ew({DZ_K^<#&G{>cD>mdl2y={Ru$$RkB^;Y=^yIAMQVcc;bLZ gW$W9Y=rS}o_UJZWFYyBl8CZeU|FDRG=1gPl1IImd7ytkO literal 0 HcmV?d00001 
diff --git a/classes/org/springframework/remoting/rmi/RemoteInvocationSerializingExporter.class b/classes/org/springframework/remoting/rmi/RemoteInvocationSerializingExporter.class new file mode 100644 index 0000000000000000000000000000000000000000..f8364071e68f8ab9a23131d5faa71910056fc993 GIT binary patch literal 277 zcma)%K}rKb5Ji7yCYd-!^a3v2C0W>OLEIPxK@^O*@0pZC#hLCp zIe}I1i&r0t`rF^{9{^`KDA7Y!ARnQRfx*$zZJceLZ|r@wq&gZ5&e?OkFv!M}rvgKR zS&+uQu7rK_EUu%sATL&^3sE;#I<^l9=*DkC?IH(1Ct=s}hx%9Vt00lYAioR?GB~_t zPj~CCB6)OGtDABj)>6|oCm8?Z)@k}WKS7~kQW7OLrS;fI<_u% z1_lId<4F&f*{D91l>>!+Zh)H1e=A0f#us!>R-{vqY_5LBnX? literal 0 HcmV?d00001 diff --git a/classes/org/springframework/remoting/rmi/RmiServiceExporter.class b/classes/org/springframework/remoting/rmi/RmiServiceExporter.class new file mode 100644 index 0000000000000000000000000000000000000000..08ce93604f204bb11811759e43684c2cb4b2cac1 GIT binary patch literal 276 zcmX^0Z`VEs1_nz8UM>bE24;2!79Ivx1~x_p!~CLj{o;b6%)IopqQuB&W@ literal 0 HcmV?d00001 diff --git a/java/ql/src/experimental/Security/CWE/CWE-208/CWE-208.testproj/codeql-database.yml b/java/ql/src/experimental/Security/CWE/CWE-208/CWE-208.testproj/codeql-database.yml new file mode 100644 index 00000000000..bf3cd82ec1e --- /dev/null +++ b/java/ql/src/experimental/Security/CWE/CWE-208/CWE-208.testproj/codeql-database.yml 
@@ -0,0 +1,28 @@ +--- +sourceLocationPrefix: "/media/i504100/Artem_Flash_1T/codeql-bounties/codeql-repo/java/ql/src" +unicodeNewlines: false +columnKind: "utf16" +primaryLanguage: "java" +inProgress: + primaryLanguage: "java" + installedExtractors: + cpp: + - "file:///media/i504100/Artem_Flash_1T/codeql-bounties/codeql-cli/cpp/" + csharp: + - "file:///media/i504100/Artem_Flash_1T/codeql-bounties/codeql-cli/csharp/" + csv: + - "file:///media/i504100/Artem_Flash_1T/codeql-bounties/codeql-cli/csv/" + go: + - "file:///media/i504100/Artem_Flash_1T/codeql-bounties/codeql-cli/go/" + html: + - "file:///media/i504100/Artem_Flash_1T/codeql-bounties/codeql-cli/html/" + java: + - "file:///media/i504100/Artem_Flash_1T/codeql-bounties/codeql-cli/java/" + javascript: + - "file:///media/i504100/Artem_Flash_1T/codeql-bounties/codeql-cli/javascript/" + properties: + - "file:///media/i504100/Artem_Flash_1T/codeql-bounties/codeql-cli/properties/" + python: + - "file:///media/i504100/Artem_Flash_1T/codeql-bounties/codeql-cli/python/" + xml: + - "file:///media/i504100/Artem_Flash_1T/codeql-bounties/codeql-cli/xml/" diff --git a/java/ql/src/experimental/Security/CWE/CWE-208/CWE-208.testproj/log/javac-errors.log b/java/ql/src/experimental/Security/CWE/CWE-208/CWE-208.testproj/log/javac-errors.log new file mode 100644 index 00000000000..09b089bd1c9 --- /dev/null +++ b/java/ql/src/experimental/Security/CWE/CWE-208/CWE-208.testproj/log/javac-errors.log @@ -0,0 +1 @@ +[2021-06-14 08:53:54] [javac-extractor-9926] [ERROR] 10 errors were reported by javac. diff --git a/java/ql/src/experimental/Security/CWE/CWE-208/CWE-208.testproj/log/javac-extractor-9926.log b/java/ql/src/experimental/Security/CWE/CWE-208/CWE-208.testproj/log/javac-extractor-9926.log new file mode 100644 index 00000000000..dce041fac87 --- /dev/null +++ b/java/ql/src/experimental/Security/CWE/CWE-208/CWE-208.testproj/log/javac-extractor-9926.log 
@@ -0,0 +1,9 @@ +[2021-06-14 08:53:53] [javac-extractor-9926] Starting extraction for: + sun.java.command=com.semmle.extractor.java.JavaExtractor --javacOptions -source 8 --strict-javac-errors --encoding UTF-8 --files SafeMacComparison.java UnsafeMacComparison.java + user.dir=/media/i504100/Artem_Flash_1T/codeql-bounties/codeql-repo/java/ql/src/experimental/Security/CWE/CWE-208 +[2021-06-14 08:53:54] [javac-extractor-9926] Javac init time: 0.6s +[2021-06-14 08:53:54] [javac-extractor-9926] Javac attr time: 0.0s +[2021-06-14 08:53:54] [javac-extractor-9926] Extractor time: 0.0s +[2021-06-14 08:53:54] [javac-extractor-9926] Other time: 0.2s +[2021-06-14 08:53:54] [javac-extractor-9926] Total time: 0.7s +[2021-06-14 08:53:54] [javac-extractor-9926] [ERROR] 10 errors were reported by javac. diff --git a/java/ql/src/experimental/Security/CWE/CWE-208/CWE-208.testproj/log/javac-output-9926.log b/java/ql/src/experimental/Security/CWE/CWE-208/CWE-208.testproj/log/javac-output-9926.log new file mode 100644 index 00000000000..9139106f478 --- /dev/null +++ b/java/ql/src/experimental/Security/CWE/CWE-208/CWE-208.testproj/log/javac-output-9926.log 
@@ -0,0 +1,31 @@ +[2021-06-14 08:53:53] [javac-output-9926] warning: [options] bootstrap class path not set in conjunction with -source 8 +[2021-06-14 08:53:53] [javac-output-9926] SafeMacComparison.java:1: error: class, interface, or enum expected +[2021-06-14 08:53:53] [javac-output-9926] public boolean check(byte[] expected, byte[] data, SecretKey key) throws Exception { +[2021-06-14 08:53:53] [javac-output-9926] ^ +[2021-06-14 08:53:53] [javac-output-9926] SafeMacComparison.java:3: error: class, interface, or enum expected +[2021-06-14 08:53:53] [javac-output-9926] mac.init(new SecretKeySpec(key.getEncoded(), "HmacSHA256")); +[2021-06-14 08:53:53] [javac-output-9926] ^ +[2021-06-14 08:53:53] [javac-output-9926] SafeMacComparison.java:4: error: class, interface, or enum expected +[2021-06-14 08:53:53] [javac-output-9926] byte[] actual = mac.doFinal(data); +[2021-06-14 08:53:53] [javac-output-9926] ^ +[2021-06-14 08:53:53] [javac-output-9926] SafeMacComparison.java:5: error: class, interface, or enum expected +[2021-06-14 08:53:53] [javac-output-9926] return MessageDigest.isEqual(expected, actual); +[2021-06-14 08:53:53] [javac-output-9926] ^ +[2021-06-14 08:53:53] [javac-output-9926] SafeMacComparison.java:6: error: class, interface, or enum expected +[2021-06-14 08:53:53] [javac-output-9926] } +[2021-06-14 08:53:53] [javac-output-9926] ^ +[2021-06-14 08:53:53] [javac-output-9926] UnsafeMacComparison.java:1: error: class, interface, or enum expected +[2021-06-14 08:53:53] [javac-output-9926] public boolean check(byte[] expected, byte[] data, SecretKey key) throws Exception { +[2021-06-14 08:53:53] [javac-output-9926] ^ +[2021-06-14 08:53:53] [javac-output-9926] UnsafeMacComparison.java:3: error: class, interface, or enum expected +[2021-06-14 08:53:53] [javac-output-9926] mac.init(new SecretKeySpec(key.getEncoded(), "HmacSHA256")); +[2021-06-14 08:53:53] [javac-output-9926] ^ +[2021-06-14 08:53:53] [javac-output-9926] UnsafeMacComparison.java:4: error: class, 
interface, or enum expected +[2021-06-14 08:53:53] [javac-output-9926] byte[] actual = mac.doFinal(data); +[2021-06-14 08:53:53] [javac-output-9926] ^ +[2021-06-14 08:53:53] [javac-output-9926] UnsafeMacComparison.java:5: error: class, interface, or enum expected +[2021-06-14 08:53:53] [javac-output-9926] return Arrays.equals(expected, actual); +[2021-06-14 08:53:53] [javac-output-9926] ^ +[2021-06-14 08:53:53] [javac-output-9926] UnsafeMacComparison.java:6: error: class, interface, or enum expected +[2021-06-14 08:53:53] [javac-output-9926] } +[2021-06-14 08:53:53] [javac-output-9926] ^ 
diff --git a/java/ql/src/experimental/Security/CWE/CWE-208/CWE-208.testproj/trap/java/diagnostics/diagnostic.trap.gz b/java/ql/src/experimental/Security/CWE/CWE-208/CWE-208.testproj/trap/java/diagnostics/diagnostic.trap.gz new file mode 100644 index 0000000000000000000000000000000000000000..a2dcf3f461985ffcfc10d905f4397f25a13fa8b5 GIT binary patch literal 663 zcmV;I0%-joiwFP!00000|GigTZ`&Xgeech3UpC1f;P0rKw5eL(raiP%A0y_Fl*+Lk zpwqTrzl*VxbOE9$aUwa`oXfrETw}Q0Vg$cWpS@^J7mP$KLn(AcU$~^}`9n>_%N##N zRlA^@I{4YXHIh*=K6Bc&(JT2yqD>tMUPbhGM>$*5Mv^*uq}3Z|@=tXC{8e2+jLNYM zB^9#c?Q0}C>9h}sziL_`Sta)FLuC-I{(3i6yY5&`Bx@V-;kGC4UyHZ*aX9j)4BGXAls@Xl>4l1)rRGP(QQ-}ji?;ZzT`K5H3rQ{cq0_@fQK)SdDX*1#C0)&C= zW}D#hY_4Xa<+()1<$B;bJBO#4;_M8Hz;6FZlf)-ijz(hm)H-fQX4^9mI$9!_2^`zM zA>e-1Q~=sRh|^HA(NuWTJj#@YMhh6D=ZaU;NR7(*d) xTEt+Hm1vgYB2S!_$x&bFp~aFlOuW#=_9Pjqt4PZtOUn! action) throws Exception { + try (ServerSocket serverSocket = new ServerSocket(0)) { + try (Socket socket = serverSocket.accept()) { + byte[] bytes = new byte[1024]; + int n = socket.getInputStream().read(bytes); + String jexlExpr = new String(bytes, 0, n); + action.run(jexlExpr); + } + } + } +} + +interface Action { + void run(T object) throws Exception; +} + +abstract class PhoneNumber implements Serializable { + public int areaCode; + public int local; +} + +class DomesticNumber extends PhoneNumber { +} + +class InternationalNumber extends PhoneNumber { + public int countryCode; +} + +class Employee extends Person { +} + +class Person { + public String name; + public int age; + + // this annotation enables polymorphic type handling + @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) + public Object phone; +} + +class Task { + public Person assignee; +} + +class Tag implements Serializable { + public String title; +} + +class Cat { + public String name; + public Serializable tag; +} + +class UnsafePersonDeserialization { + + // BAD: Person has a field with an annotation that enables polymorphic type + // handling + private static void 
testUnsafeDeserialization() throws Exception { + JacksonTest.withSocket(string -> { + ObjectMapper mapper = new ObjectMapper(); + mapper.readValue(string, Person.class); + }); + } + + // BAD: Employee extends Person that has a field with an annotation that enables + // polymorphic type handling + private static void testUnsafeDeserializationWithExtendedClass() throws Exception { + JacksonTest.withSocket(string -> { + ObjectMapper mapper = new ObjectMapper(); + mapper.readValue(string, Employee.class); + }); + } + + // BAD: Task has a Person field that has a field with an annotation that enables + // polymorphic type handling + private static void testUnsafeDeserializationWithWrapper() throws Exception { + JacksonTest.withSocket(string -> { + ObjectMapper mapper = new ObjectMapper(); + mapper.readValue(string, Task.class); + }); + } +} + +class SaferPersonDeserialization { + + // GOOD: Despite enabled polymorphic type handling, this is safe because ObjectMapper + // has a validator + private static void testSafeDeserializationWithValidator() throws Exception { + JacksonTest.withSocket(string -> { + PolymorphicTypeValidator ptv = + BasicPolymorphicTypeValidator.builder() + .allowIfSubType("only.allowed.package") + .build(); + + ObjectMapper mapper = new ObjectMapper(); + mapper.setPolymorphicTypeValidator(ptv); + + mapper.readValue(string, Person.class); + }); + } + + // GOOD: Despite enabled polymorphic type handling, this is safe because ObjectMapper + // has a validator + private static void testSafeDeserializationWithValidatorAndBuilder() throws Exception { + JacksonTest.withSocket(string -> { + PolymorphicTypeValidator ptv = + BasicPolymorphicTypeValidator.builder() + .allowIfSubType("only.allowed.package") + .build(); + + ObjectMapper mapper = JsonMapper.builder() + .polymorphicTypeValidator(ptv) + .build(); + + mapper.readValue(string, Person.class); + }); + } +} + +class UnsafeCatDeserialization { + + // BAD: deserializing untrusted input while polymorphic 
type handling is on + private static void testUnsafeDeserialization() throws Exception { + JacksonTest.withSocket(string -> { + ObjectMapper mapper = new ObjectMapper(); + mapper.enableDefaultTyping(); // this enables polymorphic type handling + mapper.readValue(string, Cat.class); + }); + } + + // BAD: deserializing untrusted input while polymorphic type handling is on + private static void testUnsafeDeserializationWithObjectMapperReadValues() throws Exception { + JacksonTest.withSocket(string -> { + ObjectMapper mapper = new ObjectMapper(); + mapper.enableDefaultTyping(); + mapper.readValues(new JsonFactory().createParser(string), Cat.class).readAll(); + }); + } + + // BAD: deserializing untrusted input while polymorphic type handling is on + private static void testUnsafeDeserializationWithObjectMapperTreeToValue() throws Exception { + JacksonTest.withSocket(string -> { + ObjectMapper mapper = new ObjectMapper(); + mapper.enableDefaultTyping(); + mapper.treeToValue(mapper.readTree(string), Cat.class); + }); + } + + // BAD: an attacker can control both data and type of deserialized object + private static void testUnsafeDeserializationWithUnsafeClass() throws Exception { + JacksonTest.withSocket(input -> { + String[] parts = input.split(";"); + String data = parts[0]; + String type = parts[1]; + Class clazz = Class.forName(type); + ObjectMapper mapper = new ObjectMapper(); + mapper.readValue(data, clazz); + }); + } +} + +class SaferCatDeserialization { + + // GOOD: Despite enabled polymorphic type handling, this is safe because ObjectMapper + // has a validator + private static void testUnsafeDeserialization() throws Exception { + JacksonTest.withSocket(string -> { + PolymorphicTypeValidator ptv = + BasicPolymorphicTypeValidator.builder() + .allowIfSubType("only.allowed.pachage") + .build(); + + ObjectMapper mapper = JsonMapper.builder().polymorphicTypeValidator(ptv).build(); + mapper.enableDefaultTyping(); // this enables polymorphic type handling + + 
mapper.readValue(string, Cat.class); + }); + } +} \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-502/UnsafeDeserialization.expected b/java/ql/test/query-tests/security/CWE-502/UnsafeDeserialization.expected index 7b02131cd73..dd220266013 100644 --- a/java/ql/test/query-tests/security/CWE-502/UnsafeDeserialization.expected +++ b/java/ql/test/query-tests/security/CWE-502/UnsafeDeserialization.expected 
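Review bot: The `SaferCatDeserialization` case at the end of JacksonTest.java is commented GOOD but is still named `testUnsafeDeserialization`, and its allow-list prefix is spelled `"only.allowed.pachage"`; I would rename it to `testSafeDeserializationWithValidator` and use the same prefix as the other GOOD cases. The stub declares the argument of `allowIfSubType` as `prefixForSubType`, so the value is matched as a name prefix; ending it with a dot in all three safe cases, `.allowIfSubType("only.allowed.package.")`, keeps the fixtures from modelling an allow-list that also admits sibling packages whose names merely begin with the same characters. In `withSocket`, the result of `read(bytes)` goes straight into `new String(bytes, 0, n)`, so a guard such as `if (n < 0) return;` is needed for a peer that closes without sending, and the local name `jexlExpr` looks left over from another test. The first lines of this file's hunk are not readable on the page, so the imports and the `withSocket` signature were not reviewed.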
@@ -80,6 +80,22 @@ edges | C.java:85:29:85:68 | new ByteArrayInputStream(...) : ByteArrayInputStream | C.java:87:3:87:13 | burlapInput | | C.java:85:29:85:68 | new ByteArrayInputStream(...) : ByteArrayInputStream | C.java:91:3:91:14 | burlapInput1 | | C.java:85:54:85:67 | serializedData : byte[] | C.java:85:29:85:68 | new ByteArrayInputStream(...) : ByteArrayInputStream | +| JacksonTest.java:19:25:19:47 | getInputStream(...) : InputStream | JacksonTest.java:19:54:19:58 | bytes [post update] : byte[] | +| JacksonTest.java:19:54:19:58 | bytes [post update] : byte[] | JacksonTest.java:21:28:21:35 | jexlExpr : String | +| JacksonTest.java:21:28:21:35 | jexlExpr : String | JacksonTest.java:73:32:73:37 | string : String | +| JacksonTest.java:21:28:21:35 | jexlExpr : String | JacksonTest.java:82:32:82:37 | string : String | +| JacksonTest.java:21:28:21:35 | jexlExpr : String | JacksonTest.java:91:32:91:37 | string : String | +| JacksonTest.java:21:28:21:35 | jexlExpr : String | JacksonTest.java:138:32:138:37 | string : String | +| JacksonTest.java:21:28:21:35 | jexlExpr : String | JacksonTest.java:147:32:147:37 | string : String | +| JacksonTest.java:21:28:21:35 | jexlExpr : String | JacksonTest.java:156:32:156:37 | string : String | +| JacksonTest.java:21:28:21:35 | jexlExpr : String | JacksonTest.java:165:32:165:36 | input : String | +| JacksonTest.java:73:32:73:37 | string : String | JacksonTest.java:75:30:75:35 | string | +| JacksonTest.java:82:32:82:37 | string : String | JacksonTest.java:84:30:84:35 | string | +| JacksonTest.java:91:32:91:37 | string : String | JacksonTest.java:93:30:93:35 | string | +| JacksonTest.java:138:32:138:37 | string : String | JacksonTest.java:141:30:141:35 | string | +| JacksonTest.java:147:32:147:37 | string : String | JacksonTest.java:150:31:150:68 | createParser(...) | +| JacksonTest.java:156:32:156:37 | string : String | JacksonTest.java:159:32:159:54 | readTree(...) 
| +| JacksonTest.java:165:32:165:36 | input : String | JacksonTest.java:171:30:171:33 | data | | TestMessageBodyReader.java:20:55:20:78 | entityStream : InputStream | TestMessageBodyReader.java:22:18:22:52 | new ObjectInputStream(...) | | TestMessageBodyReader.java:20:55:20:78 | entityStream : InputStream | TestMessageBodyReader.java:22:40:22:51 | entityStream : InputStream | | TestMessageBodyReader.java:22:40:22:51 | entityStream : InputStream | TestMessageBodyReader.java:22:18:22:52 | new ObjectInputStream(...) | 
@@ -176,6 +192,23 @@ nodes | C.java:85:54:85:67 | serializedData : byte[] | semmle.label | serializedData : byte[] | | C.java:87:3:87:13 | burlapInput | semmle.label | burlapInput | | C.java:91:3:91:14 | burlapInput1 | semmle.label | burlapInput1 | +| JacksonTest.java:19:25:19:47 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| JacksonTest.java:19:54:19:58 | bytes [post update] : byte[] | semmle.label | bytes [post update] : byte[] | +| JacksonTest.java:21:28:21:35 | jexlExpr : String | semmle.label | jexlExpr : String | +| JacksonTest.java:73:32:73:37 | string : String | semmle.label | string : String | +| JacksonTest.java:75:30:75:35 | string | semmle.label | string | +| JacksonTest.java:82:32:82:37 | string : String | semmle.label | string : String | +| JacksonTest.java:84:30:84:35 | string | semmle.label | string | +| JacksonTest.java:91:32:91:37 | string : String | semmle.label | string : String | +| JacksonTest.java:93:30:93:35 | string | semmle.label | string | +| JacksonTest.java:138:32:138:37 | string : String | semmle.label | string : String | +| JacksonTest.java:141:30:141:35 | string | semmle.label | string | +| JacksonTest.java:147:32:147:37 | string : String | semmle.label | string : String | +| JacksonTest.java:150:31:150:68 | createParser(...) | semmle.label | createParser(...) | +| JacksonTest.java:156:32:156:37 | string : String | semmle.label | string : String | +| JacksonTest.java:159:32:159:54 | readTree(...) | semmle.label | readTree(...) | +| JacksonTest.java:165:32:165:36 | input : String | semmle.label | input : String | +| JacksonTest.java:171:30:171:33 | data | semmle.label | data | | TestMessageBodyReader.java:20:55:20:78 | entityStream : InputStream | semmle.label | entityStream : InputStream | | TestMessageBodyReader.java:22:18:22:52 | new ObjectInputStream(...) | semmle.label | new ObjectInputStream(...) 
| | TestMessageBodyReader.java:22:40:22:51 | entityStream : InputStream | semmle.label | entityStream : InputStream | 
@@ -226,4 +259,11 @@ nodes | C.java:79:3:79:72 | unmarshal(...) | C.java:79:43:79:70 | getParameter(...) : String | C.java:79:26:79:71 | new StringReader(...) | Unsafe deserialization of $@. | C.java:79:43:79:70 | getParameter(...) | user input | | C.java:87:3:87:26 | readObject(...) | C.java:84:27:84:54 | getParameter(...) : String | C.java:87:3:87:13 | burlapInput | Unsafe deserialization of $@. | C.java:84:27:84:54 | getParameter(...) | user input | | C.java:91:3:91:27 | readObject(...) | C.java:84:27:84:54 | getParameter(...) : String | C.java:91:3:91:14 | burlapInput1 | Unsafe deserialization of $@. | C.java:84:27:84:54 | getParameter(...) | user input | +| JacksonTest.java:75:13:75:50 | readValue(...) | JacksonTest.java:19:25:19:47 | getInputStream(...) : InputStream | JacksonTest.java:75:30:75:35 | string | Unsafe deserialization of $@. | JacksonTest.java:19:25:19:47 | getInputStream(...) | user input | +| JacksonTest.java:84:13:84:52 | readValue(...) | JacksonTest.java:19:25:19:47 | getInputStream(...) : InputStream | JacksonTest.java:84:30:84:35 | string | Unsafe deserialization of $@. | JacksonTest.java:19:25:19:47 | getInputStream(...) | user input | +| JacksonTest.java:93:13:93:48 | readValue(...) | JacksonTest.java:19:25:19:47 | getInputStream(...) : InputStream | JacksonTest.java:93:30:93:35 | string | Unsafe deserialization of $@. | JacksonTest.java:19:25:19:47 | getInputStream(...) | user input | +| JacksonTest.java:141:13:141:47 | readValue(...) | JacksonTest.java:19:25:19:47 | getInputStream(...) : InputStream | JacksonTest.java:141:30:141:35 | string | Unsafe deserialization of $@. | JacksonTest.java:19:25:19:47 | getInputStream(...) | user input | +| JacksonTest.java:150:13:150:80 | readValues(...) | JacksonTest.java:19:25:19:47 | getInputStream(...) : InputStream | JacksonTest.java:150:31:150:68 | createParser(...) | Unsafe deserialization of $@. | JacksonTest.java:19:25:19:47 | getInputStream(...) 
| user input | +| JacksonTest.java:159:13:159:66 | treeToValue(...) | JacksonTest.java:19:25:19:47 | getInputStream(...) : InputStream | JacksonTest.java:159:32:159:54 | readTree(...) | Unsafe deserialization of $@. | JacksonTest.java:19:25:19:47 | getInputStream(...) | user input | +| JacksonTest.java:171:13:171:41 | readValue(...) | JacksonTest.java:19:25:19:47 | getInputStream(...) : InputStream | JacksonTest.java:171:30:171:33 | data | Unsafe deserialization of $@. | JacksonTest.java:19:25:19:47 | getInputStream(...) | user input | | TestMessageBodyReader.java:22:18:22:65 | readObject(...) | TestMessageBodyReader.java:20:55:20:78 | entityStream : InputStream | TestMessageBodyReader.java:22:18:22:52 | new ObjectInputStream(...) | Unsafe deserialization of $@. | TestMessageBodyReader.java:20:55:20:78 | entityStream | user input | diff --git a/java/ql/test/query-tests/security/CWE-502/options b/java/ql/test/query-tests/security/CWE-502/options index 03027487dce..fc5cac9e843 100644 --- a/java/ql/test/query-tests/security/CWE-502/options +++ b/java/ql/test/query-tests/security/CWE-502/options 
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/snakeyaml-1.21:${testdir}/../../../stubs/xstream-1.4.10:${testdir}/../../../stubs/kryo-4.0.2:${testdir}/../../../stubs/jsr311-api-1.1.1:${testdir}/../../../stubs/fastjson-1.2.74:${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/jyaml-1.3:${testdir}/../../../stubs/json-io-4.10.0:${testdir}/../../../stubs/yamlbeans-1.09:${testdir}/../../../stubs/hessian-4.0.38:${testdir}/../../../stubs/castor-1.4.1
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/snakeyaml-1.21:${testdir}/../../../stubs/xstream-1.4.10:${testdir}/../../../stubs/kryo-4.0.2:${testdir}/../../../stubs/jsr311-api-1.1.1:${testdir}/../../../stubs/fastjson-1.2.74:${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/jyaml-1.3:${testdir}/../../../stubs/json-io-4.10.0:${testdir}/../../../stubs/yamlbeans-1.09:${testdir}/../../../stubs/hessian-4.0.38:${testdir}/../../../stubs/castor-1.4.1:${testdir}/../../../stubs/jackson-databind-2.10
diff --git a/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/annotation/JsonTypeInfo.java b/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/annotation/JsonTypeInfo.java
new file mode 100644
index 00000000000..605c313607e
--- /dev/null
+++ b/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/annotation/JsonTypeInfo.java
@@ -0,0 +1,27 @@ +package com.fasterxml.jackson.annotation; + +import java.lang.annotation.ElementType; +import java.lang.annotation.Retention; +import java.lang.annotation.RetentionPolicy; +import java.lang.annotation.Target; + +@Target({ElementType.ANNOTATION_TYPE, ElementType.TYPE, ElementType.FIELD, ElementType.METHOD, ElementType.PARAMETER}) +@Retention(RetentionPolicy.RUNTIME) +public @interface JsonTypeInfo { + JsonTypeInfo.Id use(); + + public static enum Id { + CLASS("@class"), + MINIMAL_CLASS("@c"); + + private final String _defaultPropertyName; + + private Id(String defProp) { + this._defaultPropertyName = defProp; + } + + public String getDefaultPropertyName() { + return this._defaultPropertyName; + } + } +} diff --git a/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/core/JsonFactory.java b/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/core/JsonFactory.java index 06f71ab187d..12696cd4397 100644 --- a/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/core/JsonFactory.java +++ b/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/core/JsonFactory.java @@ -9,4 +9,8 @@ public class JsonFactory { public JsonGenerator createGenerator(Writer writer) { return new JsonGenerator(); } + + public JsonParser createParser(String content) { + return null; + } } diff --git a/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/core/JsonParser.java b/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/core/JsonParser.java new file mode 100644 index 00000000000..2c5527d50ab --- /dev/null +++ b/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/core/JsonParser.java @@ -0,0 +1,3 @@ +package com.fasterxml.jackson.core; + +public abstract class JsonParser {} diff --git a/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/core/TreeNode.java b/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/core/TreeNode.java new file mode 100644 index 00000000000..0d89838457a 
--- /dev/null +++ b/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/core/TreeNode.java @@ -0,0 +1,3 @@ +package com.fasterxml.jackson.core; + +public interface TreeNode {} diff --git a/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/JsonNode.java b/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/JsonNode.java index b04572cd4da..06602e943f5 100644 --- a/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/JsonNode.java +++ b/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/JsonNode.java @@ -1,8 +1,8 @@ package com.fasterxml.jackson.databind; import java.util.*; +import com.fasterxml.jackson.core.TreeNode; -public abstract class JsonNode implements Iterable { - public JsonNode() { - } +public abstract class JsonNode implements TreeNode, Iterable { + public JsonNode() {} } diff --git a/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/MappingIterator.java b/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/MappingIterator.java index ac427ef01c9..929676e6456 100644 --- a/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/MappingIterator.java +++ b/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/MappingIterator.java @@ -25,4 +25,8 @@ public class MappingIterator implements Iterator, Closeable { public void close() throws IOException { } + + public List readAll() { + return null; + } } diff --git a/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/ObjectMapper.java b/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/ObjectMapper.java index 71dc99a351d..ed17a18935e 100644 --- a/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/ObjectMapper.java +++ b/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/ObjectMapper.java 
@@ -1,5 +1,8 @@
 package com.fasterxml.jackson.databind;
+import com.fasterxml.jackson.core.JsonParser;
+import com.fasterxml.jackson.core.TreeNode;
+import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;
 import java.io.*;
 import java.util.*;
@@ -38,4 +41,28 @@ public class ObjectMapper {
 public T convertValue(Object fromValue, Class toValueType) throws IllegalArgumentException {
 return null;
 }
+
+ public ObjectMapper setPolymorphicTypeValidator(PolymorphicTypeValidator ptv) {
+ return null;
+ }
+
+ public ObjectMapper enableDefaultTyping() {
+ return null;
+ }
+
+ public T readValue(String content, Class valueType) {
+ return null;
+ }
+
+ public MappingIterator readValues(JsonParser p, Class valueType) {
+ return null;
+ }
+
+ public T treeToValue(TreeNode n, Class valueType) {
+ return null;
+ }
+
+ public JsonNode readTree(String content) {
+ return null;
+ }
 }
diff --git a/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/cfg/MapperBuilder.java b/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/cfg/MapperBuilder.java
new file mode 100644
index 00000000000..db2c24c4362
--- /dev/null
+++ b/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/cfg/MapperBuilder.java
@@ -0,0 +1,9 @@
+package com.fasterxml.jackson.databind.cfg;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;
+
+public abstract class MapperBuilder> {
+ public M build() { return null; }
+ public B polymorphicTypeValidator(PolymorphicTypeValidator ptv) { return null; }
+}
diff --git a/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/json/JsonMapper.java b/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/json/JsonMapper.java
new file mode 100644
index 00000000000..adec92a9210
--- /dev/null
+++ b/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/json/JsonMapper.java
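Review bot: In the second ObjectMapper.java hunk, `enableDefaultTyping()` is stubbed without `@Deprecated` and without its 2.10 replacement, so tests built on this stub can only exercise the legacy, validator-less call. Since the stub directory targets jackson-databind 2.10 and the hunk already adds `setPolymorphicTypeValidator`, I would annotate the legacy method with `@Deprecated` and add `public ObjectMapper activateDefaultTyping(PolymorphicTypeValidator ptv) { return null; }`, so that default typing paired with a validator can be covered too. Whether the query models that method is not visible on this page. The `ObjectMapper` class body starts outside the hunk.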
@@ -0,0 +1,9 @@
+package com.fasterxml.jackson.databind.json;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.cfg.MapperBuilder;
+
+public class JsonMapper extends ObjectMapper {
+ public static JsonMapper.Builder builder() { return null; }
+ public static class Builder extends MapperBuilder {}
+}
\ No newline at end of file
diff --git a/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/jsontype/BasicPolymorphicTypeValidator.java b/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/jsontype/BasicPolymorphicTypeValidator.java
new file mode 100644
index 00000000000..243cd467b4b
--- /dev/null
+++ b/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/jsontype/BasicPolymorphicTypeValidator.java
@@ -0,0 +1,10 @@
+package com.fasterxml.jackson.databind.jsontype;
+
+public class BasicPolymorphicTypeValidator extends PolymorphicTypeValidator {
+ public static BasicPolymorphicTypeValidator.Builder builder() { return null; }
+
+ public static class Builder {
+ public BasicPolymorphicTypeValidator.Builder allowIfSubType(final String prefixForSubType) { return null; }
+ public BasicPolymorphicTypeValidator build() { return null; }
+ }
+}
diff --git a/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/jsontype/PolymorphicTypeValidator.java b/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/jsontype/PolymorphicTypeValidator.java
new file mode 100644
index 00000000000..37e68d2c429
--- /dev/null
+++ b/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/jsontype/PolymorphicTypeValidator.java
@@ -0,0 +1,3 @@
+package com.fasterxml.jackson.databind.jsontype;
+
+public abstract class PolymorphicTypeValidator {}