Java: Add TypeObjectInputStream

This commit is contained in:
Marcono1234
2021-10-11 01:07:05 +02:00
parent a74d423d82
commit b009886664
6 changed files with 26 additions and 54 deletions


@@ -156,6 +156,11 @@ class TypeObjectOutputStream extends RefType {
TypeObjectOutputStream() { hasQualifiedName("java.io", "ObjectOutputStream") }
}
/** The type `java.io.ObjectInputStream`. */
class TypeObjectInputStream extends RefType {
TypeObjectInputStream() { hasQualifiedName("java.io", "ObjectInputStream") }
}
/** The class `java.nio.file.Paths`. */
class TypePaths extends Class {
TypePaths() { this.hasQualifiedName("java.nio.file", "Paths") }
@@ -275,7 +280,7 @@ class WriteObjectMethod extends Method {
*/
class ReadObjectMethod extends Method {
ReadObjectMethod() {
this.getDeclaringType().hasQualifiedName("java.io", "ObjectInputStream") and
this.getDeclaringType() instanceof TypeObjectInputStream and
(
this.hasName("readObject") or
this.hasName("readObjectOverride") or


@@ -269,7 +269,7 @@ private predicate taintPreservingQualifierToMethod(Method m) {
m.getName() = "toString"
)
or
m.getDeclaringType().hasQualifiedName("java.io", "ObjectInputStream") and
m.getDeclaringType() instanceof TypeObjectInputStream and
m.getName().matches("read%")
or
m instanceof GetterMethod and


@@ -299,10 +299,7 @@ class RuntimeExitOrHaltMethod extends Method {
(this.hasName("exit") or this.hasName("halt")) and
this.getNumberOfParameters() = 1 and
this.getParameter(0).getType().(PrimitiveType).hasName("int") and
this.getDeclaringType()
.getASupertype*()
.getSourceDeclaration()
.hasQualifiedName("java.lang", "Runtime")
this.getDeclaringType().getASupertype*().getSourceDeclaration() instanceof TypeRuntime
}
}
@@ -315,10 +312,7 @@ class RuntimeAddOrRemoveShutdownHookMethod extends Method {
(this.hasName("addShutdownHook") or this.hasName("removeShutdownHook")) and
this.getNumberOfParameters() = 1 and
this.getParameter(0).getType().(RefType).hasQualifiedName("java.lang", "Thread") and
this.getDeclaringType()
.getASupertype*()
.getSourceDeclaration()
.hasQualifiedName("java.lang", "Runtime")
this.getDeclaringType().getASupertype*().getSourceDeclaration() instanceof TypeRuntime
}
}
@@ -414,33 +408,29 @@ class ForbiddenSerializationMethod extends Method {
/**
* A method named `enableReplaceObject` declared in
* the class `java.io.ObjectInputStream` or a subclass thereof.
* the class `java.io.ObjectOutputStream` or a subclass thereof.
*/
class EnableReplaceObjectMethod extends Method {
EnableReplaceObjectMethod() {
this.hasName("enableReplaceObject") and
this.getNumberOfParameters() = 1 and
this.getParameter(0).getType().(PrimitiveType).hasName("boolean") and
this.getDeclaringType()
.getASupertype*()
.getSourceDeclaration()
.hasQualifiedName("java.io", "ObjectOutputStream")
this.getDeclaringType().getASupertype*().getSourceDeclaration() instanceof
TypeObjectOutputStream
}
}
/**
* A method named `replaceObject` declared in
* the class `java.io.ObjectInputStream` or a subclass thereof.
* the class `java.io.ObjectOutputStream` or a subclass thereof.
*/
class ReplaceObjectMethod extends Method {
ReplaceObjectMethod() {
this.hasName("replaceObject") and
this.getNumberOfParameters() = 1 and
this.getParameter(0).getType() instanceof TypeObject and
this.getDeclaringType()
.getASupertype*()
.getSourceDeclaration()
.hasQualifiedName("java.io", "ObjectOutputStream")
this.getDeclaringType().getASupertype*().getSourceDeclaration() instanceof
TypeObjectOutputStream
}
}
@@ -453,10 +443,7 @@ class EnableResolveObjectMethod extends Method {
this.hasName("enableResolveObject") and
this.getNumberOfParameters() = 1 and
this.getParameter(0).getType().(PrimitiveType).hasName("boolean") and
this.getDeclaringType()
.getASupertype*()
.getSourceDeclaration()
.hasQualifiedName("java.io", "ObjectInputStream")
this.getDeclaringType().getASupertype*().getSourceDeclaration() instanceof TypeObjectInputStream
}
}
@@ -469,10 +456,7 @@ class ResolveObjectMethod extends Method {
this.hasName("resolveObject") and
this.getNumberOfParameters() = 1 and
this.getParameter(0).getType() instanceof TypeObject and
this.getDeclaringType()
.getASupertype*()
.getSourceDeclaration()
.hasQualifiedName("java.io", "ObjectInputStream")
this.getDeclaringType().getASupertype*().getSourceDeclaration() instanceof TypeObjectInputStream
}
}
@@ -485,10 +469,7 @@ class ResolveClassMethod extends Method {
this.hasName("resolveClass") and
this.getNumberOfParameters() = 1 and
this.getParameter(0).getType().(RefType).hasQualifiedName("java.io", "ObjectStreamClass") and
this.getDeclaringType()
.getASupertype*()
.getSourceDeclaration()
.hasQualifiedName("java.io", "ObjectInputStream")
this.getDeclaringType().getASupertype*().getSourceDeclaration() instanceof TypeObjectInputStream
}
}
@@ -500,16 +481,8 @@ class ResolveProxyClassMethod extends Method {
ResolveProxyClassMethod() {
this.hasName("resolveProxyClass") and
this.getNumberOfParameters() = 1 and
this.getParameter(0)
.getType()
.(Array)
.getComponentType()
.(RefType)
.hasQualifiedName("java.lang", "String") and
this.getDeclaringType()
.getASupertype*()
.getSourceDeclaration()
.hasQualifiedName("java.io", "ObjectInputStream")
this.getParameter(0).getType().(Array).getComponentType() instanceof TypeString and
this.getDeclaringType().getASupertype*().getSourceDeclaration() instanceof TypeObjectInputStream
}
}
@@ -598,16 +571,13 @@ class SystemOrRuntimeLoadLibraryMethod extends Method {
SystemOrRuntimeLoadLibraryMethod() {
(this.hasName("load") or this.hasName("loadLibrary")) and
this.getNumberOfParameters() = 1 and
this.getParameter(0).getType().(RefType).hasQualifiedName("java.lang", "String") and
this.getParameter(0).getType() instanceof TypeString and
(
this.getDeclaringType()
.getASupertype*()
.getSourceDeclaration()
.hasQualifiedName("java.lang", "System") or
this.getDeclaringType()
.getASupertype*()
.getSourceDeclaration()
.hasQualifiedName("java.lang", "Runtime")
this.getDeclaringType().getASupertype*().getSourceDeclaration() instanceof TypeRuntime
)
}
}
@@ -619,9 +589,6 @@ class SystemOrRuntimeLoadLibraryMethod extends Method {
class RuntimeExecMethod extends Method {
RuntimeExecMethod() {
this.hasName("exec") and
this.getDeclaringType()
.getASupertype*()
.getSourceDeclaration()
.hasQualifiedName("java.lang", "Runtime")
this.getDeclaringType().getASupertype*().getSourceDeclaration() instanceof TypeRuntime
}
}
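Review bot: In SystemOrRuntimeLoadLibraryMethod (hunk @@ -598,16 +571,13 @@) the parenthesised disjunction on the new side contains only `this.getDeclaringType().getASupertype*().getSourceDeclaration() instanceof TypeRuntime`, whereas the removed lines also accepted declaring types descending from `java.lang.System`; as rendered, `System.load` and `System.loadLibrary` would no longer be classified by this class, which silently narrows the native-library-loading sink set that queries relying on it see. The hunk header reports 13 new-side lines but only nine are visible here, so this may be an artefact of the page dropping a line; if the committed code still has a `System` alternative, disregard. Otherwise the disjunction should keep both arms, e.g. `this.getDeclaringType().getASupertype*().getSourceDeclaration() instanceof TypeSystem or` (assuming the JDK library defines `TypeSystem` next to `TypeRuntime`) followed by the existing `TypeRuntime` line. The same pattern of collapsing a two-arm check into one does not occur in the other hunks of this file, which each replace a single qualified-name check.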


@@ -22,7 +22,7 @@ private import semmle.code.java.Reflection
private class ObjectInputStreamReadObjectMethod extends Method {
ObjectInputStreamReadObjectMethod() {
this.getDeclaringType().getASourceSupertype*().hasQualifiedName("java.io", "ObjectInputStream") and
this.getDeclaringType().getASourceSupertype*() instanceof TypeObjectInputStream and
(this.hasName("readObject") or this.hasName("readUnshared"))
}
}


@@ -20,7 +20,7 @@ where
m.getDeclaringType().getASupertype*() instanceof TypeSerializable and
m.hasName("writeObject") and
m.getNumberOfParameters() = 1 and
m.getAParamType().(Class).hasQualifiedName("java.io", "ObjectOutputStream") and
m.getAParamType() instanceof TypeObjectOutputStream and
m.isSynchronized() and
not exists(Method s |
m.getDeclaringType().inherits(s) and


@@ -39,7 +39,7 @@ private predicate hasVulnerableMethod(RefType type) {
|
not parameterType instanceof PrimitiveType and
not parameterType instanceof TypeString and
not parameterType.(RefType).hasQualifiedName("java.io", "ObjectInputStream")
not parameterType instanceof TypeObjectInputStream
)
}