Add SerialKiller model

java/ql/test/query-tests/security/CWE-502/A.java

@@ -7,6 +7,7 @@ import com.esotericsoftware.kryo.io.Input;
 import org.yaml.snakeyaml.constructor.SafeConstructor;
 import org.yaml.snakeyaml.constructor.Constructor;
 import org.yaml.snakeyaml.Yaml;
+import org.nibblesec.tools.SerialKiller;
 
 public class A {
   public Object deserialize1(Socket sock) throws java.io.IOException, ClassNotFoundException {
@@ -21,6 +22,12 @@ public class A {
     return in.readUnshared(); // $unsafeDeserialization
   }
 
+  public Object deserializeWithSerialKiller(Socket sock) throws java.io.IOException, ClassNotFoundException {
+    InputStream inputStream = sock.getInputStream();
+    ObjectInputStream in = new SerialKiller(inputStream, "/etc/serialkiller.conf");
+    return in.readUnshared(); // OK
+  }
+
   public Object deserialize3(Socket sock) throws java.io.IOException {
     InputStream inputStream = sock.getInputStream();
     XMLDecoder d = new XMLDecoder(inputStream);

java/ql/test/query-tests/security/CWE-502/options

@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/snakeyaml-1.21:${testdir}/../../../stubs/xstream-1.4.10:${testdir}/../../../stubs/kryo-4.0.2:${testdir}/../../../stubs/jsr311-api-1.1.1:${testdir}/../../../stubs/fastjson-1.2.74:${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/jyaml-1.3:${testdir}/../../../stubs/json-io-4.10.0:${testdir}/../../../stubs/yamlbeans-1.09:${testdir}/../../../stubs/hessian-4.0.38:${testdir}/../../../stubs/castor-1.4.1:${testdir}/../../../stubs/jackson-databind-2.12:${testdir}/../../../stubs/jackson-core-2.12:${testdir}/../../../stubs/jabsorb-1.3.2:${testdir}/../../../stubs/json-java-20210307:${testdir}/../../../stubs/joddjson-6.0.3:${testdir}/../../../stubs/flexjson-2.1:${testdir}/../../../stubs/gson-2.8.6:${testdir}/../../../stubs/google-android-9.0.0
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/snakeyaml-1.21:${testdir}/../../../stubs/xstream-1.4.10:${testdir}/../../../stubs/kryo-4.0.2:${testdir}/../../../stubs/jsr311-api-1.1.1:${testdir}/../../../stubs/fastjson-1.2.74:${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/jyaml-1.3:${testdir}/../../../stubs/json-io-4.10.0:${testdir}/../../../stubs/yamlbeans-1.09:${testdir}/../../../stubs/hessian-4.0.38:${testdir}/../../../stubs/castor-1.4.1:${testdir}/../../../stubs/jackson-databind-2.12:${testdir}/../../../stubs/jackson-core-2.12:${testdir}/../../../stubs/jabsorb-1.3.2:${testdir}/../../../stubs/json-java-20210307:${testdir}/../../../stubs/joddjson-6.0.3:${testdir}/../../../stubs/flexjson-2.1:${testdir}/../../../stubs/gson-2.8.6:${testdir}/../../../stubs/google-android-9.0.0:${testdir}/../../../stubs/serialkiller-4.0.0

java/ql/test/stubs/serialkiller-4.0.0/org/nibblesec/tools/SerialKiller.java

@@ -0,0 +1,23 @@
+/*
+ * SerialKiller.java
+ *
+ * Copyright (c) 2015-2016 Luca Carettoni
+ *
+ * SerialKiller is an easy-to-use look-ahead Java deserialization library
+ * to secure application from untrusted input. When Java serialization is
+ * used to exchange information between a client and a server, attackers
+ * can replace the legitimate serialized stream with malicious data.
+ * SerialKiller inspects Java classes during naming resolution and allows
+ * a combination of blacklisting/whitelisting to secure your application.
+ *
+ * Dual-Licensed Software: Apache v2.0 and GPL v2.0
+ */
+package org.nibblesec.tools;
+
+import java.io.ObjectInputStream;
+import java.io.InputStream;
+import java.io.IOException;
+
+public class SerialKiller extends ObjectInputStream {
+    public SerialKiller(InputStream inputStream, String configFile) throws IOException {}
+}