[Java] Jackson add support for 2 step deserialization taint flow

2026-04-30 11:15:13 +02:00 · 2021-05-10 17:20:14 -04:00
parent e97bad3b33
commit bacc3ef5b3
5 changed files with 38 additions and 1 deletions
--- a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
+++ b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
@@ -77,6 +77,7 @@ private module Frameworks {
  private import semmle.code.java.frameworks.ApacheHttp
  private import semmle.code.java.frameworks.apache.Lang
  private import semmle.code.java.frameworks.guava.Guava
+  private import semmle.code.java.frameworks.jackson.JacksonSerializability
  private import semmle.code.java.security.ResponseSplitting
  private import semmle.code.java.security.XSS
  private import semmle.code.java.security.LdapInjection
--- a/java/ql/src/semmle/code/java/frameworks/jackson/JacksonSerializability.qll
+++ b/java/ql/src/semmle/code/java/frameworks/jackson/JacksonSerializability.qll
@@ -9,6 +9,7 @@ import semmle.code.java.Reflection
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.DataFlow5
 import semmle.code.java.dataflow.FlowSteps
+private import semmle.code.java.dataflow.ExternalFlow

 /**
 * A `@com.fasterxml.jackson.annotation.JsonIgnore` annoation.
@@ -275,3 +276,13 @@ class JacksonMixedInCallable extends Callable {
    )
  }
 }
+
+private class JacksonModel extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "com.fasterxml.jackson.databind;ObjectMapper;true;valueToTree;;;Argument[0];ReturnValue;taint",
+        "com.fasterxml.jackson.databind;ObjectMapper;true;convertValue;;;Argument[0];ReturnValue;taint"
+      ]
+  }
+}
--- a/java/ql/test/library-tests/dataflow/taint-jackson/Test.java
+++ b/java/ql/test/library-tests/dataflow/taint-jackson/Test.java
@@ -4,9 +4,12 @@ import java.io.OutputStream;
 import java.io.StringWriter;
 import java.io.Writer;
 import java.util.Iterator;
+import java.util.HashMap;
+import java.util.Map;

 import com.fasterxml.jackson.core.JsonFactory;
 import com.fasterxml.jackson.core.JsonGenerator;
+import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.databind.ObjectWriter;
 import com.fasterxml.jackson.databind.ObjectReader;
@@ -94,4 +97,16 @@ class Test {
 			sink(p.getName()); //$hasTaintFlow
 		}
 	}
+
+	public static void jacksonTwoStepDeserialization() throws java.io.IOException {
+		String s = taint();
+		Map<String, Object> taintedParams = new HashMap<>();
+		taintedParams.put("name", s);
+		ObjectMapper om = new ObjectMapper();
+		JsonNode jn = om.valueToTree(taintedParams);
+		sink(jn); //$hasTaintFlow
+		Potato p = om.convertValue(jn, Potato.class);
+		sink(p); //$hasTaintFlow
+		sink(p.getName()); //$hasTaintFlow
+	}
 }
--- a/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/JsonNode.java
+++ b/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/JsonNode.java
@@ -1,6 +1,8 @@
 package com.fasterxml.jackson.databind;

-public class JsonNode {
+import java.util.*;
+
+public abstract class JsonNode implements Iterable<JsonNode> {
    public JsonNode() {
    }
 }
--- a/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/ObjectMapper.java
+++ b/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/ObjectMapper.java
@@ -30,4 +30,12 @@ public class ObjectMapper {
  public ObjectReader readerFor(Class<?> type) {
    return null;
  }
+
+  public <T extends JsonNode> T valueToTree(Object fromValue) throws IllegalArgumentException {
+    return null;
+  }
+
+  public <T> T convertValue(Object fromValue, Class<T> toValueType) throws IllegalArgumentException {
+    return null;
+  }
 }