Merge branch 'unsafe-jackson-deserialization' of github.com:artem-smotrakov/ql into unsafe-jackson-deserialization

This commit is contained in:
Artem Smotrakov
2021-07-16 18:26:38 +02:00


@@ -64,7 +64,7 @@ private class ObjectMapperReadQualifier extends DataFlow::ExprNode {
/** A source that sets a type validator. */
private class SetPolymorphicTypeValidatorSource extends DataFlow::ExprNode {
SetPolymorphicTypeValidatorSource() {
exists(MethodAccess ma, Method m, Expr q | m = ma.getMethod() and q = ma.getQualifier() |
exists(MethodAccess ma, Method m | m = ma.getMethod() |
(
m.getDeclaringType() instanceof ObjectMapper and
m.hasName("setPolymorphicTypeValidator")
@@ -72,7 +72,7 @@ private class SetPolymorphicTypeValidatorSource extends DataFlow::ExprNode {
m.getDeclaringType() instanceof MapperBuilder and
m.hasName("polymorphicTypeValidator")
) and
this.asExpr() = q
this.asExpr() = ma.getQualifier()
)
}
}
@@ -120,7 +120,7 @@ class EnableJacksonDefaultTypingConfig extends DataFlow2::Configuration {
}
/**
* Tracks flow from calls, which set a type validator, to a subsequent Jackson deserialization method call,
* Tracks flow from calls which set a type validator to a subsequent Jackson deserialization method call,
* including across builder method calls.
*
* Such a Jackson deserialization method call is safe because validation will likely prevent instantiating unexpected types.