hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-04 13:15:21 +02:00
Code Issues Packages Projects Releases Wiki Activity

[Java] Add data flow through Iterator deserializers for Jackson

Browse Source
This commit is contained in:
Jonathan Leitschuh
2021-05-03 12:02:40 -04:00
parent 56b1f15dda
commit d0638db6e7
4 changed files with 104 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
java/ql/test/library-tests/dataflow/taint-jackson/Test.java
View File

@@ -3,6 +3,7 @@ import java.io.FileOutputStream;
import java.io.OutputStream;
import java.io.StringWriter;
import java.io.Writer;
import java.util.Iterator;
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonGenerator;
@@ -79,4 +80,18 @@ class Test {
sink(reader.readValue(s, Potato.class).name); //$hasTaintFlow
sink(reader.readValue(s, Potato.class).getName()); //$hasTaintFlow
}
public static void jacksonObjectReaderIterable() throws java.io.IOException {
String s = taint();
ObjectMapper om = new ObjectMapper();
ObjectReader reader = om.readerFor(Potato.class);
sink(reader.readValues(s)); //$hasTaintFlow
Iterator<Potato> pIterator = reader.readValues(s, Potato.class);
while(pIterator.hasNext()) {
Potato p = pIterator.next();
sink(p); //$hasTaintFlow
sink(p.name); //$hasTaintFlow
sink(p.getName()); //$hasTaintFlow
}
}
}