Look for remote callable method only in RmiUnsafeDeserialization.ql

2026-04-30 11:15:13 +02:00 · 2021-05-17 13:19:08 +02:00
parent 0182dfe1c0
commit e28f919f3d
4 changed files with 13 additions and 11 deletions
--- a/java/ql/src/experimental/Security/CWE/CWE-502/RmiSafeRemoteObject.java
+++ b/java/ql/src/experimental/Security/CWE/CWE-502/RmiSafeRemoteObject.java
@@ -1,7 +1,7 @@
 public class Server {
    public static void main(String... args) throws Exception {
        Registry registry = LocateRegistry.createRegistry(1099);
-        registry.bind("unsafe", new RemoteObjectImpl());
+        registry.bind("safe", new RemoteObjectImpl());
    }
 }

--- a/java/ql/src/experimental/Security/CWE/CWE-502/RmiUnsafeDeserialization.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-502/RmiUnsafeDeserialization.ql
@@ -15,7 +15,7 @@
 import java
 import semmle.code.java.frameworks.Rmi

-private class ObjectInputStream extends RefType {
+private class ObjectInputStream extends Class {
  ObjectInputStream() { hasQualifiedName("java.io", "ObjectInputStream") }
 }

@@ -35,9 +35,8 @@ private class BindMethod extends Method {
 /**
 * Looks for a vulnerable method in a `Remote` object.
 */
-private Method getVulnerableMethod(Type type) {
-  type.(RefType).getASupertype*() instanceof TypeRemote and
-  exists(Method m, Type parameterType |
+private Method getVulnerableMethod(RefType type) {
+  exists(RemoteCallableMethod m, Type parameterType |
    m.getDeclaringType() = type and parameterType = m.getAParamType()
  |
    not parameterType instanceof PrimitiveType and
@@ -61,5 +60,7 @@ private class UnsafeRmiBinding extends MethodAccess {
  Method getVulnerableMethod() { result = vulnerableMethod }
 }

-from UnsafeRmiBinding call
-select call, "Unsafe deserialization with RMI in '" + call.getVulnerableMethod() + "' method"
+from UnsafeRmiBinding call, Method vulnerableMethod
+where vulnerableMethod = call.getVulnerableMethod()
+select call, "Unsafe deserialization with RMI in '$@' method", vulnerableMethod,
+  vulnerableMethod.getStringSignature()
--- a/java/ql/test/experimental/query-tests/security/CWE-502/RmiUnsafeDeserialization.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-502/RmiUnsafeDeserialization.expected
@@ -1,4 +1,4 @@
-| RmiUnsafeDeserialization.java:13:9:13:59 | bind(...) | Unsafe deserialization with RMI in 'take' method |
-| RmiUnsafeDeserialization.java:14:9:14:61 | rebind(...) | Unsafe deserialization with RMI in 'take' method |
-| RmiUnsafeDeserialization.java:26:9:26:57 | bind(...) | Unsafe deserialization with RMI in 'take' method |
-| RmiUnsafeDeserialization.java:27:9:27:59 | rebind(...) | Unsafe deserialization with RMI in 'take' method |
+| RmiUnsafeDeserialization.java:13:9:13:59 | bind(...) | Unsafe deserialization with RMI in '$@' method | RmiUnsafeDeserialization.java:42:17:42:20 | take | take(Object) |
+| RmiUnsafeDeserialization.java:14:9:14:61 | rebind(...) | Unsafe deserialization with RMI in '$@' method | RmiUnsafeDeserialization.java:42:17:42:20 | take | take(Object) |
+| RmiUnsafeDeserialization.java:26:9:26:57 | bind(...) | Unsafe deserialization with RMI in '$@' method | RmiUnsafeDeserialization.java:42:17:42:20 | take | take(Object) |
+| RmiUnsafeDeserialization.java:27:9:27:59 | rebind(...) | Unsafe deserialization with RMI in '$@' method | RmiUnsafeDeserialization.java:42:17:42:20 | take | take(Object) |
--- a/java/ql/test/experimental/query-tests/security/CWE-502/RmiUnsafeDeserialization.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-502/RmiUnsafeDeserialization.java
@@ -54,4 +54,5 @@ class SafeRemoteObject implements SafeRemoteObjectInterface {
    public void take(double n) throws RemoteException {}
    public void take(String s) throws RemoteException {}
    public void take(ObjectInputStream ois) throws RemoteException {}
+    public void safeMethod(Object object) {} // this method is not declared in SafeRemoteObjectInterface
 }