hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-27 17:55:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' into atorralba/promote-ognl-injection

Browse Source
This commit is contained in:
Tony Torralba
2021-05-19 10:41:08 +02:00
parent 1815656a02 0c970b5f1f
commit e58746508d
198 changed files with 13516 additions and 3965 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
java/ql/test/query-tests/security/CWE-502/KryoTest.java Normal file
View File

@@ -0,0 +1,34 @@
import java.io.*;
import java.net.Socket;
import com.esotericsoftware.kryo.Kryo;
import com.esotericsoftware.kryo.pool.KryoPool;
import com.esotericsoftware.kryo.io.Input;
public class KryoTest {
private Kryo getSafeKryo() {
Kryo kryo = new Kryo();
kryo.setRegistrationRequired(true);
// ... kryo.register(A.class) ...
return kryo;
}
public void kryoDeserialize(Socket sock) throws java.io.IOException {
KryoPool kryoPool = new KryoPool.Builder(this::getSafeKryo).softReferences().build();
Input input = new Input(sock.getInputStream());
Object o = kryoPool.run(kryo -> kryo.readClassAndObject(input)); // OK
}
public void kryoDeserialize2(Socket sock) throws java.io.IOException {
KryoPool kryoPool = new KryoPool.Builder(this::getSafeKryo).softReferences().build();
Input input = new Input(sock.getInputStream());
Kryo k = kryoPool.borrow();
try {
Object o = k.readClassAndObject(input); // OK
} finally {
kryoPool.release(k);
}
}
}