hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 17:23:36 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
codeql-cli-2.21.0
codeql/java/ql/test/query-tests/security/CWE-502/GsonServlet.java
Chris Smowton cd2c9e9ca3 Add Gson support to unsafe deserialization query
2021-10-12 12:35:04 +01:00

77 lines
2.9 KiB
Java
Raw Permalink Blame History

import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.google.gson.Gson;
import com.google.gson.GsonBuilder;
import com.google.gson.typeadapters.RuntimeTypeAdapterFactory;
import com.example.User;
import com.thirdparty.Person;
public class GsonServlet extends HttpServlet {
private static final long serialVersionUID = 1L;
@Override
// GOOD: concrete class type specified
public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
String json = req.getParameter("json");
Gson gson = new Gson();
Object obj = gson.fromJson(json, User.class);
}
@Override
// GOOD: concrete class type specified
public void doPut(HttpServletRequest req, HttpServletResponse resp) throws IOException {
String json = req.getParameter("json");
Gson gson = new Gson();
Object obj = gson.fromJson(json, Person.class);
}
@Override
// BAD: allow class name to be controlled by remote source
public void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
String json = req.getParameter("json");
String clazz = req.getParameter("class");
try {
Gson gson = new Gson();
Object obj = gson.fromJson(json, Class.forName(clazz)); // $unsafeDeserialization
} catch (ClassNotFoundException cne) {
throw new IOException(cne.getMessage());
}
}
@Override
// BAD: allow class name to be controlled by remote source even with a type adapter factory
public void doHead(HttpServletRequest req, HttpServletResponse resp) throws IOException {
String json = req.getParameter("json");
String clazz = req.getParameter("class");
try {
RuntimeTypeAdapterFactory<User> runtimeTypeAdapterFactory = RuntimeTypeAdapterFactory
.of(User.class, "type");
Gson gson = new GsonBuilder().registerTypeAdapterFactory(runtimeTypeAdapterFactory).create();
Object obj = gson.fromJson(json, Class.forName(clazz)); // $unsafeDeserialization
} catch (ClassNotFoundException cne) {
throw new IOException(cne.getMessage());
}
}
@Override
// GOOD: specify allowed class types without explicitly configured vulnerable subclass types
public void doTrace(HttpServletRequest req, HttpServletResponse resp) throws IOException {
String json = req.getParameter("json");
String clazz = req.getParameter("class");
RuntimeTypeAdapterFactory<Person> runtimeTypeAdapterFactory = RuntimeTypeAdapterFactory
.of(Person.class, "type");
Gson gson = new GsonBuilder().registerTypeAdapterFactory(runtimeTypeAdapterFactory).create();
Person obj = gson.fromJson(json, Person.class);
}
}
Reference in New Issue View Git Blame Copy Permalink