mirror of
https://github.com/github/codeql.git
synced 2025-12-17 09:13:20 +01:00
122 lines
4.8 KiB
Java
122 lines
4.8 KiB
Java
package unsafedeserialization;
|
|
|
|
import java.io.*;
|
|
import java.net.Socket;
|
|
import java.beans.XMLDecoder;
|
|
import com.example.MyObjectInput;
|
|
import com.thoughtworks.xstream.XStream;
|
|
import com.esotericsoftware.kryo.Kryo;
|
|
import com.esotericsoftware.kryo.io.Input;
|
|
import org.yaml.snakeyaml.constructor.SafeConstructor;
|
|
import org.yaml.snakeyaml.constructor.Constructor;
|
|
import org.yaml.snakeyaml.Yaml;
|
|
import org.nibblesec.tools.SerialKiller;
|
|
|
|
public class A {
|
|
public Object deserialize1a(Socket sock) throws java.io.IOException, ClassNotFoundException {
|
|
InputStream inputStream = sock.getInputStream(); // $ Source
|
|
ObjectInputStream in = new ObjectInputStream(inputStream);
|
|
return in.readObject(); // $ Alert
|
|
}
|
|
|
|
public Object deserialize2() throws java.io.IOException, ClassNotFoundException {
|
|
ObjectInput objectInput = A.getTaintedObjectInput(); // $ Source
|
|
return objectInput.readObject(); // $ Alert
|
|
}
|
|
|
|
public Object deserialize3() throws java.io.IOException, ClassNotFoundException {
|
|
MyObjectInput objectInput = A.getTaintedMyObjectInput(); // $ Source
|
|
return objectInput.readObject(); // $ Alert
|
|
}
|
|
|
|
public Object deserialize4(Socket sock) throws java.io.IOException, ClassNotFoundException {
|
|
InputStream inputStream = sock.getInputStream(); // $ Source
|
|
ObjectInputStream in = new ObjectInputStream(inputStream);
|
|
return in.readUnshared(); // $ Alert
|
|
}
|
|
|
|
public Object deserializeWithSerialKiller(Socket sock) throws java.io.IOException, ClassNotFoundException {
|
|
InputStream inputStream = sock.getInputStream();
|
|
ObjectInputStream in = new SerialKiller(inputStream, "/etc/serialkiller.conf");
|
|
return in.readUnshared(); // OK
|
|
}
|
|
|
|
public Object deserialize5(Socket sock) throws java.io.IOException {
|
|
InputStream inputStream = sock.getInputStream(); // $ Source
|
|
XMLDecoder d = new XMLDecoder(inputStream);
|
|
return d.readObject(); // $ Alert
|
|
}
|
|
|
|
public Object deserialize6(Socket sock) throws java.io.IOException {
|
|
XStream xs = new XStream();
|
|
InputStream inputStream = sock.getInputStream(); // $ Source
|
|
Reader reader = new InputStreamReader(inputStream);
|
|
return xs.fromXML(reader); // $ Alert
|
|
}
|
|
|
|
public void deserialize7(Socket sock) throws java.io.IOException {
|
|
Kryo kryo = new Kryo();
|
|
Input input = new Input(sock.getInputStream()); // $ Source
|
|
A a1 = kryo.readObject(input, A.class); // $ Alert
|
|
A a2 = kryo.readObjectOrNull(input, A.class); // $ Alert
|
|
Object o = kryo.readClassAndObject(input); // $ Alert
|
|
}
|
|
|
|
private Kryo getSafeKryo() throws java.io.IOException {
|
|
Kryo kryo = new Kryo();
|
|
kryo.setRegistrationRequired(true);
|
|
// ... kryo.register(A.class) ...
|
|
return kryo;
|
|
}
|
|
|
|
public void deserialize8(Socket sock) throws java.io.IOException {
|
|
Kryo kryo = getSafeKryo();
|
|
Input input = new Input(sock.getInputStream());
|
|
Object o = kryo.readClassAndObject(input); // OK
|
|
}
|
|
|
|
public void deserializeSnakeYaml(Socket sock) throws java.io.IOException {
|
|
Yaml yaml = new Yaml();
|
|
InputStream input = sock.getInputStream(); // $ Source
|
|
Object o = yaml.load(input); // $ Alert
|
|
Object o2 = yaml.loadAll(input); // $ Alert
|
|
Object o3 = yaml.parse(new InputStreamReader(input)); // $ Alert
|
|
A o4 = yaml.loadAs(input, A.class); // $ Alert
|
|
A o5 = yaml.loadAs(new InputStreamReader(input), A.class); // $ Alert
|
|
}
|
|
|
|
public void deserializeSnakeYaml2(Socket sock) throws java.io.IOException {
|
|
Yaml yaml = new Yaml(new Constructor());
|
|
InputStream input = sock.getInputStream(); // $ Source
|
|
Object o = yaml.load(input); // $ Alert
|
|
Object o2 = yaml.loadAll(input); // $ Alert
|
|
Object o3 = yaml.parse(new InputStreamReader(input)); // $ Alert
|
|
A o4 = yaml.loadAs(input, A.class); // $ Alert
|
|
A o5 = yaml.loadAs(new InputStreamReader(input), A.class); // $ Alert
|
|
}
|
|
|
|
public void deserializeSnakeYaml3(Socket sock) throws java.io.IOException {
|
|
Yaml yaml = new Yaml(new SafeConstructor());
|
|
InputStream input = sock.getInputStream();
|
|
Object o = yaml.load(input); //OK
|
|
Object o2 = yaml.loadAll(input); //OK
|
|
Object o3 = yaml.parse(new InputStreamReader(input)); //OK
|
|
A o4 = yaml.loadAs(input, A.class); //OK
|
|
A o5 = yaml.loadAs(new InputStreamReader(input), A.class); //OK
|
|
}
|
|
|
|
public void deserializeSnakeYaml4(Socket sock) throws java.io.IOException {
|
|
Yaml yaml = new Yaml(new Constructor(A.class));
|
|
InputStream input = sock.getInputStream(); // $ Source
|
|
Object o = yaml.load(input); // $ Alert
|
|
Object o2 = yaml.loadAll(input); // $ Alert
|
|
Object o3 = yaml.parse(new InputStreamReader(input)); // $ Alert
|
|
A o4 = yaml.loadAs(input, A.class); // $ Alert
|
|
A o5 = yaml.loadAs(new InputStreamReader(input), A.class); // $ Alert
|
|
}
|
|
|
|
static ObjectInput getTaintedObjectInput() { return null; }
|
|
|
|
static MyObjectInput getTaintedMyObjectInput() { return null; }
|
|
}
|