Description
Description of the issue
Looking at all the results that "Deserialization of user-controlled data" returns, from Alibaba `JSON.parseObject`, to Kryo, to XStream, to Java Deserialization, the results are all over the place. But the advice is incredibly simplistic and only provides a single example on how to fix this.
https://codeql.github.com/codeql-query-help/java/java-unsafe-deserialization/
Deserialization of user-controlled data has a massive impact, usually RCE, but the documentation on how, or even why, you might need to fix it, is basically completely missing.
The one example (`ObjectInputStream`) is useful, but how do I fix Kryo, how do I fix Alibaba JSON, how does CodeQL know that a given `ObjectMapper` from Jackson is configured to be vulnerable? None of this information is captured either in the documentation, or in the query results (for example, which `ObjectMapper` has `enableDefaultTyping()` enabled).
I'm a security researcher, and I know how these are vulnerable, but scrolling through the results on LGTM.com (which I know is about to die), most of these, I don't know how I'd fix them.
Additionally, you see results like `JSON.parseObject(httpResponse.getHttpContentString())` getting flagged, and from what I can see from documentation, this was potentially fixed? Maybe? I thought CodeQL had a policy against flagging vulnerabilities that can be fixed with a dependency update. Why this is getting flagged is inherently unclear.
https://jfrog.com/blog/cve-2022-25845-analyzing-the-fastjson-auto-type-bypass-rce-vulnerability/
In summary, this is a significant vulnerability finding, with potentially massive impact, but the CodeQL documentation doesn't do it justice, and doesn't give valuable information to the end user on determining if they are truly vulnerable, and then how to fix it.
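The issue asks what a fix looks like for the sinks beyond `ObjectInputStream`. The following is an added example, not code from the CodeQL documentation or from the issue author: it shows the Jackson configuration the query is reacting to (`enableDefaultTyping()` with no type validator) beside a hardened `ObjectMapper`, plus the equivalent controls for Kryo and `ObjectInputStream`. The package `com.example.hardening` and the `Message`/`TextMessage` classes are assumed application types.

```java
// Added example (not from the CodeQL docs or the issue author): the three
// deserialization sinks discussed in the issue, each with a hardened setup.
// The package and the Message/TextMessage types are assumed for illustration.
package com.example.hardening;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

import com.esotericsoftware.kryo.Kryo;
import com.esotericsoftware.kryo.io.Input;

public final class SafeDeserialization {

    /** Assumed application DTOs: the only polymorphic types we ever accept. */
    public interface Message extends java.io.Serializable {}

    public static final class TextMessage implements Message {
        public String body;
    }

    // --- Jackson -------------------------------------------------------------
    // The pattern the query flags: default typing switched on with no validator,
    // so a JSON payload can name any class on the classpath as the target type.
    public static ObjectMapper unsafeMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(); // deprecated since Jackson 2.10 for this reason
        return m;
    }

    // Hardened: polymorphic typing only for allow-listed base types and subtypes.
    // Without any default typing at all, a plain ObjectMapper is already safe.
    public static ObjectMapper safeMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfBaseType(Message.class)
                .allowIfSubType("com.example.hardening.")
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    public static Message readJson(String untrustedJson) throws IOException {
        return safeMapper().readValue(untrustedJson, Message.class);
    }

    // --- Kryo ----------------------------------------------------------------
    // With registration required, a class name in the stream that was not
    // registered up front is rejected instead of being resolved and instantiated.
    // (Kryo 5 defaults to true; Kryo 4 defaults to false.)
    public static Kryo safeKryo() {
        Kryo kryo = new Kryo();
        kryo.setRegistrationRequired(true);
        kryo.register(TextMessage.class);
        return kryo;
    }

    public static TextMessage readKryo(byte[] untrustedBytes) {
        try (Input in = new Input(untrustedBytes)) {
            return safeKryo().readObject(in, TextMessage.class);
        }
    }

    // --- ObjectInputStream ---------------------------------------------------
    // Java 9+ deserialization filter: allow our own package and java.base,
    // reject every other class before its bytes are turned into an object.
    public static Object readSerialized(byte[] untrustedBytes)
            throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "com.example.hardening.*;java.base/*;!*");
        try (ObjectInputStream ois =
                     new ObjectInputStream(new ByteArrayInputStream(untrustedBytes))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }
}
```

The common thread is that each fix replaces "instantiate whatever class the input names" with an explicit allow-list enforced before instantiation, which is also the property a reviewer has to establish when triaging one of these results: not whether `readObject`, `readValue` or `JSON.parseObject` is called, but whether the surrounding configuration restricts the reachable types. Fastjson's equivalent is its autoType allow-list (and `safeMode` in the versions that provide it); it is not shown above because the exact control depends on the fastjson version in use.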