Java: CWE-502 Add UnsafeDeserialization sinks #5881

Merged
merged 10 commits into from
Jun 17, 2021

Conversation

haby0
Contributor

@haby0 haby0 commented May 12, 2021

In the study of Java deserialization vulnerabilities, some sinks were recorded. This PR adds these sinks to the CodeQL query. A total of 8 sinks have been added.

Mainly known: JYaml.load, JsonReader.jsonToJava, YamlReader.read, HessianInput.readObject, Hessian2Input.readObject, Unmarshaller.unmarshal, BurlapInput.readObject. There are also some sink points not mentioned: YamlConfig.load, JsonReader.readObject.

/**
* The class `com.caucho.hessian.io.HessianInput` or `com.caucho.hessian.io.Hessian2Input`.
*/
class UnSafeHessianInput extends RefType {
Contributor

Suggested change
class UnSafeHessianInput extends RefType {
class UnsafeHessianInput extends RefType {

And similarly elsewhere

Contributor Author

ok

* A JYaml unsafe load method. This is either `YAML.load` or
* `YAML.loadType` or `YAML.loadStream` or `YAML.loadStreamOfType`.
*/
class JYamlUnSafeLoadMethod extends Method {
Contributor

Suggested change
class JYamlUnSafeLoadMethod extends Method {
class JYamlUnsafeLoadMethod extends Method {

And similarly elsewhere

@@ -50,6 +55,29 @@ class SafeKryo extends DataFlow2::Configuration {
}
}

class SafeJsonIo extends DataFlow2::Configuration {
Contributor

Suggested change
class SafeJsonIo extends DataFlow2::Configuration {
class SafeJsonIoConfig extends DataFlow2::Configuration {

Contributor

Also missing qldoc

}

@GetMapping(value = "jsonio")
public void bad2(HttpServletRequest request) {
Contributor

Rename test case (it contains both good and bad cases)

cie.getConstructor().getDeclaringType() instanceof JsonReader and
cie.getArgument(0) = prod.asExpr() and
cie = succ.asExpr() and
not exists(SafeJsonIo sji | sji.hasFlowToExpr(cie.getArgument(1)))
Contributor

This and the other similar exclusion would be better expressed using isSanitizer

not exists(SafeJsonIo sji | sji.hasFlowToExpr(cie.getArgument(1)))
)
or
exists(ClassInstanceExpr cie |
Contributor

Once the not exists(SafeJsonIo sji | sji.hasFlowToExpr(cie.getArgument(1))) has been moved to isSanitizer, you can factor this like

exists(ClassInstanceExpr cie |
  cie.getArgument(0) = prod.asExpr() and
  cie = succ.asExpr() and
  (
    cie.getConstructor().getDeclaringType() instanceof YamlReader or
    cie.getConstructor().getDeclaringType() instanceof JsonReader or
    ...
  )
)

Contributor Author

Thanks for the suggestion.

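The refactoring proposed in the review thread above, written out as an added illustration (this is not code from PR #5881 or from the CodeQL repository): the json-io exclusion moves into `isSanitizer`, backed by a `DataFlow2::Configuration` that tracks an options map on which `USE_MAPS` was set to `true` into the second constructor argument of `JsonReader`, and the reader types in `isAdditionalTaintStep` are factored into one disjunction. The class names `JsonIoJsonReader`, `JsonIoUseMapsSetter` and `SafeJsonIoConfig` follow the names suggested by the reviewers; the configuration strings, `JsonIoReadObjectCall` and the exact matching of `Map.put` are assumptions made for this example.

```ql
/**
 * Added example, not part of PR #5881: json-io `USE_MAPS` handling as a sanitizer
 * on the `JsonReader` constructor, plus a factored additional taint step.
 */
import java
import semmle.code.java.dataflow.DataFlow
import semmle.code.java.dataflow.DataFlow2
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.dataflow.FlowSources

/** The class `com.cedarsoftware.util.io.JsonReader`. */
class JsonIoJsonReader extends RefType {
  JsonIoJsonReader() { this.hasQualifiedName("com.cedarsoftware.util.io", "JsonReader") }
}

/** A `Map.put(...)` call that sets the json-io `USE_MAPS` option to `true` (assumed matching). */
class JsonIoUseMapsSetter extends MethodAccess {
  JsonIoUseMapsSetter() {
    this.getMethod().hasName("put") and
    this.getMethod().getDeclaringType().getASourceSupertype*().hasQualifiedName("java.util", "Map") and
    (
      // `JsonReader.USE_MAPS` is the constant "USE_MAPS"; accept the field or the literal.
      this.getArgument(0).(FieldAccess).getField().hasName("USE_MAPS") or
      this.getArgument(0).(CompileTimeConstantExpr).getStringValue() = "USE_MAPS"
    ) and
    this.getArgument(1).(CompileTimeConstantExpr).getBooleanValue() = true
  }
}

/** Tracks a map with `USE_MAPS = true` to the options argument of a `JsonReader` constructor. */
class SafeJsonIoConfig extends DataFlow2::Configuration {
  SafeJsonIoConfig() { this = "UnsafeDeserialization::SafeJsonIoConfig" }

  override predicate isSource(DataFlow::Node src) {
    src.asExpr() = any(JsonIoUseMapsSetter s).getQualifier()
  }

  override predicate isSink(DataFlow::Node sink) {
    exists(ClassInstanceExpr cie |
      cie.getConstructor().getDeclaringType() instanceof JsonIoJsonReader and
      sink.asExpr() = cie.getArgument(1)
    )
  }
}

/** A call to `readObject` on a json-io `JsonReader`, one of the sinks added by the PR. */
class JsonIoReadObjectCall extends MethodAccess {
  JsonIoReadObjectCall() {
    this.getMethod().getDeclaringType() instanceof JsonIoJsonReader and
    this.getMethod().hasName("readObject")
  }
}

class UnsafeDeserializationConfig extends TaintTracking::Configuration {
  UnsafeDeserializationConfig() { this = "UnsafeDeserializationConfig (added example)" }

  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

  override predicate isSink(DataFlow::Node sink) {
    sink.asExpr() = any(JsonIoReadObjectCall c).getQualifier()
  }

  /** The stream argument stops carrying taint when the reader is built with `USE_MAPS = true`. */
  override predicate isSanitizer(DataFlow::Node node) {
    exists(ClassInstanceExpr cie |
      cie.getConstructor().getDeclaringType() instanceof JsonIoJsonReader and
      node.asExpr() = cie.getArgument(0) and
      exists(SafeJsonIoConfig sji | sji.hasFlowToExpr(cie.getArgument(1)))
    )
  }

  /** Taint on the stream passed to a reader constructor taints the constructed reader. */
  override predicate isAdditionalTaintStep(DataFlow::Node prod, DataFlow::Node succ) {
    exists(ClassInstanceExpr cie |
      cie.getArgument(0) = prod.asExpr() and
      cie = succ.asExpr() and
      (
        cie.getConstructor().getDeclaringType() instanceof JsonIoJsonReader
        // further reader types (YamlBeans YamlReader, Hessian inputs, ...) are added here
      )
    )
  }
}

from UnsafeDeserializationConfig cfg, DataFlow::Node source, DataFlow::Node sink
where cfg.hasFlow(source, sink)
select sink, "Unsafe deserialization of $@.", source, "user input"
```

Because the sanitizer sits on the constructor's stream argument, a reader created with the `USE_MAPS` map never becomes tainted, so the `readObject` call on it is not reported, while a reader created without it still is.
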
@@ -50,6 +55,29 @@ class SafeKryo extends DataFlow2::Configuration {
}
}

class SafeJsonIo extends DataFlow2::Configuration {
Contributor

Should be moved to the JsonIO.qll lib

Contributor Author

Haha, I see other tracing flows are in this qll file, so I put it here.

@@ -21,6 +21,39 @@ class UnsafeDeserializationConfig extends TaintTracking::Configuration {
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

override predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeDeserializationSink }

override predicate isAdditionalTaintStep(DataFlow::Node prod, DataFlow::Node succ) {
exists(ClassInstanceExpr cie |
Contributor

@smowton, is ClassInstanceExpr preferred over ConstructorCall? I find the latter more readable, but it seems the former is a subtype of the latter.

Contributor

ConstructorCall includes super(...) and this(...), while ClassInstanceExpr is strictly new XYZ(...)

/**
* The class `org.exolab.castor.xml.Unmarshaller`.
*/
class Unmarshaller extends RefType {
Contributor

Please rename to CastorUnmarshaller; otherwise it's not clear what lib this class belongs to when reading UnsafeDeserialization.

Contributor Author

ok

*/
class UnSafeHessianInput extends RefType {
UnSafeHessianInput() {
this.hasQualifiedName("com.caucho.hessian.io", ["HessianInput", "Hessian2Input"])
Contributor

Suggested change
this.hasQualifiedName("com.caucho.hessian.io", ["HessianInput", "Hessian2Input"])
this.hasQualifiedName(["com.caucho.hessian.io", "com.alibaba.com.caucho.hessian.io"], ["AbstractHessianInput", "Hessian2StreamingInput"])

I've used this in the past, I think it covers more classes

*/
class UnSafeHessianInputReadObjectMethod extends Method {
UnSafeHessianInputReadObjectMethod() {
this.getDeclaringType() instanceof UnSafeHessianInput and
Contributor

If using the above suggestion, this one should account for getASupertype*()

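The two review suggestions just above (both Hessian package prefixes via `hasQualifiedName`, and matching `readObject` through `getASupertype*()`), as an added illustration that is not code from PR #5881 or the CodeQL repository. The class names are assumed to follow the PR's naming; the final `select` is only there to exercise the classes.

```ql
/**
 * Added example, not part of PR #5881: Hessian `readObject` sinks modelled through
 * the base classes so that subclasses such as `HessianInput` and `Hessian2Input`
 * are covered, in both the `com.caucho` and the `com.alibaba.com.caucho` packages.
 */
import java
import semmle.code.java.dataflow.DataFlow

/** The classes `[com.alibaba.]com.caucho.hessian.io.AbstractHessianInput` and `Hessian2StreamingInput`. */
class UnsafeHessianInput extends RefType {
  UnsafeHessianInput() {
    this.hasQualifiedName(["com.caucho.hessian.io", "com.alibaba.com.caucho.hessian.io"],
      ["AbstractHessianInput", "Hessian2StreamingInput"])
  }
}

/**
 * A `readObject` method declared on an unsafe Hessian input or on one of its subclasses.
 * `getASupertype*()` matters here: a call `hessian2Input.readObject()` resolves to the
 * override declared on `Hessian2Input`, whose declaring type is not `AbstractHessianInput`
 * itself, so a plain `getDeclaringType() instanceof UnsafeHessianInput` would miss it.
 */
class UnsafeHessianInputReadObjectMethod extends Method {
  UnsafeHessianInputReadObjectMethod() {
    this.getDeclaringType().getASupertype*() instanceof UnsafeHessianInput and
    this.hasName("readObject")
  }
}

/** The qualifier of a `readObject` call on an unsafe Hessian input, as a data-flow sink node. */
class UnsafeHessianDeserializationSink extends DataFlow::ExprNode {
  UnsafeHessianDeserializationSink() {
    exists(MethodAccess ma |
      ma.getMethod() instanceof UnsafeHessianInputReadObjectMethod and
      this.getExpr() = ma.getQualifier()
    )
  }
}

// Lists every matched call with the concrete declaring type, which shows which
// subclass the supertype walk resolved for each call site.
from MethodAccess ma
where ma.getMethod() instanceof UnsafeHessianInputReadObjectMethod
select ma, "Call to " + ma.getMethod().getDeclaringType().getName() + ".readObject()"
```
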
* Provides classes and predicates for working with the Hession framework.
*/

import java
Contributor

Perhaps rename this file to HessianBurlap and adapt file top comment

/**
* The class `com.esotericsoftware.yamlbeans.YamlReader`.
*/
class YamlReader extends RefType {
Contributor

Perhaps rename it to YamlBeansReader to make it clear that this class belongs to this library when reading UnsafeDeserialization files

/**
* The class `com.cedarsoftware.util.io.JsonReader`.
*/
class JsonReader extends RefType {
Contributor

Same here, please rename it to JsonIoJsonReader or alike

@haby0
Contributor Author

haby0 commented May 14, 2021

@smowton Modified based on the suggestions of the two reviewers, please review again. Thank you.

@haby0 haby0 requested review from smowton and removed request for a team May 14, 2021 10:21
Contributor

@smowton smowton left a comment

Since this is targeting non-experimental, please add a change note

import java

/**
* The class `com.caucho.hessian.io.AbstractHessianInput` or `com.alibaba.com.caucho.hessian.io.Hessian2StreamingInput`.
Contributor

Suggested change
* The class `com.caucho.hessian.io.AbstractHessianInput` or `com.alibaba.com.caucho.hessian.io.Hessian2StreamingInput`.
* The classes `[com.alibaba.]com.caucho.hessian.io.AbstractHessianInput` or `[com.alibaba.]com.caucho.hessian.io.Hessian2StreamingInput`.

Comment on lines 15 to 16
* A JYaml unsafe load method. This is either `YAML.load` or
* `YAML.loadType` or `YAML.loadStream` or `YAML.loadStreamOfType`.
Contributor

Suggested change
* A JYaml unsafe load method. This is either `YAML.load` or
* `YAML.loadType` or `YAML.loadStream` or `YAML.loadStreamOfType`.
* A JYaml unsafe load method, declared on either `Yaml` or `YamlConfig`.

* The class `org.ho.yaml.Yaml`.
*/
class JYaml extends RefType {
JYaml() { this.hasQualifiedName("org.ho.yaml", "Yaml") }
Contributor

Suggested change
JYaml() { this.hasQualifiedName("org.ho.yaml", "Yaml") }
JYamlLoader() { this.hasQualifiedName("org.ho.yaml", ["Yaml", "YamlConfig"]) }

Comment on lines 24 to 41

/**
* The class `org.ho.yaml.YamlConfig`.
*/
class JYamlConfig extends RefType {
JYamlConfig() { this.hasQualifiedName("org.ho.yaml", "YamlConfig") }
}

/**
* A JYamlConfig unsafe load method. This is either `YamlConfig.load` or
* `YAML.loadType` or `YamlConfig.loadStream` or `YamlConfig.loadStreamOfType`.
*/
class JYamlConfigUnsafeLoadMethod extends Method {
JYamlConfigUnsafeLoadMethod() {
this.getDeclaringType() instanceof JYamlConfig and
this.getName() in ["load", "loadType", "loadStream", "loadStreamOfType"]
}
}
Contributor

Suggested change
/**
* The class `org.ho.yaml.YamlConfig`.
*/
class JYamlConfig extends RefType {
JYamlConfig() { this.hasQualifiedName("org.ho.yaml", "YamlConfig") }
}
/**
* A JYamlConfig unsafe load method. This is either `YamlConfig.load` or
* `YAML.loadType` or `YamlConfig.loadStream` or `YamlConfig.loadStreamOfType`.
*/
class JYamlConfigUnsafeLoadMethod extends Method {
JYamlConfigUnsafeLoadMethod() {
this.getDeclaringType() instanceof JYamlConfig and
this.getName() in ["load", "loadType", "loadStream", "loadStreamOfType"]
}
}

/**
* A call to `Map.put` method, set the value of the `USE_MAPS` key to `true`.
*/
class JsonIoSafeOptionalArgs extends MethodAccess {
Contributor

Suggested change
class JsonIoSafeOptionalArgs extends MethodAccess {
class JsonIoUseMapsSetter extends MethodAccess {

Contributor

^^

Comment on lines 92 to 94
or
ma.getMethod() instanceof JYamlConfigUnsafeLoadMethod and
sink = ma.getArgument(0)
Contributor

Suggested change
or
ma.getMethod() instanceof JYamlConfigUnsafeLoadMethod and
sink = ma.getArgument(0)

@haby0 haby0 requested a review from smowton May 17, 2021 08:23
/**
* A call to `Map.put` method, set the value of the `USE_MAPS` key to `true`.
*/
class JsonIoSafeOptionalArgs extends MethodAccess {
Contributor

^^

@smowton
Contributor

smowton commented May 17, 2021

Otherwise looks good to me; over to @aschackmull for final review.

Note you need to rebase to resolve the UnsafeDeserialization.expected conflict.

@haby0
Contributor Author

haby0 commented May 18, 2021

@smowton @pwntester Thanks for review.

@haby0
Contributor Author

haby0 commented May 18, 2021

@aschackmull Please do the final review, thank you.

}

/** A method with the name `unmarshal` declared in `org.exolab.castor.xml.Unmarshaller`. */
class UnmarshalMethod extends Method {
Contributor

This name is a little too generic, let's include Castor in the name:

Suggested change
class UnmarshalMethod extends Method {
class CastorUnmarshalMethod extends Method {

Contributor Author

I made a change.

Contributor

@aschackmull aschackmull left a comment

One minor comment, otherwise just needs a rebase to resolve the conflict. LGTM.

@haby0 haby0 requested a review from aschackmull June 16, 2021 05:30
@aschackmull
Contributor

Still needs a rebase to resolve the conflict in java/ql/test/query-tests/security/CWE-502/UnsafeDeserialization.expected

@haby0
Contributor Author

haby0 commented Jun 16, 2021

Can you review it again?

@aschackmull
Contributor

The expected output of java/ql/test/query-tests/security/CWE-502/UnsafeDeserialization.qlref needs to be updated. I assume that the merge conflict resolved cleanly, but it looks like there essentially was a semantic merge conflict (some of the modelled steps changed slightly, resulting in a different data flow graph).

@haby0
Contributor Author

haby0 commented Jun 17, 2021

You try again.

@haby0
Contributor Author

haby0 commented Jun 17, 2021

It is strange that there is no file conflict reported this time, did I do something wrong...

@aschackmull
Contributor

That fix looks incorrect to me. I guess you're testing against the merge base rather than current main?
This was the reported error:

--- expected
+++ actual
@@ -61,13 +61,25 @@
 | C.java:51:17:51:44 | getParameter(...) : String | C.java:53:3:53:3 | r |
 | C.java:51:17:51:44 | getParameter(...) : String | C.java:54:3:54:3 | r |
 | C.java:51:17:51:44 | getParameter(...) : String | C.java:55:3:55:3 | r |
+| C.java:60:18:60:45 | getParameter(...) : String | C.java:61:55:61:59 | bytes : byte[] |
 | C.java:60:18:60:45 | getParameter(...) : String | C.java:63:3:63:14 | hessianInput |
 | C.java:60:18:60:45 | getParameter(...) : String | C.java:64:3:64:14 | hessianInput |
+| C.java:61:30:61:60 | new ByteArrayInputStream(...) : ByteArrayInputStream | C.java:63:3:63:14 | hessianInput |
+| C.java:61:30:61:60 | new ByteArrayInputStream(...) : ByteArrayInputStream | C.java:64:3:64:14 | hessianInput |
+| C.java:61:55:61:59 | bytes : byte[] | C.java:61:30:61:60 | new ByteArrayInputStream(...) : ByteArrayInputStream |
+| C.java:69:18:69:45 | getParameter(...) : String | C.java:70:55:70:59 | bytes : byte[] |
 | C.java:69:18:69:45 | getParameter(...) : String | C.java:72:3:72:14 | hessianInput |
 | C.java:69:18:69:45 | getParameter(...) : String | C.java:73:3:73:14 | hessianInput |
+| C.java:70:30:70:60 | new ByteArrayInputStream(...) : ByteArrayInputStream | C.java:72:3:72:14 | hessianInput |
+| C.java:70:30:70:60 | new ByteArrayInputStream(...) : ByteArrayInputStream | C.java:73:3:73:14 | hessianInput |
+| C.java:70:55:70:59 | bytes : byte[] | C.java:70:30:70:60 | new ByteArrayInputStream(...) : ByteArrayInputStream |
 | C.java:79:43:79:70 | getParameter(...) : String | C.java:79:26:79:71 | new StringReader(...) |
+| C.java:84:27:84:54 | getParameter(...) : String | C.java:85:54:85:67 | serializedData : byte[] |
 | C.java:84:27:84:54 | getParameter(...) : String | C.java:87:3:87:13 | burlapInput |
 | C.java:84:27:84:54 | getParameter(...) : String | C.java:91:3:91:14 | burlapInput1 |
+| C.java:85:29:85:68 | new ByteArrayInputStream(...) : ByteArrayInputStream | C.java:87:3:87:13 | burlapInput |
+| C.java:85:29:85:68 | new ByteArrayInputStream(...) : ByteArrayInputStream | C.java:91:3:91:14 | burlapInput1 |
+| C.java:85:54:85:67 | serializedData : byte[] | C.java:85:29:85:68 | new ByteArrayInputStream(...) : ByteArrayInputStream |
 | TestMessageBodyReader.java:20:55:20:78 | entityStream : InputStream | TestMessageBodyReader.java:22:18:22:52 | new ObjectInputStream(...) |
 | TestMessageBodyReader.java:20:55:20:78 | entityStream : InputStream | TestMessageBodyReader.java:22:40:22:51 | entityStream : InputStream |
 | TestMessageBodyReader.java:22:40:22:51 | entityStream : InputStream | TestMessageBodyReader.java:22:18:22:52 | new ObjectInputStream(...) |
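Review bot: regenerate UnsafeDeserialization.expected from the query output on current main rather than hand-editing it; every `+` row in this hunk is an intermediate path node, not a new alert. Each new row threads the existing `getParameter(...) : String` source through `bytes : byte[]` and `new ByteArrayInputStream(...) : ByteArrayInputStream` before arriving at the same `hessianInput` and `burlapInput` sink nodes that were already in the expected file, for example `C.java:61:55:61:59 | bytes : byte[]`, then `C.java:61:30:61:60 | new ByteArrayInputStream(...)`, then `C.java:63:3:63:14 | hessianInput`, so the alert set is unchanged and only the rendered paths differ.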
@@ -148,14 +160,20 @@
 | C.java:54:3:54:3 | r | semmle.label | r |
 | C.java:55:3:55:3 | r | semmle.label | r |
 | C.java:60:18:60:45 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| C.java:61:30:61:60 | new ByteArrayInputStream(...) : ByteArrayInputStream | semmle.label | new ByteArrayInputStream(...) : ByteArrayInputStream |
+| C.java:61:55:61:59 | bytes : byte[] | semmle.label | bytes : byte[] |
 | C.java:63:3:63:14 | hessianInput | semmle.label | hessianInput |
 | C.java:64:3:64:14 | hessianInput | semmle.label | hessianInput |
 | C.java:69:18:69:45 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| C.java:70:30:70:60 | new ByteArrayInputStream(...) : ByteArrayInputStream | semmle.label | new ByteArrayInputStream(...) : ByteArrayInputStream |
+| C.java:70:55:70:59 | bytes : byte[] | semmle.label | bytes : byte[] |
 | C.java:72:3:72:14 | hessianInput | semmle.label | hessianInput |
 | C.java:73:3:73:14 | hessianInput | semmle.label | hessianInput |
 | C.java:79:26:79:71 | new StringReader(...) | semmle.label | new StringReader(...) |
 | C.java:79:43:79:70 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | C.java:84:27:84:54 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| C.java:85:29:85:68 | new ByteArrayInputStream(...) : ByteArrayInputStream | semmle.label | new ByteArrayInputStream(...) : ByteArrayInputStream |
+| C.java:85:54:85:67 | serializedData : byte[] | semmle.label | serializedData : byte[] |
 | C.java:87:3:87:13 | burlapInput | semmle.label | burlapInput |
 | C.java:91:3:91:14 | burlapInput1 | semmle.label | burlapInput1 |
 | TestMessageBodyReader.java:20:55:20:78 | entityStream : InputStream | semmle.label | entityStream : InputStream |
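Review bot: the nodes section has to stay consistent with the edges section; the six `+` rows here (`bytes : byte[]` and `new ByteArrayInputStream(...) : ByteArrayInputStream` at C.java lines 61, 70 and 85) are exactly the intermediate nodes that the edges hunk above introduces, which is one more reason to accept the generated actual output wholesale instead of editing one section by hand.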
Error: [8/8] [71/111 comp 23.4s eval 3.9s] FAILED(RESULT) /home/runner/work/semmle-code/semmle-code/ql/java/ql/test/query-tests/security/CWE-502/UnsafeDeserialization.qlref

@haby0
Contributor Author

haby0 commented Jun 17, 2021

There is no InputStream in the results of my analysis.

--- expected
+++ actual
@@ -1,74 +1,60 @@
 edges
-| A.java:13:31:13:51 | getInputStream(...) : InputStream | A.java:14:50:14:60 | inputStream : InputStream |
 | A.java:13:31:13:51 | getInputStream(...) : InputStream | A.java:15:12:15:13 | in |
-| A.java:14:28:14:61 | new ObjectInputStream(...) : ObjectInputStream | A.java:15:12:15:13 | in |
-| A.java:14:50:14:60 | inputStream : InputStream | A.java:14:28:14:61 | new ObjectInputStream(...) : ObjectInputStream |
-| A.java:19:31:19:51 | getInputStream(...) : InputStream | A.java:20:50:20:60 | inputStream : InputStream |
 | A.java:19:31:19:51 | getInputStream(...) : InputStream | A.java:21:12:21:13 | in |
-| A.java:20:28:20:61 | new ObjectInputStream(...) : ObjectInputStream | A.java:21:12:21:13 | in |
-| A.java:20:50:20:60 | inputStream : InputStream | A.java:20:28:20:61 | new ObjectInputStream(...) : ObjectInputStream |
-| A.java:25:31:25:51 | getInputStream(...) : InputStream | A.java:26:35:26:45 | inputStream : InputStream |
-| A.java:26:20:26:46 | new XMLDecoder(...) : XMLDecoder | A.java:27:12:27:12 | d |
-| A.java:26:35:26:45 | inputStream : InputStream | A.java:26:20:26:46 | new XMLDecoder(...) : XMLDecoder |
-| A.java:32:31:32:51 | getInputStream(...) : InputStream | A.java:33:43:33:53 | inputStream : InputStream |
-| A.java:33:21:33:54 | new InputStreamReader(...) : InputStreamReader | A.java:34:23:34:28 | reader |
-| A.java:33:43:33:53 | inputStream : InputStream | A.java:33:21:33:54 | new InputStreamReader(...) : InputStreamReader |
-| A.java:39:19:39:50 | new Input(...) : Input | A.java:40:28:40:32 | input |
-| A.java:39:19:39:50 | new Input(...) : Input | A.java:41:34:41:38 | input |
-| A.java:39:19:39:50 | new Input(...) : Input | A.java:42:40:42:44 | input |
-| A.java:39:29:39:49 | getInputStream(...) : InputStream | A.java:39:19:39:50 | new Input(...) : Input |
+| A.java:25:31:25:51 | getInputStream(...) : InputStream | A.java:27:12:27:12 | d |
+| A.java:32:31:32:51 | getInputStream(...) : InputStream | A.java:34:23:34:28 | reader |
+| A.java:39:29:39:49 | getInputStream(...) : InputStream | A.java:40:28:40:32 | input |
+| A.java:39:29:39:49 | getInputStream(...) : InputStream | A.java:41:34:41:38 | input |
+| A.java:39:29:39:49 | getInputStream(...) : InputStream | A.java:42:40:42:44 | input |
 | A.java:60:25:60:45 | getInputStream(...) : InputStream | A.java:61:26:61:30 | input |
 | A.java:60:25:60:45 | getInputStream(...) : InputStream | A.java:62:30:62:34 | input |
-| A.java:60:25:60:45 | getInputStream(...) : InputStream | A.java:63:50:63:54 | input : InputStream |
+| A.java:60:25:60:45 | getInputStream(...) : InputStream | A.java:63:28:63:55 | new InputStreamReader(...) |
 | A.java:60:25:60:45 | getInputStream(...) : InputStream | A.java:64:24:64:28 | input |
-| A.java:60:25:60:45 | getInputStream(...) : InputStream | A.java:65:46:65:50 | input : InputStream |
-| A.java:63:50:63:54 | input : InputStream | A.java:63:28:63:55 | new InputStreamReader(...) |
-| A.java:65:46:65:50 | input : InputStream | A.java:65:24:65:51 | new InputStreamReader(...) |
+| A.java:60:25:60:45 | getInputStream(...) : InputStream | A.java:65:24:65:51 | new InputStreamReader(...) |
 | A.java:70:25:70:45 | getInputStream(...) : InputStream | A.java:71:26:71:30 | input |
 | A.java:70:25:70:45 | getInputStream(...) : InputStream | A.java:72:30:72:34 | input |
-| A.java:70:25:70:45 | getInputStream(...) : InputStream | A.java:73:50:73:54 | input : InputStream |
+| A.java:70:25:70:45 | getInputStream(...) : InputStream | A.java:73:28:73:55 | new InputStreamReader(...) |
 | A.java:70:25:70:45 | getInputStream(...) : InputStream | A.java:74:24:74:28 | input |
-| A.java:70:25:70:45 | getInputStream(...) : InputStream | A.java:75:46:75:50 | input : InputStream |
-| A.java:73:50:73:54 | input : InputStream | A.java:73:28:73:55 | new InputStreamReader(...) |
-| A.java:75:46:75:50 | input : InputStream | A.java:75:24:75:51 | new InputStreamReader(...) |
+| A.java:70:25:70:45 | getInputStream(...) : InputStream | A.java:75:24:75:51 | new InputStreamReader(...) |
 | A.java:90:25:90:45 | getInputStream(...) : InputStream | A.java:91:26:91:30 | input |
 | A.java:90:25:90:45 | getInputStream(...) : InputStream | A.java:92:30:92:34 | input |
-| A.java:90:25:90:45 | getInputStream(...) : InputStream | A.java:93:50:93:54 | input : InputStream |
+| A.java:90:25:90:45 | getInputStream(...) : InputStream | A.java:93:28:93:55 | new InputStreamReader(...) |
 | A.java:90:25:90:45 | getInputStream(...) : InputStream | A.java:94:24:94:28 | input |
-| A.java:90:25:90:45 | getInputStream(...) : InputStream | A.java:95:46:95:50 | input : InputStream |
-| A.java:93:50:93:54 | input : InputStream | A.java:93:28:93:55 | new InputStreamReader(...) |
-| A.java:95:46:95:50 | input : InputStream | A.java:95:24:95:51 | new InputStreamReader(...) |
+| A.java:90:25:90:45 | getInputStream(...) : InputStream | A.java:95:24:95:51 | new InputStreamReader(...) |
 | B.java:7:31:7:51 | getInputStream(...) : InputStream | B.java:8:29:8:39 | inputStream |
-| B.java:12:31:12:51 | getInputStream(...) : InputStream | B.java:14:5:14:15 | inputStream : InputStream |
-| B.java:14:5:14:15 | inputStream : InputStream | B.java:14:22:14:26 | bytes [post update] : byte[] |
-| B.java:14:22:14:26 | bytes [post update] : byte[] | B.java:15:23:15:27 | bytes |
-| B.java:19:31:19:51 | getInputStream(...) : InputStream | B.java:21:5:21:15 | inputStream : InputStream |
-| B.java:21:5:21:15 | inputStream : InputStream | B.java:21:22:21:26 | bytes [post update] : byte[] |
-| B.java:21:22:21:26 | bytes [post update] : byte[] | B.java:23:29:23:29 | s |
-| B.java:27:31:27:51 | getInputStream(...) : InputStream | B.java:29:5:29:15 | inputStream : InputStream |
-| B.java:29:5:29:15 | inputStream : InputStream | B.java:29:22:29:26 | bytes [post update] : byte[] |
-| B.java:29:22:29:26 | bytes [post update] : byte[] | B.java:31:23:31:23 | s |
+| B.java:12:31:12:51 | getInputStream(...) : InputStream | B.java:15:23:15:27 | bytes |
+| B.java:19:31:19:51 | getInputStream(...) : InputStream | B.java:23:29:23:29 | s |
+| B.java:27:31:27:51 | getInputStream(...) : InputStream | B.java:31:23:31:23 | s |
+| C.java:23:17:23:44 | getParameter(...) : String | C.java:24:13:24:16 | data |
+| C.java:23:17:23:44 | getParameter(...) : String | C.java:25:19:25:22 | data |
+| C.java:23:17:23:44 | getParameter(...) : String | C.java:26:25:26:28 | data |
+| C.java:23:17:23:44 | getParameter(...) : String | C.java:27:17:27:20 | data |
+| C.java:23:17:23:44 | getParameter(...) : String | C.java:30:19:30:22 | data |
+| C.java:23:17:23:44 | getParameter(...) : String | C.java:31:25:31:28 | data |
+| C.java:23:17:23:44 | getParameter(...) : String | C.java:32:31:32:34 | data |
+| C.java:23:17:23:44 | getParameter(...) : String | C.java:33:23:33:26 | data |
+| C.java:38:17:38:44 | getParameter(...) : String | C.java:43:25:43:28 | data |
+| C.java:38:17:38:44 | getParameter(...) : String | C.java:46:3:46:4 | jr |
+| C.java:51:17:51:44 | getParameter(...) : String | C.java:53:3:53:3 | r |
+| C.java:51:17:51:44 | getParameter(...) : String | C.java:54:3:54:3 | r |
+| C.java:51:17:51:44 | getParameter(...) : String | C.java:55:3:55:3 | r |
+| C.java:60:18:60:45 | getParameter(...) : String | C.java:63:3:63:14 | hessianInput |
+| C.java:60:18:60:45 | getParameter(...) : String | C.java:64:3:64:14 | hessianInput |
+| C.java:69:18:69:45 | getParameter(...) : String | C.java:72:3:72:14 | hessianInput |
+| C.java:69:18:69:45 | getParameter(...) : String | C.java:73:3:73:14 | hessianInput |
+| C.java:79:43:79:70 | getParameter(...) : String | C.java:79:26:79:71 | new StringReader(...) |
+| C.java:84:27:84:54 | getParameter(...) : String | C.java:87:3:87:13 | burlapInput |
+| C.java:84:27:84:54 | getParameter(...) : String | C.java:91:3:91:14 | burlapInput1 |
 | TestMessageBodyReader.java:20:55:20:78 | entityStream : InputStream | TestMessageBodyReader.java:22:18:22:52 | new ObjectInputStream(...) |
-| TestMessageBodyReader.java:20:55:20:78 | entityStream : InputStream | TestMessageBodyReader.java:22:40:22:51 | entityStream : InputStream |
-| TestMessageBodyReader.java:22:40:22:51 | entityStream : InputStream | TestMessageBodyReader.java:22:18:22:52 | new ObjectInputStream(...) |
 nodes
 | A.java:13:31:13:51 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
-| A.java:14:28:14:61 | new ObjectInputStream(...) : ObjectInputStream | semmle.label | new ObjectInputStream(...) : ObjectInputStream |
-| A.java:14:50:14:60 | inputStream : InputStream | semmle.label | inputStream : InputStream |
 | A.java:15:12:15:13 | in | semmle.label | in |
 | A.java:19:31:19:51 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
-| A.java:20:28:20:61 | new ObjectInputStream(...) : ObjectInputStream | semmle.label | new ObjectInputStream(...) : ObjectInputStream |
-| A.java:20:50:20:60 | inputStream : InputStream | semmle.label | inputStream : InputStream |
 | A.java:21:12:21:13 | in | semmle.label | in |
 | A.java:25:31:25:51 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
-| A.java:26:20:26:46 | new XMLDecoder(...) : XMLDecoder | semmle.label | new XMLDecoder(...) : XMLDecoder |
-| A.java:26:35:26:45 | inputStream : InputStream | semmle.label | inputStream : InputStream |
 | A.java:27:12:27:12 | d | semmle.label | d |
 | A.java:32:31:32:51 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
-| A.java:33:21:33:54 | new InputStreamReader(...) : InputStreamReader | semmle.label | new InputStreamReader(...) : InputStreamReader |
-| A.java:33:43:33:53 | inputStream : InputStream | semmle.label | inputStream : InputStream |
 | A.java:34:23:34:28 | reader | semmle.label | reader |
-| A.java:39:19:39:50 | new Input(...) : Input | semmle.label | new Input(...) : Input |
 | A.java:39:29:39:49 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
 | A.java:40:28:40:32 | input | semmle.label | input |
 | A.java:41:34:41:38 | input | semmle.label | input |
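Review bot: the `-` rows in this hunk (B.java:12-31 and TestMessageBodyReader.java:20-22) drop intermediate path nodes such as `inputStream : InputStream` and `bytes [post update] : byte[]` from files this PR does not touch, so they are not part of the sink change. If they come from regenerating the expected output against a different library version than the base branch, rebase so that only the C.java rows remain in the diff; otherwise a failing test here cannot be told apart from a real regression in the new sinks. The added C.java edges themselves are consistent: every source is a `getParameter(...) : String` and every target is the expression the #select section reports as the sink (e.g. `data` at 24:13, `jr` at 46:3, `hessianInput` at 63:3, `new StringReader(...)` at 79:26).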
@@ -77,43 +63,57 @@
 | A.java:61:26:61:30 | input | semmle.label | input |
 | A.java:62:30:62:34 | input | semmle.label | input |
 | A.java:63:28:63:55 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) |
-| A.java:63:50:63:54 | input : InputStream | semmle.label | input : InputStream |
 | A.java:64:24:64:28 | input | semmle.label | input |
 | A.java:65:24:65:51 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) |
-| A.java:65:46:65:50 | input : InputStream | semmle.label | input : InputStream |
 | A.java:70:25:70:45 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
 | A.java:71:26:71:30 | input | semmle.label | input |
 | A.java:72:30:72:34 | input | semmle.label | input |
 | A.java:73:28:73:55 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) |
-| A.java:73:50:73:54 | input : InputStream | semmle.label | input : InputStream |
 | A.java:74:24:74:28 | input | semmle.label | input |
 | A.java:75:24:75:51 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) |
-| A.java:75:46:75:50 | input : InputStream | semmle.label | input : InputStream |
 | A.java:90:25:90:45 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
 | A.java:91:26:91:30 | input | semmle.label | input |
 | A.java:92:30:92:34 | input | semmle.label | input |
 | A.java:93:28:93:55 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) |
-| A.java:93:50:93:54 | input : InputStream | semmle.label | input : InputStream |
 | A.java:94:24:94:28 | input | semmle.label | input |
 | A.java:95:24:95:51 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) |
-| A.java:95:46:95:50 | input : InputStream | semmle.label | input : InputStream |
 | B.java:7:31:7:51 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
 | B.java:8:29:8:39 | inputStream | semmle.label | inputStream |
 | B.java:12:31:12:51 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
-| B.java:14:5:14:15 | inputStream : InputStream | semmle.label | inputStream : InputStream |
-| B.java:14:22:14:26 | bytes [post update] : byte[] | semmle.label | bytes [post update] : byte[] |
 | B.java:15:23:15:27 | bytes | semmle.label | bytes |
 | B.java:19:31:19:51 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
-| B.java:21:5:21:15 | inputStream : InputStream | semmle.label | inputStream : InputStream |
-| B.java:21:22:21:26 | bytes [post update] : byte[] | semmle.label | bytes [post update] : byte[] |
 | B.java:23:29:23:29 | s | semmle.label | s |
 | B.java:27:31:27:51 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
-| B.java:29:5:29:15 | inputStream : InputStream | semmle.label | inputStream : InputStream |
-| B.java:29:22:29:26 | bytes [post update] : byte[] | semmle.label | bytes [post update] : byte[] |
 | B.java:31:23:31:23 | s | semmle.label | s |
+| C.java:23:17:23:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| C.java:24:13:24:16 | data | semmle.label | data |
+| C.java:25:19:25:22 | data | semmle.label | data |
+| C.java:26:25:26:28 | data | semmle.label | data |
+| C.java:27:17:27:20 | data | semmle.label | data |
+| C.java:30:19:30:22 | data | semmle.label | data |
+| C.java:31:25:31:28 | data | semmle.label | data |
+| C.java:32:31:32:34 | data | semmle.label | data |
+| C.java:33:23:33:26 | data | semmle.label | data |
+| C.java:38:17:38:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| C.java:43:25:43:28 | data | semmle.label | data |
+| C.java:46:3:46:4 | jr | semmle.label | jr |
+| C.java:51:17:51:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| C.java:53:3:53:3 | r | semmle.label | r |
+| C.java:54:3:54:3 | r | semmle.label | r |
+| C.java:55:3:55:3 | r | semmle.label | r |
+| C.java:60:18:60:45 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| C.java:63:3:63:14 | hessianInput | semmle.label | hessianInput |
+| C.java:64:3:64:14 | hessianInput | semmle.label | hessianInput |
+| C.java:69:18:69:45 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| C.java:72:3:72:14 | hessianInput | semmle.label | hessianInput |
+| C.java:73:3:73:14 | hessianInput | semmle.label | hessianInput |
+| C.java:79:26:79:71 | new StringReader(...) | semmle.label | new StringReader(...) |
+| C.java:79:43:79:70 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| C.java:84:27:84:54 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| C.java:87:3:87:13 | burlapInput | semmle.label | burlapInput |
+| C.java:91:3:91:14 | burlapInput1 | semmle.label | burlapInput1 |
 | TestMessageBodyReader.java:20:55:20:78 | entityStream : InputStream | semmle.label | entityStream : InputStream |
 | TestMessageBodyReader.java:22:18:22:52 | new ObjectInputStream(...) | semmle.label | new ObjectInputStream(...) |
-| TestMessageBodyReader.java:22:40:22:51 | entityStream : InputStream | semmle.label | entityStream : InputStream |
 #select
 | A.java:15:12:15:26 | readObject(...) | A.java:13:31:13:51 | getInputStream(...) : InputStream | A.java:15:12:15:13 | in | Unsafe deserialization of $@. | A.java:13:31:13:51 | getInputStream(...) | user input |
 | A.java:21:12:21:28 | readUnshared(...) | A.java:19:31:19:51 | getInputStream(...) : InputStream | A.java:21:12:21:13 | in | Unsafe deserialization of $@. | A.java:19:31:19:51 | getInputStream(...) | user input |
@@ -141,4 +141,24 @@
 | B.java:15:12:15:28 | parse(...) | B.java:12:31:12:51 | getInputStream(...) : InputStream | B.java:15:23:15:27 | bytes | Unsafe deserialization of $@. | B.java:12:31:12:51 | getInputStream(...) | user input |
 | B.java:23:12:23:30 | parseObject(...) | B.java:19:31:19:51 | getInputStream(...) : InputStream | B.java:23:29:23:29 | s | Unsafe deserialization of $@. | B.java:19:31:19:51 | getInputStream(...) | user input |
 | B.java:31:12:31:24 | parse(...) | B.java:27:31:27:51 | getInputStream(...) : InputStream | B.java:31:23:31:23 | s | Unsafe deserialization of $@. | B.java:27:31:27:51 | getInputStream(...) | user input |
+| C.java:24:3:24:17 | load(...) | C.java:23:17:23:44 | getParameter(...) : String | C.java:24:13:24:16 | data | Unsafe deserialization of $@. | C.java:23:17:23:44 | getParameter(...) | user input |
+| C.java:25:3:25:23 | loadStream(...) | C.java:23:17:23:44 | getParameter(...) : String | C.java:25:19:25:22 | data | Unsafe deserialization of $@. | C.java:23:17:23:44 | getParameter(...) | user input |
+| C.java:26:3:26:43 | loadStreamOfType(...) | C.java:23:17:23:44 | getParameter(...) : String | C.java:26:25:26:28 | data | Unsafe deserialization of $@. | C.java:23:17:23:44 | getParameter(...) | user input |
+| C.java:27:3:27:35 | loadType(...) | C.java:23:17:23:44 | getParameter(...) : String | C.java:27:17:27:20 | data | Unsafe deserialization of $@. | C.java:23:17:23:44 | getParameter(...) | user input |
+| C.java:30:3:30:23 | load(...) | C.java:23:17:23:44 | getParameter(...) : String | C.java:30:19:30:22 | data | Unsafe deserialization of $@. | C.java:23:17:23:44 | getParameter(...) | user input |
+| C.java:31:3:31:29 | loadStream(...) | C.java:23:17:23:44 | getParameter(...) : String | C.java:31:25:31:28 | data | Unsafe deserialization of $@. | C.java:23:17:23:44 | getParameter(...) | user input |
+| C.java:32:3:32:49 | loadStreamOfType(...) | C.java:23:17:23:44 | getParameter(...) : String | C.java:32:31:32:34 | data | Unsafe deserialization of $@. | C.java:23:17:23:44 | getParameter(...) | user input |
+| C.java:33:3:33:41 | loadType(...) | C.java:23:17:23:44 | getParameter(...) : String | C.java:33:23:33:26 | data | Unsafe deserialization of $@. | C.java:23:17:23:44 | getParameter(...) | user input |
+| C.java:43:3:43:29 | jsonToJava(...) | C.java:38:17:38:44 | getParameter(...) : String | C.java:43:25:43:28 | data | Unsafe deserialization of $@. | C.java:38:17:38:44 | getParameter(...) | user input |
+| C.java:46:3:46:17 | readObject(...) | C.java:38:17:38:44 | getParameter(...) : String | C.java:46:3:46:4 | jr | Unsafe deserialization of $@. | C.java:38:17:38:44 | getParameter(...) | user input |
+| C.java:53:3:53:10 | read(...) | C.java:51:17:51:44 | getParameter(...) : String | C.java:53:3:53:3 | r | Unsafe deserialization of $@. | C.java:51:17:51:44 | getParameter(...) | user input |
+| C.java:54:3:54:22 | read(...) | C.java:51:17:51:44 | getParameter(...) : String | C.java:54:3:54:3 | r | Unsafe deserialization of $@. | C.java:51:17:51:44 | getParameter(...) | user input |
+| C.java:55:3:55:36 | read(...) | C.java:51:17:51:44 | getParameter(...) : String | C.java:55:3:55:3 | r | Unsafe deserialization of $@. | C.java:51:17:51:44 | getParameter(...) | user input |
+| C.java:63:3:63:27 | readObject(...) | C.java:60:18:60:45 | getParameter(...) : String | C.java:63:3:63:14 | hessianInput | Unsafe deserialization of $@. | C.java:60:18:60:45 | getParameter(...) | user input |
+| C.java:64:3:64:39 | readObject(...) | C.java:60:18:60:45 | getParameter(...) : String | C.java:64:3:64:14 | hessianInput | Unsafe deserialization of $@. | C.java:60:18:60:45 | getParameter(...) | user input |
+| C.java:72:3:72:27 | readObject(...) | C.java:69:18:69:45 | getParameter(...) : String | C.java:72:3:72:14 | hessianInput | Unsafe deserialization of $@. | C.java:69:18:69:45 | getParameter(...) | user input |
+| C.java:73:3:73:39 | readObject(...) | C.java:69:18:69:45 | getParameter(...) : String | C.java:73:3:73:14 | hessianInput | Unsafe deserialization of $@. | C.java:69:18:69:45 | getParameter(...) | user input |
+| C.java:79:3:79:72 | unmarshal(...) | C.java:79:43:79:70 | getParameter(...) : String | C.java:79:26:79:71 | new StringReader(...) | Unsafe deserialization of $@. | C.java:79:43:79:70 | getParameter(...) | user input |
+| C.java:87:3:87:26 | readObject(...) | C.java:84:27:84:54 | getParameter(...) : String | C.java:87:3:87:13 | burlapInput | Unsafe deserialization of $@. | C.java:84:27:84:54 | getParameter(...) | user input |
+| C.java:91:3:91:27 | readObject(...) | C.java:84:27:84:54 | getParameter(...) : String | C.java:91:3:91:14 | burlapInput1 | Unsafe deserialization of $@. | C.java:84:27:84:54 | getParameter(...) | user input |
 | TestMessageBodyReader.java:22:18:22:65 | readObject(...) | TestMessageBodyReader.java:20:55:20:78 | entityStream : InputStream | TestMessageBodyReader.java:22:18:22:52 | new ObjectInputStream(...) | Unsafe deserialization of $@. | TestMessageBodyReader.java:20:55:20:78 | entityStream | user input |
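Review bot: the three `read(...)` rows at C.java:53-55 and the `readObject(...)` rows at 46, 63-64, 72-73, 87 and 91 all report the call's receiver (`r`, `jr`, `hessianInput`, `burlapInput`, `burlapInput1`) as the sink, while the `load`/`loadStream`/`loadStreamOfType`/`loadType` rows at 24-33 and the `jsonToJava(...)` row at 43 report the argument `data`. That split is only right because each receiver is built from the tainted string, which the edges from `getParameter(...)` at 38:17, 51:17, 60:18, 69:18 and 84:27 show; a one-line comment in C.java saying that the sink for these calls is the receiver would keep a later move to argument-based sinks from silently dropping these rows. The `unmarshal(...)` row at 79 is the other case to keep in mind: its sink is `new StringReader(...)` at 79:26, not the string, so that result depends on taint propagating through the StringReader constructor.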

@aschackmull
Contributor

The test is still failing. You likely forgot to pull latest main when you merged main into your branch. Please fix the test.

@haby0
Contributor Author

haby0 commented Jun 17, 2021

The test is still failing. You likely forgot to pull latest main when you merged main into your branch. Please fix the test.

Please review again.

@haby0 haby0 closed this Jun 17, 2021
@haby0 haby0 reopened this Jun 17, 2021
@aschackmull aschackmull merged commit 6ca8d69 into github:main Jun 17, 2021
@haby0
Contributor Author

haby0 commented Jun 17, 2021

@aschackmull Thank you.

@haby0 haby0 deleted the java/UnsafeDeserialization branch June 17, 2021 10:50
@haby0 haby0 mentioned this pull request Aug 17, 2021