Minor improvements for Jackson in UnsafeDeserialization.qll

artem-smotrakov · artem-smotrakov · commit 2b16a8e19c70 · 2021-05-24T11:57:31.000+02:00
diff --git a/java/change-notes/2021-05-17-jackson-deserialization-sink.md b/java/change-notes/2021-05-17-jackson-deserialization-sink.md
@@ -1,4 +1,3 @@
 lgtm,codescanning
 * The "Deserialization of user-controlled data" (`java/unsafe-deserialization`) query
   now recognizes `Jackson` deserialization.
-
diff --git a/java/ql/src/semmle/code/java/security/UnsafeDeserialization.qll b/java/ql/src/semmle/code/java/security/UnsafeDeserialization.qll
@@ -20,57 +20,57 @@ class XMLDecoderReadObjectMethod extends Method {
   }
 }
 
-class ObjectMapperReadMethod extends Method {
+private class ObjectMapperReadMethod extends Method {
   ObjectMapperReadMethod() {
     this.getDeclaringType() instanceof ObjectMapper and
     this.hasName(["readValue", "readValues", "treeToValue"])
   }
 }
 
-class ObjectMapper extends RefType {
+private class ObjectMapper extends RefType {
   ObjectMapper() {
     getASupertype*().hasQualifiedName("com.fasterxml.jackson.databind", "ObjectMapper")
   }
 }
 
-class MapperBuilder extends RefType {
+private class MapperBuilder extends RefType {
   MapperBuilder() {
     hasQualifiedName("com.fasterxml.jackson.databind.cfg", "MapperBuilder<JsonMapper,Builder>")
   }
 }
 
-class JsonFactory extends RefType {
+private class JsonFactory extends RefType {
   JsonFactory() { hasQualifiedName("com.fasterxml.jackson.core", "JsonFactory") }
 }
 
-class JsonParser extends RefType {
+private class JsonParser extends RefType {
   JsonParser() { hasQualifiedName("com.fasterxml.jackson.core", "JsonParser") }
 }
 
-class JacksonType extends RefType {
-  JacksonType() {
+private class JacksonTypeDescriptorType extends RefType {
+  JacksonTypeDescriptorType() {
     this instanceof TypeClass or
     hasQualifiedName("com.fasterxml.jackson.databind", "JavaType") or
     hasQualifiedName("com.fasterxml.jackson.core.type", "TypeReference")
   }
 }
 
-class EnableJacksonDefaultTyping extends MethodAccess {
+private class EnableJacksonDefaultTyping extends MethodAccess {
   EnableJacksonDefaultTyping() {
     this.getMethod().getDeclaringType() instanceof ObjectMapper and
     this.getMethod().hasName("enableDefaultTyping")
   }
 }
 
-class ObjectMapperReadSink extends DataFlow::ExprNode {
+private class ObjectMapperReadSink extends DataFlow::ExprNode {
   ObjectMapperReadSink() {
     exists(MethodAccess ma | ma.getQualifier() = this.asExpr() |
       ma.getMethod() instanceof ObjectMapperReadMethod
     )
   }
 }
 
-class SetPolymorphicTypeValidatorSource extends DataFlow::ExprNode {
+private class SetPolymorphicTypeValidatorSource extends DataFlow::ExprNode {
   SetPolymorphicTypeValidatorSource() {
     exists(MethodAccess ma, Method m, Expr q | m = ma.getMethod() and q = ma.getQualifier() |
       (
@@ -176,8 +176,8 @@ class SafeKryo extends DataFlow2::Configuration {
   }
 }
 
-class EnabledJacksonDefaultTyping extends DataFlow2::Configuration {
-  EnabledJacksonDefaultTyping() { this = "EnabledJacksonDefaultTyping" }
+private class EnableJacksonDefaultTypingConfig extends DataFlow2::Configuration {
+  EnableJacksonDefaultTypingConfig() { this = "EnableJacksonDefaultTypingConfig" }
 
   override predicate isSource(DataFlow::Node src) {
     any(EnableJacksonDefaultTyping ma).getQualifier() = src.asExpr()
@@ -186,8 +186,8 @@ class EnabledJacksonDefaultTyping extends DataFlow2::Configuration {
   override predicate isSink(DataFlow::Node sink) { sink instanceof ObjectMapperReadSink }
 }
 
-class SafeObjectMapper extends DataFlow2::Configuration {
-  SafeObjectMapper() { this = "SafeObjectMapper" }
+private class SafeObjectMapperConfig extends DataFlow2::Configuration {
+  SafeObjectMapperConfig() { this = "SafeObjectMapperConfig" }
 
   override predicate isSource(DataFlow::Node src) {
     src instanceof SetPolymorphicTypeValidatorSource
@@ -200,27 +200,27 @@ class SafeObjectMapper extends DataFlow2::Configuration {
    * that configures or creates an `ObjectMapper` via a builder.
    */
   override predicate isAdditionalFlowStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
-    exists(MethodAccess ma, Method m, Expr q | m = ma.getMethod() and q = ma.getQualifier() |
+    exists(MethodAccess ma, Method m | m = ma.getMethod() |
       m.getDeclaringType() instanceof MapperBuilder and
       m.getReturnType()
           .(RefType)
           .hasQualifiedName("com.fasterxml.jackson.databind.json",
             ["JsonMapper$Builder", "JsonMapper"]) and
-      fromNode.asExpr() = q and
+      fromNode.asExpr() = ma.getQualifier() and
       ma = toNode.asExpr()
     )
   }
 }
 
-class UnsafeType extends TaintTracking2::Configuration {
-  UnsafeType() { this = "UnsafeType" }
+private class UnsafeTypeConfig extends TaintTracking2::Configuration {
+  UnsafeTypeConfig() { this = "UnsafeTypeConfig" }
 
   override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
 
   override predicate isSink(DataFlow::Node sink) {
     exists(MethodAccess ma, int i, Expr arg | i > 0 and ma.getArgument(i) = arg |
       ma.getMethod() instanceof ObjectMapperReadMethod and
-      arg.getType() instanceof JacksonType and
+      arg.getType() instanceof JacksonTypeDescriptorType and
       arg = sink.asExpr()
     )
   }
@@ -230,7 +230,7 @@ class UnsafeType extends TaintTracking2::Configuration {
    */
   override predicate isAdditionalTaintStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
     exists(MethodAccess ma, RefType returnType | returnType = ma.getMethod().getReturnType() |
-      returnType instanceof JacksonType and
+      returnType instanceof JacksonTypeDescriptorType and
       ma.getAnArgument() = fromNode.asExpr() and
       ma = toNode.asExpr()
     )
@@ -272,7 +272,7 @@ predicate createJacksonTreeNodeStep(DataFlow::Node fromNode, DataFlow::Node toNo
  * Holds if `type` or one of its supertypes has a field with `JsonTypeInfo` annotation
  * that enables polymorphic type handling.
  */
-predicate hasJsonTypeInfoAnnotation(RefType type) {
+private predicate hasJsonTypeInfoAnnotation(RefType type) {
   hasFieldWithJsonTypeAnnotation(type.getASupertype*()) or
   hasFieldWithJsonTypeAnnotation(type.getAField().getType())
 }
@@ -281,7 +281,7 @@ predicate hasJsonTypeInfoAnnotation(RefType type) {
  * Holds if `type` has a field with `JsonTypeInfo` annotation
  * that enables polymorphic type handling.
  */
-predicate hasFieldWithJsonTypeAnnotation(RefType type) {
+private predicate hasFieldWithJsonTypeAnnotation(RefType type) {
   exists(Annotation a |
     type.getAField().getAnAnnotation() = a and
     a.getType().hasQualifiedName("com.fasterxml.jackson.annotation", "JsonTypeInfo") and
@@ -324,15 +324,15 @@ predicate unsafeDeserialization(MethodAccess ma, Expr sink) {
     ma.getMethod() instanceof ObjectMapperReadMethod and
     sink = ma.getArgument(0) and
     (
-      exists(UnsafeType config | config.hasFlowToExpr(ma.getAnArgument()))
+      exists(UnsafeTypeConfig config | config.hasFlowToExpr(ma.getAnArgument()))
       or
-      exists(EnabledJacksonDefaultTyping config | config.hasFlowToExpr(ma.getQualifier()))
+      exists(EnableJacksonDefaultTypingConfig config | config.hasFlowToExpr(ma.getQualifier()))
       or
       exists(RefType argType, int i | i > 0 and argType = ma.getArgument(i).getType() |
         hasJsonTypeInfoAnnotation(argType.(ParameterizedType).getATypeArgument())
       )
     ) and
-    not exists(SafeObjectMapper config | config.hasFlowToExpr(ma.getQualifier()))
+    not exists(SafeObjectMapperConfig config | config.hasFlowToExpr(ma.getQualifier()))
   )
 }
 

Original file line number	Diff line number	Diff line change
`@@ -20,57 +20,57 @@ class XMLDecoderReadObjectMethod extends Method {`
`20`	`20`	`}`
`21`	`21`	`}`
`22`	`22`
`23`		`-class ObjectMapperReadMethod extends Method {`
	`23`	`+private class ObjectMapperReadMethod extends Method {`
`24`	`24`	`ObjectMapperReadMethod() {`
`25`	`25`	`this.getDeclaringType() instanceof ObjectMapper and`
`26`	`26`	`this.hasName(["readValue", "readValues", "treeToValue"])`
`27`	`27`	`}`
`28`	`28`	`}`
`29`	`29`
`30`		`-class ObjectMapper extends RefType {`
	`30`	`+private class ObjectMapper extends RefType {`
`31`	`31`	`ObjectMapper() {`
`32`	`32`	`getASupertype*().hasQualifiedName("com.fasterxml.jackson.databind", "ObjectMapper")`
`33`	`33`	`}`
`34`	`34`	`}`
`35`	`35`
`36`		`-class MapperBuilder extends RefType {`
	`36`	`+private class MapperBuilder extends RefType {`
`37`	`37`	`MapperBuilder() {`
`38`	`38`	`hasQualifiedName("com.fasterxml.jackson.databind.cfg", "MapperBuilder<JsonMapper,Builder>")`
`39`	`39`	`}`
`40`	`40`	`}`
`41`	`41`
`42`		`-class JsonFactory extends RefType {`
	`42`	`+private class JsonFactory extends RefType {`
`43`	`43`	`JsonFactory() { hasQualifiedName("com.fasterxml.jackson.core", "JsonFactory") }`
`44`	`44`	`}`
`45`	`45`
`46`		`-class JsonParser extends RefType {`
	`46`	`+private class JsonParser extends RefType {`
`47`	`47`	`JsonParser() { hasQualifiedName("com.fasterxml.jackson.core", "JsonParser") }`
`48`	`48`	`}`
`49`	`49`
`50`		`-class JacksonType extends RefType {`
`51`		`- JacksonType() {`
	`50`	`+private class JacksonTypeDescriptorType extends RefType {`
	`51`	`+ JacksonTypeDescriptorType() {`
`52`	`52`	`this instanceof TypeClass or`
`53`	`53`	`hasQualifiedName("com.fasterxml.jackson.databind", "JavaType") or`
`54`	`54`	`hasQualifiedName("com.fasterxml.jackson.core.type", "TypeReference")`
`55`	`55`	`}`
`56`	`56`	`}`
`57`	`57`
`58`		`-class EnableJacksonDefaultTyping extends MethodAccess {`
	`58`	`+private class EnableJacksonDefaultTyping extends MethodAccess {`
`59`	`59`	`EnableJacksonDefaultTyping() {`
`60`	`60`	`this.getMethod().getDeclaringType() instanceof ObjectMapper and`
`61`	`61`	`this.getMethod().hasName("enableDefaultTyping")`
`62`	`62`	`}`
`63`	`63`	`}`
`64`	`64`
`65`		`-class ObjectMapperReadSink extends DataFlow::ExprNode {`
	`65`	`+private class ObjectMapperReadSink extends DataFlow::ExprNode {`
`66`	`66`	`ObjectMapperReadSink() {`
`67`	`67`	`exists(MethodAccess ma \| ma.getQualifier() = this.asExpr() \|`
`68`	`68`	`ma.getMethod() instanceof ObjectMapperReadMethod`
`69`	`69`	`)`
`70`	`70`	`}`
`71`	`71`	`}`
`72`	`72`
`73`		`-class SetPolymorphicTypeValidatorSource extends DataFlow::ExprNode {`
	`73`	`+private class SetPolymorphicTypeValidatorSource extends DataFlow::ExprNode {`
`74`	`74`	`SetPolymorphicTypeValidatorSource() {`
`75`	`75`	`exists(MethodAccess ma, Method m, Expr q \| m = ma.getMethod() and q = ma.getQualifier() \|`
`76`	`76`	`(`
`@@ -176,8 +176,8 @@ class SafeKryo extends DataFlow2::Configuration {`
`176`	`176`	`}`
`177`	`177`	`}`
`178`	`178`
`179`		`-class EnabledJacksonDefaultTyping extends DataFlow2::Configuration {`
`180`		`- EnabledJacksonDefaultTyping() { this = "EnabledJacksonDefaultTyping" }`
	`179`	`+private class EnableJacksonDefaultTypingConfig extends DataFlow2::Configuration {`
	`180`	`+ EnableJacksonDefaultTypingConfig() { this = "EnableJacksonDefaultTypingConfig" }`
`181`	`181`
`182`	`182`	`override predicate isSource(DataFlow::Node src) {`
`183`	`183`	`any(EnableJacksonDefaultTyping ma).getQualifier() = src.asExpr()`
`@@ -186,8 +186,8 @@ class EnabledJacksonDefaultTyping extends DataFlow2::Configuration {`
`186`	`186`	`override predicate isSink(DataFlow::Node sink) { sink instanceof ObjectMapperReadSink }`
`187`	`187`	`}`
`188`	`188`
`189`		`-class SafeObjectMapper extends DataFlow2::Configuration {`
`190`		`- SafeObjectMapper() { this = "SafeObjectMapper" }`
	`189`	`+private class SafeObjectMapperConfig extends DataFlow2::Configuration {`
	`190`	`+ SafeObjectMapperConfig() { this = "SafeObjectMapperConfig" }`
`191`	`191`
`192`	`192`	`override predicate isSource(DataFlow::Node src) {`
`193`	`193`	`src instanceof SetPolymorphicTypeValidatorSource`
`@@ -200,27 +200,27 @@ class SafeObjectMapper extends DataFlow2::Configuration {`
`200`	`200`	* that configures or creates an `ObjectMapper` via a builder.
`201`	`201`	`*/`
`202`	`202`	`override predicate isAdditionalFlowStep(DataFlow::Node fromNode, DataFlow::Node toNode) {`
`203`		`- exists(MethodAccess ma, Method m, Expr q \| m = ma.getMethod() and q = ma.getQualifier() \|`
	`203`	`+ exists(MethodAccess ma, Method m \| m = ma.getMethod() \|`
`204`	`204`	`m.getDeclaringType() instanceof MapperBuilder and`
`205`	`205`	`m.getReturnType()`
`206`	`206`	`.(RefType)`
`207`	`207`	`.hasQualifiedName("com.fasterxml.jackson.databind.json",`
`208`	`208`	`["JsonMapper$Builder", "JsonMapper"]) and`
`209`		`- fromNode.asExpr() = q and`
	`209`	`+ fromNode.asExpr() = ma.getQualifier() and`
`210`	`210`	`ma = toNode.asExpr()`
`211`	`211`	`)`
`212`	`212`	`}`
`213`	`213`	`}`
`214`	`214`
`215`		`-class UnsafeType extends TaintTracking2::Configuration {`
`216`		`- UnsafeType() { this = "UnsafeType" }`
	`215`	`+private class UnsafeTypeConfig extends TaintTracking2::Configuration {`
	`216`	`+ UnsafeTypeConfig() { this = "UnsafeTypeConfig" }`
`217`	`217`
`218`	`218`	`override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }`
`219`	`219`
`220`	`220`	`override predicate isSink(DataFlow::Node sink) {`
`221`	`221`	`exists(MethodAccess ma, int i, Expr arg \| i > 0 and ma.getArgument(i) = arg \|`
`222`	`222`	`ma.getMethod() instanceof ObjectMapperReadMethod and`
`223`		`- arg.getType() instanceof JacksonType and`
	`223`	`+ arg.getType() instanceof JacksonTypeDescriptorType and`
`224`	`224`	`arg = sink.asExpr()`
`225`	`225`	`)`
`226`	`226`	`}`
`@@ -230,7 +230,7 @@ class UnsafeType extends TaintTracking2::Configuration {`
`230`	`230`	`*/`
`231`	`231`	`override predicate isAdditionalTaintStep(DataFlow::Node fromNode, DataFlow::Node toNode) {`
`232`	`232`	`exists(MethodAccess ma, RefType returnType \| returnType = ma.getMethod().getReturnType() \|`
`233`		`- returnType instanceof JacksonType and`
	`233`	`+ returnType instanceof JacksonTypeDescriptorType and`
`234`	`234`	`ma.getAnArgument() = fromNode.asExpr() and`
`235`	`235`	`ma = toNode.asExpr()`
`236`	`236`	`)`
`@@ -272,7 +272,7 @@ predicate createJacksonTreeNodeStep(DataFlow::Node fromNode, DataFlow::Node toNo`
`272`	`272`	* Holds if `type` or one of its supertypes has a field with `JsonTypeInfo` annotation
`273`	`273`	`* that enables polymorphic type handling.`
`274`	`274`	`*/`
`275`		`-predicate hasJsonTypeInfoAnnotation(RefType type) {`
	`275`	`+private predicate hasJsonTypeInfoAnnotation(RefType type) {`
`276`	`276`	`hasFieldWithJsonTypeAnnotation(type.getASupertype*()) or`
`277`	`277`	`hasFieldWithJsonTypeAnnotation(type.getAField().getType())`
`278`	`278`	`}`
`@@ -281,7 +281,7 @@ predicate hasJsonTypeInfoAnnotation(RefType type) {`
`281`	`281`	* Holds if `type` has a field with `JsonTypeInfo` annotation
`282`	`282`	`* that enables polymorphic type handling.`
`283`	`283`	`*/`
`284`		`-predicate hasFieldWithJsonTypeAnnotation(RefType type) {`
	`284`	`+private predicate hasFieldWithJsonTypeAnnotation(RefType type) {`
`285`	`285`	`exists(Annotation a \|`
`286`	`286`	`type.getAField().getAnAnnotation() = a and`
`287`	`287`	`a.getType().hasQualifiedName("com.fasterxml.jackson.annotation", "JsonTypeInfo") and`
`@@ -324,15 +324,15 @@ predicate unsafeDeserialization(MethodAccess ma, Expr sink) {`
`324`	`324`	`ma.getMethod() instanceof ObjectMapperReadMethod and`
`325`	`325`	`sink = ma.getArgument(0) and`
`326`	`326`	`(`
`327`		`- exists(UnsafeType config \| config.hasFlowToExpr(ma.getAnArgument()))`
	`327`	`+ exists(UnsafeTypeConfig config \| config.hasFlowToExpr(ma.getAnArgument()))`
`328`	`328`	`or`
`329`		`- exists(EnabledJacksonDefaultTyping config \| config.hasFlowToExpr(ma.getQualifier()))`
	`329`	`+ exists(EnableJacksonDefaultTypingConfig config \| config.hasFlowToExpr(ma.getQualifier()))`
`330`	`330`	`or`
`331`	`331`	`exists(RefType argType, int i \| i > 0 and argType = ma.getArgument(i).getType() \|`
`332`	`332`	`hasJsonTypeInfoAnnotation(argType.(ParameterizedType).getATypeArgument())`
`333`	`333`	`)`
`334`	`334`	`) and`
`335`		`- not exists(SafeObjectMapper config \| config.hasFlowToExpr(ma.getQualifier()))`
	`335`	`+ not exists(SafeObjectMapperConfig config \| config.hasFlowToExpr(ma.getQualifier()))`
`336`	`336`	`)`
`337`	`337`	`}`
`338`	`338`