Added tests for UnsafeDeserialization.ql and Jackson

Author: artem-smotrakov

java/ql/src/semmle/code/java/security/UnsafeDeserialization.qll

@@ -269,11 +269,19 @@ predicate createJacksonTreeNodeStep(DataFlow::Node fromNode, DataFlow::Node toNo
   )
 }
 
+/**
+ * Holds if `type` or one of its supertypes has a field with `JsonTypeInfo` annotation
+ * that enables polymorphic type handling.
+ */
 predicate hasJsonTypeInfoAnnotation(RefType type) {
   hasFieldWithJsonTypeAnnotation(type.getASupertype*()) or
   hasFieldWithJsonTypeAnnotation(type.getAField().getType())
 }
 
+/**
+ * Holds if `type` has a field with `JsonTypeInfo` annotation
+ * that enables polymorphic type handling.
+ */
 predicate hasFieldWithJsonTypeAnnotation(RefType type) {
   exists(Annotation a |
     type.getAField().getAnAnnotation() = a and

java/ql/test/query-tests/security/CWE-502/JacksonTest.java

@@ -0,0 +1,193 @@
+import com.fasterxml.jackson.annotation.JsonTypeInfo;
+import com.fasterxml.jackson.core.JsonFactory;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.json.JsonMapper;
+import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
+import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;
+import java.io.IOException;
+import java.io.Serializable;
+import java.net.ServerSocket;
+import java.net.Socket;
+import java.util.List;
+
+public class JacksonTest {
+
+    public static void withSocket(Action<String> action) throws Exception {
+        try (ServerSocket serverSocket = new ServerSocket(0)) {
+            try (Socket socket = serverSocket.accept()) {
+                byte[] bytes = new byte[1024];
+                int n = socket.getInputStream().read(bytes);
+                String jexlExpr = new String(bytes, 0, n);
+                action.run(jexlExpr);
+            }
+        }
+    }
+}
+
+interface Action<T> {
+    void run(T object) throws Exception;
+}
+
+abstract class PhoneNumber implements Serializable {
+    public int areaCode;
+    public int local;
+}
+
+class DomesticNumber extends PhoneNumber {
+}
+
+class InternationalNumber extends PhoneNumber {
+    public int countryCode;
+}
+
+class Employee extends Person {
+}
+
+class Person {
+    public String name;
+    public int age;
+
+    // this annotation enables polymorphic type handling
+    @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
+    public Object phone;
+}
+
+class Task {
+    public Person assignee;
+}
+
+class Tag implements Serializable {
+    public String title;
+}
+
+class Cat {
+    public String name;
+    public Serializable tag;
+}
+
+class UnsafePersonDeserialization {
+
+    // BAD: Person has a field with an annotation that enables polymorphic type
+    //      handling
+    private static void testUnsafeDeserialization() throws Exception {
+        JacksonTest.withSocket(string -> {
+            ObjectMapper mapper = new ObjectMapper();
+            mapper.readValue(string, Person.class);
+        });
+    }
+
+    // BAD: Employee extends Person that has a field with an annotation that enables
+    //      polymorphic type handling
+    private static void testUnsafeDeserializationWithExtendedClass() throws Exception {
+        JacksonTest.withSocket(string -> {
+            ObjectMapper mapper = new ObjectMapper();
+            mapper.readValue(string, Employee.class);
+        });
+    }
+
+    // BAD: Task has a Person field that has a field with an annotation that enables
+    //      polymorphic type handling
+    private static void testUnsafeDeserializationWithWrapper() throws Exception {
+        JacksonTest.withSocket(string -> {
+            ObjectMapper mapper = new ObjectMapper();
+            mapper.readValue(string, Task.class);
+        });
+    }
+}
+
+class SaferPersonDeserialization {
+
+    // GOOD: Despite enabled polymorphic type handling, this is safe because ObjectMapper
+    //       has a validator
+    private static void testSafeDeserializationWithValidator() throws Exception {
+        JacksonTest.withSocket(string -> {
+            PolymorphicTypeValidator ptv = 
+                    BasicPolymorphicTypeValidator.builder()
+                            .allowIfSubType("only.allowed.package")
+                            .build();
+
+            ObjectMapper mapper = new ObjectMapper();
+            mapper.setPolymorphicTypeValidator(ptv);
+
+            mapper.readValue(string, Person.class);
+        });
+    }
+
+    // GOOD: Despite enabled polymorphic type handling, this is safe because ObjectMapper
+    //       has a validator
+    private static void testSafeDeserializationWithValidatorAndBuilder() throws Exception {
+        JacksonTest.withSocket(string -> {
+            PolymorphicTypeValidator ptv = 
+                    BasicPolymorphicTypeValidator.builder()
+                            .allowIfSubType("only.allowed.package")
+                            .build();
+
+            ObjectMapper mapper = JsonMapper.builder()
+                    .polymorphicTypeValidator(ptv)
+                    .build();
+
+            mapper.readValue(string, Person.class);
+        });
+    }
+}
+
+class UnsafeCatDeserialization {
+
+    // BAD: deserializing untrusted input while polymorphic type handling is on
+    private static void testUnsafeDeserialization() throws Exception {
+        JacksonTest.withSocket(string -> {
+            ObjectMapper mapper = new ObjectMapper();
+            mapper.enableDefaultTyping();   // this enables polymorphic type handling
+            mapper.readValue(string, Cat.class);
+        });
+    }
+
+    // BAD: deserializing untrusted input while polymorphic type handling is on
+    private static void testUnsafeDeserializationWithObjectMapperReadValues() throws Exception {
+        JacksonTest.withSocket(string -> {
+            ObjectMapper mapper = new ObjectMapper();
+            mapper.enableDefaultTyping();
+            mapper.readValues(new JsonFactory().createParser(string), Cat.class).readAll();
+        });
+    }
+
+    // BAD: deserializing untrusted input while polymorphic type handling is on
+    private static void testUnsafeDeserializationWithObjectMapperTreeToValue() throws Exception {
+        JacksonTest.withSocket(string -> {
+            ObjectMapper mapper = new ObjectMapper();
+            mapper.enableDefaultTyping();
+            mapper.treeToValue(mapper.readTree(string), Cat.class);
+        });
+    }
+
+    // BAD: an attacker can control both data and type of deserialized object
+    private static void testUnsafeDeserializationWithUnsafeClass() throws Exception {
+        JacksonTest.withSocket(input -> {
+            String[] parts = input.split(";");
+            String data = parts[0];
+            String type = parts[1];
+            Class clazz = Class.forName(type);
+            ObjectMapper mapper = new ObjectMapper();
+            mapper.readValue(data, clazz);
+        });
+    }
+}
+
+class SaferCatDeserialization {
+
+    // GOOD: Despite enabled polymorphic type handling, this is safe because ObjectMapper
+    //       has a validator
+    private static void testUnsafeDeserialization() throws Exception {
+        JacksonTest.withSocket(string -> {
+            PolymorphicTypeValidator ptv = 
+                BasicPolymorphicTypeValidator.builder()
+                        .allowIfSubType("only.allowed.pachage")
+                        .build();
+        
+            ObjectMapper mapper = JsonMapper.builder().polymorphicTypeValidator(ptv).build();
+            mapper.enableDefaultTyping(); // this enables polymorphic type handling
+
+            mapper.readValue(string, Cat.class);
+        });
+    }
+}

java/ql/test/query-tests/security/CWE-502/UnsafeDeserialization.expected

@@ -48,6 +48,22 @@ edges
 | B.java:27:31:27:51 | getInputStream(...) : InputStream | B.java:29:5:29:15 | inputStream : InputStream |
 | B.java:29:5:29:15 | inputStream : InputStream | B.java:29:22:29:26 | bytes [post update] : byte[] |
 | B.java:29:22:29:26 | bytes [post update] : byte[] | B.java:31:23:31:23 | s |
+| JacksonTest.java:19:25:19:47 | getInputStream(...) : InputStream | JacksonTest.java:19:54:19:58 | bytes [post update] : byte[] |
+| JacksonTest.java:19:54:19:58 | bytes [post update] : byte[] | JacksonTest.java:21:28:21:35 | jexlExpr : String |
+| JacksonTest.java:21:28:21:35 | jexlExpr : String | JacksonTest.java:73:32:73:37 | string : String |
+| JacksonTest.java:21:28:21:35 | jexlExpr : String | JacksonTest.java:82:32:82:37 | string : String |
+| JacksonTest.java:21:28:21:35 | jexlExpr : String | JacksonTest.java:91:32:91:37 | string : String |
+| JacksonTest.java:21:28:21:35 | jexlExpr : String | JacksonTest.java:138:32:138:37 | string : String |
+| JacksonTest.java:21:28:21:35 | jexlExpr : String | JacksonTest.java:147:32:147:37 | string : String |
+| JacksonTest.java:21:28:21:35 | jexlExpr : String | JacksonTest.java:156:32:156:37 | string : String |
+| JacksonTest.java:21:28:21:35 | jexlExpr : String | JacksonTest.java:165:32:165:36 | input : String |
+| JacksonTest.java:73:32:73:37 | string : String | JacksonTest.java:75:30:75:35 | string |
+| JacksonTest.java:82:32:82:37 | string : String | JacksonTest.java:84:30:84:35 | string |
+| JacksonTest.java:91:32:91:37 | string : String | JacksonTest.java:93:30:93:35 | string |
+| JacksonTest.java:138:32:138:37 | string : String | JacksonTest.java:141:30:141:35 | string |
+| JacksonTest.java:147:32:147:37 | string : String | JacksonTest.java:150:31:150:68 | createParser(...) |
+| JacksonTest.java:156:32:156:37 | string : String | JacksonTest.java:159:32:159:54 | readTree(...) |
+| JacksonTest.java:165:32:165:36 | input : String | JacksonTest.java:171:30:171:33 | data |
 | TestMessageBodyReader.java:20:55:20:78 | entityStream : InputStream | TestMessageBodyReader.java:22:18:22:52 | new ObjectInputStream(...) |
 | TestMessageBodyReader.java:20:55:20:78 | entityStream : InputStream | TestMessageBodyReader.java:22:40:22:51 | entityStream : InputStream |
 | TestMessageBodyReader.java:22:40:22:51 | entityStream : InputStream | TestMessageBodyReader.java:22:18:22:52 | new ObjectInputStream(...) |
@@ -111,6 +127,23 @@ nodes
 | B.java:29:5:29:15 | inputStream : InputStream | semmle.label | inputStream : InputStream |
 | B.java:29:22:29:26 | bytes [post update] : byte[] | semmle.label | bytes [post update] : byte[] |
 | B.java:31:23:31:23 | s | semmle.label | s |
+| JacksonTest.java:19:25:19:47 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| JacksonTest.java:19:54:19:58 | bytes [post update] : byte[] | semmle.label | bytes [post update] : byte[] |
+| JacksonTest.java:21:28:21:35 | jexlExpr : String | semmle.label | jexlExpr : String |
+| JacksonTest.java:73:32:73:37 | string : String | semmle.label | string : String |
+| JacksonTest.java:75:30:75:35 | string | semmle.label | string |
+| JacksonTest.java:82:32:82:37 | string : String | semmle.label | string : String |
+| JacksonTest.java:84:30:84:35 | string | semmle.label | string |
+| JacksonTest.java:91:32:91:37 | string : String | semmle.label | string : String |
+| JacksonTest.java:93:30:93:35 | string | semmle.label | string |
+| JacksonTest.java:138:32:138:37 | string : String | semmle.label | string : String |
+| JacksonTest.java:141:30:141:35 | string | semmle.label | string |
+| JacksonTest.java:147:32:147:37 | string : String | semmle.label | string : String |
+| JacksonTest.java:150:31:150:68 | createParser(...) | semmle.label | createParser(...) |
+| JacksonTest.java:156:32:156:37 | string : String | semmle.label | string : String |
+| JacksonTest.java:159:32:159:54 | readTree(...) | semmle.label | readTree(...) |
+| JacksonTest.java:165:32:165:36 | input : String | semmle.label | input : String |
+| JacksonTest.java:171:30:171:33 | data | semmle.label | data |
 | TestMessageBodyReader.java:20:55:20:78 | entityStream : InputStream | semmle.label | entityStream : InputStream |
 | TestMessageBodyReader.java:22:18:22:52 | new ObjectInputStream(...) | semmle.label | new ObjectInputStream(...) |
 | TestMessageBodyReader.java:22:40:22:51 | entityStream : InputStream | semmle.label | entityStream : InputStream |
@@ -141,4 +174,11 @@ nodes
 | B.java:15:12:15:28 | parse(...) | B.java:12:31:12:51 | getInputStream(...) : InputStream | B.java:15:23:15:27 | bytes | Unsafe deserialization of $@. | B.java:12:31:12:51 | getInputStream(...) | user input |
 | B.java:23:12:23:30 | parseObject(...) | B.java:19:31:19:51 | getInputStream(...) : InputStream | B.java:23:29:23:29 | s | Unsafe deserialization of $@. | B.java:19:31:19:51 | getInputStream(...) | user input |
 | B.java:31:12:31:24 | parse(...) | B.java:27:31:27:51 | getInputStream(...) : InputStream | B.java:31:23:31:23 | s | Unsafe deserialization of $@. | B.java:27:31:27:51 | getInputStream(...) | user input |
+| JacksonTest.java:75:13:75:50 | readValue(...) | JacksonTest.java:19:25:19:47 | getInputStream(...) : InputStream | JacksonTest.java:75:30:75:35 | string | Unsafe deserialization of $@. | JacksonTest.java:19:25:19:47 | getInputStream(...) | user input |
+| JacksonTest.java:84:13:84:52 | readValue(...) | JacksonTest.java:19:25:19:47 | getInputStream(...) : InputStream | JacksonTest.java:84:30:84:35 | string | Unsafe deserialization of $@. | JacksonTest.java:19:25:19:47 | getInputStream(...) | user input |
+| JacksonTest.java:93:13:93:48 | readValue(...) | JacksonTest.java:19:25:19:47 | getInputStream(...) : InputStream | JacksonTest.java:93:30:93:35 | string | Unsafe deserialization of $@. | JacksonTest.java:19:25:19:47 | getInputStream(...) | user input |
+| JacksonTest.java:141:13:141:47 | readValue(...) | JacksonTest.java:19:25:19:47 | getInputStream(...) : InputStream | JacksonTest.java:141:30:141:35 | string | Unsafe deserialization of $@. | JacksonTest.java:19:25:19:47 | getInputStream(...) | user input |
+| JacksonTest.java:150:13:150:80 | readValues(...) | JacksonTest.java:19:25:19:47 | getInputStream(...) : InputStream | JacksonTest.java:150:31:150:68 | createParser(...) | Unsafe deserialization of $@. | JacksonTest.java:19:25:19:47 | getInputStream(...) | user input |
+| JacksonTest.java:159:13:159:66 | treeToValue(...) | JacksonTest.java:19:25:19:47 | getInputStream(...) : InputStream | JacksonTest.java:159:32:159:54 | readTree(...) | Unsafe deserialization of $@. | JacksonTest.java:19:25:19:47 | getInputStream(...) | user input |
+| JacksonTest.java:171:13:171:41 | readValue(...) | JacksonTest.java:19:25:19:47 | getInputStream(...) : InputStream | JacksonTest.java:171:30:171:33 | data | Unsafe deserialization of $@. | JacksonTest.java:19:25:19:47 | getInputStream(...) | user input |
 | TestMessageBodyReader.java:22:18:22:65 | readObject(...) | TestMessageBodyReader.java:20:55:20:78 | entityStream : InputStream | TestMessageBodyReader.java:22:18:22:52 | new ObjectInputStream(...) | Unsafe deserialization of $@. | TestMessageBodyReader.java:20:55:20:78 | entityStream | user input |

java/ql/test/query-tests/security/CWE-502/options

@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/snakeyaml-1.21:${testdir}/../../../stubs/xstream-1.4.10:${testdir}/../../../stubs/kryo-4.0.2:${testdir}/../../../stubs/jsr311-api-1.1.1:${testdir}/../../../stubs/fastjson-1.2.74
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/snakeyaml-1.21:${testdir}/../../../stubs/xstream-1.4.10:${testdir}/../../../stubs/kryo-4.0.2:${testdir}/../../../stubs/jsr311-api-1.1.1:${testdir}/../../../stubs/fastjson-1.2.74:${testdir}/../../../stubs/jackson-databind-2.10

java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/annotation/JsonTypeInfo.java

@@ -0,0 +1,27 @@
+package com.fasterxml.jackson.annotation;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+@Target({ElementType.ANNOTATION_TYPE, ElementType.TYPE, ElementType.FIELD, ElementType.METHOD, ElementType.PARAMETER})
+@Retention(RetentionPolicy.RUNTIME)
+public @interface JsonTypeInfo {
+    JsonTypeInfo.Id use();
+
+    public static enum Id {
+        CLASS("@class"),
+        MINIMAL_CLASS("@c");
+
+        private final String _defaultPropertyName;
+
+        private Id(String defProp) {
+            this._defaultPropertyName = defProp;
+        }
+
+        public String getDefaultPropertyName() {
+            return this._defaultPropertyName;
+        }
+    }
+}

java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/core/JsonFactory.java

@@ -9,4 +9,8 @@ public JsonFactory() {
   public JsonGenerator createGenerator(Writer writer) {
     return new JsonGenerator();
   }
+
+  public JsonParser createParser(String content) {
+    return null;
+  }
 }

java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/core/JsonParser.java

@@ -0,0 +1,3 @@
+package com.fasterxml.jackson.core;
+
+public abstract class JsonParser {}

java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/core/TreeNode.java

@@ -0,0 +1,3 @@
+package com.fasterxml.jackson.core;
+
+public interface TreeNode {}

java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/JsonNode.java

@@ -1,6 +1,8 @@
 package com.fasterxml.jackson.databind;
 
-public class JsonNode {
+import com.fasterxml.jackson.core.TreeNode;
+
+public class JsonNode implements TreeNode {
     public JsonNode() {
     }
 }

java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/MappingIterator.java

@@ -0,0 +1,11 @@
+package com.fasterxml.jackson.databind;
+
+import java.util.Iterator;
+import java.util.List;
+
+public class MappingIterator<T> implements Iterator<T> {
+    public boolean hasNext() { return false; }
+    public T next() { return null; }
+    public void remove() {}
+    public List<T> readAll() { return null; }
+}