Merge pull request #5900 from artem-smotrakov/unsafe-jackson-deserialization

Java: Unsafe deserialization with Jackson

Author: aschackmull

java/change-notes/2021-05-17-jackson-deserialization-sink.md

@@ -0,0 +1,3 @@
+lgtm,codescanning
+* The "Deserialization of user-controlled data" (`java/unsafe-deserialization`) query
+  now recognizes `Jackson` deserialization.

java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp

@@ -14,8 +14,8 @@ may have unforeseen effects, such as the execution of arbitrary code.
 </p>
 <p>
 There are many different serialization frameworks.  This query currently
-supports Kryo, XmlDecoder, XStream, SnakeYaml, JYaml, JsonIO, YAMLBeans, HessianBurlap, Castor, Burlap 
-and Java IO serialization through <code>ObjectInputStream</code>/<code>ObjectOutputStream</code>.
+supports Kryo, XmlDecoder, XStream, SnakeYaml, JYaml, JsonIO, YAMLBeans, HessianBurlap, Castor, Burlap,
+Jackson and Java IO serialization through <code>ObjectInputStream</code>/<code>ObjectOutputStream</code>.
 </p>
 </overview>
 
@@ -91,6 +91,15 @@ Remote code execution in JYaml library:
 JsonIO deserialization vulnerabilities:
 <a href="https://klezvirus.github.io/Advanced-Web-Hacking/Serialisation/">JsonIO deserialization</a>.
 </li>
+<li>
+Research by Moritz Bechler:
+<a href="https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true">Java Unmarshaller Security - Turning your data into code execution</a>
+</li>
+<li>
+Blog posts by the developer of Jackson libraries:
+<a href="https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062">On Jackson CVEs: Don’t Panic — Here is what you need to know</a>
+<a href="https://cowtowncoder.medium.com/jackson-2-10-safe-default-typing-2d018f0ce2ba">Jackson 2.10: Safe Default Typing</a>
+</li>
 </references>
 
 </qhelp>

java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql

@@ -12,51 +12,9 @@
  */
 
 import java
-import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.security.UnsafeDeserialization
+import semmle.code.java.security.UnsafeDeserializationQuery
 import DataFlow::PathGraph
 
-class UnsafeDeserializationConfig extends TaintTracking::Configuration {
-  UnsafeDeserializationConfig() { this = "UnsafeDeserializationConfig" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeDeserializationSink }
-
-  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
-    exists(ClassInstanceExpr cie |
-      cie.getArgument(0) = pred.asExpr() and
-      cie = succ.asExpr() and
-      (
-        cie.getConstructor().getDeclaringType() instanceof JsonIoJsonReader or
-        cie.getConstructor().getDeclaringType() instanceof YamlBeansReader or
-        cie.getConstructor().getDeclaringType().getASupertype*() instanceof UnsafeHessianInput or
-        cie.getConstructor().getDeclaringType() instanceof BurlapInput
-      )
-    )
-    or
-    exists(MethodAccess ma |
-      ma.getMethod() instanceof BurlapInputInitMethod and
-      ma.getArgument(0) = pred.asExpr() and
-      ma.getQualifier() = succ.asExpr()
-    )
-  }
-
-  override predicate isSanitizer(DataFlow::Node node) {
-    exists(ClassInstanceExpr cie |
-      cie.getConstructor().getDeclaringType() instanceof JsonIoJsonReader and
-      cie = node.asExpr() and
-      exists(SafeJsonIoConfig sji | sji.hasFlowToExpr(cie.getArgument(1)))
-    )
-    or
-    exists(MethodAccess ma |
-      ma.getMethod() instanceof JsonIoJsonToJavaMethod and
-      ma.getArgument(0) = node.asExpr() and
-      exists(SafeJsonIoConfig sji | sji.hasFlowToExpr(ma.getArgument(1)))
-    )
-  }
-}
-
 from DataFlow::PathNode source, DataFlow::PathNode sink, UnsafeDeserializationConfig conf
 where conf.hasFlowPath(source, sink)
 select sink.getNode().(UnsafeDeserializationSink).getMethodAccess(), source, sink,

java/ql/src/semmle/code/java/frameworks/Jackson.qll

@@ -0,0 +1,174 @@
+/**
+ * Provides classes and predicates for working with the Jackson serialization framework.
+ */
+
+import java
+private import semmle.code.java.Reflection
+private import semmle.code.java.dataflow.DataFlow
+
+private class ObjectMapper extends RefType {
+  ObjectMapper() {
+    getASupertype*().hasQualifiedName("com.fasterxml.jackson.databind", "ObjectMapper")
+  }
+}
+
+/** A builder for building Jackson's `JsonMapper`. */
+class MapperBuilder extends RefType {
+  MapperBuilder() {
+    hasQualifiedName("com.fasterxml.jackson.databind.cfg", "MapperBuilder<JsonMapper,Builder>")
+  }
+}
+
+private class JsonFactory extends RefType {
+  JsonFactory() { hasQualifiedName("com.fasterxml.jackson.core", "JsonFactory") }
+}
+
+private class JsonParser extends RefType {
+  JsonParser() { hasQualifiedName("com.fasterxml.jackson.core", "JsonParser") }
+}
+
+/** A type descriptor in Jackson libraries. For example, `java.lang.Class`. */
+class JacksonTypeDescriptorType extends RefType {
+  JacksonTypeDescriptorType() {
+    this instanceof TypeClass or
+    hasQualifiedName("com.fasterxml.jackson.databind", "JavaType") or
+    hasQualifiedName("com.fasterxml.jackson.core.type", "TypeReference")
+  }
+}
+
+/** A method in `ObjectMapper` that deserialize data. */
+class ObjectMapperReadMethod extends Method {
+  ObjectMapperReadMethod() {
+    this.getDeclaringType() instanceof ObjectMapper and
+    this.hasName(["readValue", "readValues", "treeToValue"])
+  }
+}
+
+/** A call that enables the default typing in `ObjectMapper`. */
+class EnableJacksonDefaultTyping extends MethodAccess {
+  EnableJacksonDefaultTyping() {
+    this.getMethod().getDeclaringType() instanceof ObjectMapper and
+    this.getMethod().hasName("enableDefaultTyping")
+  }
+}
+
+/** A qualifier of a call to one of the methods in `ObjectMapper` that deserialize data. */
+class ObjectMapperReadQualifier extends DataFlow::ExprNode {
+  ObjectMapperReadQualifier() {
+    exists(MethodAccess ma | ma.getQualifier() = this.asExpr() |
+      ma.getMethod() instanceof ObjectMapperReadMethod
+    )
+  }
+}
+
+/** A source that sets a type validator. */
+class SetPolymorphicTypeValidatorSource extends DataFlow::ExprNode {
+  SetPolymorphicTypeValidatorSource() {
+    exists(MethodAccess ma, Method m | m = ma.getMethod() |
+      (
+        m.getDeclaringType() instanceof ObjectMapper and
+        m.hasName("setPolymorphicTypeValidator")
+        or
+        m.getDeclaringType() instanceof MapperBuilder and
+        m.hasName("polymorphicTypeValidator")
+      ) and
+      this.asExpr() = ma.getQualifier()
+    )
+  }
+}
+
+/** Holds if `fromNode` to `toNode` is a dataflow step that resolves a class. */
+predicate resolveClassStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
+  exists(ReflectiveClassIdentifierMethodAccess ma |
+    ma.getArgument(0) = fromNode.asExpr() and
+    ma = toNode.asExpr()
+  )
+}
+
+/**
+ * Holds if `fromNode` to `toNode` is a dataflow step that creates a Jackson parser.
+ *
+ * For example, a `createParser(userString)` call yields a `JsonParser`, which becomes dangerous
+ * if passed to an unsafely-configured `ObjectMapper`'s `readValue` method.
+ */
+predicate createJacksonJsonParserStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
+  exists(MethodAccess ma, Method m | m = ma.getMethod() |
+    (m.getDeclaringType() instanceof ObjectMapper or m.getDeclaringType() instanceof JsonFactory) and
+    m.hasName("createParser") and
+    ma.getArgument(0) = fromNode.asExpr() and
+    ma = toNode.asExpr()
+  )
+}
+
+/**
+ * Holds if `fromNode` to `toNode` is a dataflow step that creates a Jackson `TreeNode`.
+ *
+ * These are parse trees of user-supplied JSON, which may lead to arbitrary code execution
+ * if passed to an unsafely-configured `ObjectMapper`'s `treeToValue` method.
+ */
+predicate createJacksonTreeNodeStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
+  exists(MethodAccess ma, Method m | m = ma.getMethod() |
+    m.getDeclaringType() instanceof ObjectMapper and
+    m.hasName("readTree") and
+    ma.getArgument(0) = fromNode.asExpr() and
+    ma = toNode.asExpr()
+  )
+  or
+  exists(MethodAccess ma, Method m | m = ma.getMethod() |
+    m.getDeclaringType() instanceof JsonParser and
+    m.hasName("readValueAsTree") and
+    ma.getQualifier() = fromNode.asExpr() and
+    ma = toNode.asExpr()
+  )
+}
+
+/**
+ * Holds if `type` or one of its supertypes has a field with `JsonTypeInfo` annotation
+ * that enables polymorphic type handling.
+ */
+private predicate hasJsonTypeInfoAnnotation(RefType type) {
+  hasFieldWithJsonTypeAnnotation(type.getASupertype*()) or
+  hasJsonTypeInfoAnnotation(type.getAField().getType())
+}
+
+/**
+ * Holds if `type` has a field with `JsonTypeInfo` annotation
+ * that enables polymorphic type handling.
+ */
+private predicate hasFieldWithJsonTypeAnnotation(RefType type) {
+  exists(Annotation a |
+    type.getAField().getAnAnnotation() = a and
+    a.getType().hasQualifiedName("com.fasterxml.jackson.annotation", "JsonTypeInfo") and
+    a.getValue("use").(VarAccess).getVariable().hasName(["CLASS", "MINIMAL_CLASS"])
+  )
+}
+
+/**
+ * Holds if `call` is a method call to a Jackson deserialization method such as `ObjectMapper.readValue(String, Class)`,
+ * and the target deserialized class has a field with a `JsonTypeInfo` annotation that enables polymorphic typing.
+ */
+predicate hasArgumentWithUnsafeJacksonAnnotation(MethodAccess call) {
+  call.getMethod() instanceof ObjectMapperReadMethod and
+  exists(RefType argType, int i | i > 0 and argType = call.getArgument(i).getType() |
+    hasJsonTypeInfoAnnotation(argType.(ParameterizedType).getATypeArgument())
+  )
+}
+
+/**
+ * Holds if `fromNode` to `toNode` is a dataflow step that looks like resolving a class.
+ * A method probably resolves a class if it takes a string, returns a type descriptor,
+ * and its name contains "resolve", "load", etc.
+ *
+ * Any method call that satisfies the rule above is assumed to propagate taint from its string arguments,
+ * so methods that accept user-controlled data but sanitize it or use it for some
+ * completely different purpose before returning a type descriptor could result in false positives.
+ */
+predicate looksLikeResolveClassStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
+  exists(MethodAccess ma, Method m, Expr arg | m = ma.getMethod() and arg = ma.getAnArgument() |
+    m.getReturnType() instanceof JacksonTypeDescriptorType and
+    m.getName().toLowerCase().regexpMatch("(.*)(resolve|load|class|type)(.*)") and
+    arg.getType() instanceof TypeString and
+    arg = fromNode.asExpr() and
+    ma = toNode.asExpr()
+  )
+}