
Commit 42948c6

committed
Update the query for Flexjson
1 parent 6a04776 commit 42948c6


4 files changed

+51
-9
lines changed


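--- a/java/ql/src/semmle/code/java/frameworks/Flexjson.qll
+++ b/java/ql/src/semmle/code/java/frameworks/Flexjson.qll
@@ -14,12 +14,18 @@ class FlexjsonSerializer extends RefType {
 FlexjsonSerializer() { this.hasQualifiedName("flexjson", "JSONSerializer") }
 }
 
+/** The class `flexjson.ObjectFactory`. */
+class FlexjsonObjectFactory extends RefType {
+FlexjsonObjectFactory() { this.hasQualifiedName("flexjson", "ObjectFactory") }
+}
+
 /** The deserialization method `deserialize`. */
 class FlexjsonDeserializeMethod extends Method {
 FlexjsonDeserializeMethod() {
 this.getDeclaringType().getSourceDeclaration().getASourceSupertype*() instanceof
 FlexjsonDeserializer and
-this.getName() = ["deserialize", "deserializeInto"]
+this.getName() = "deserialize" and
+not this.getAParameter().getType() instanceof FlexjsonObjectFactory // deserialization method with specified class types in object factory is unlikely to be vulnerable
 }
 }
 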
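Review bot: The exclusion on new line 28 tests the declared parameter type with a plain `instanceof FlexjsonObjectFactory`, which matches only a parameter declared exactly as `flexjson.ObjectFactory`; an overload whose parameter is declared as an implementing class would still be reported, unlike the `ExistingObjectFactory` argument in the test, which is accepted through an `ObjectFactory`-typed parameter. If such overloads exist, `not this.getAParameter().getType().(RefType).getASourceSupertype*() instanceof FlexjsonObjectFactory` covers them. The trailing comment runs well past the usual line length; moving it onto its own line above the conjunct, as `// A method that takes an explicit ObjectFactory is given its target type by the caller, so it is treated as not vulnerable.`, keeps the predicate readable. It is also a heuristic rather than a guarantee, since a factory implementation that still lets the JSON pick the class would not be reported, and the comment should say so.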
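--- a/java/ql/test/query-tests/security/CWE-502/FlexjsonServlet.java
+++ b/java/ql/test/query-tests/security/CWE-502/FlexjsonServlet.java
@@ -6,6 +6,7 @@
 import javax.servlet.http.HttpServletResponse;
 
 import flexjson.JSONDeserializer;
+import flexjson.factories.ExistingObjectFactory;
 
 import com.example.User;
 import com.thirdparty.Person;
@@ -60,4 +61,22 @@ public void doPut2(HttpServletRequest req, HttpServletResponse resp) throws IOEx
 String json = req.getParameter("json");
 Person person = fromJsonToPerson(json);
 }
+
+// GOOD: Specify the concrete class type to `use` with `ObjectFactory`
+public void doPut3(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+String json = req.getParameter("json");
+Person person = new JSONDeserializer<Person>().use(Person.class, new ExistingObjectFactory(new Person())).deserialize(json);
+}
+
+// GOOD: Specify the concrete class type to deserialize with `ObjectFactory`
+public void doPut4(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+String json = req.getParameter("json");
+Person person = new JSONDeserializer<Person>().deserialize(json, new ExistingObjectFactory(new Person()));
+}
+
+// GOOD: Specify the class type to deserialize into
+public void doPut5(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+String json = req.getParameter("json");
+Person person = new JSONDeserializer<Person>().deserializeInto(json, new Person());
+}
 }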
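Review bot: The `// GOOD` comments on doPut3, doPut4 and doPut5 state only the verdict, so a reader checking them against the .expected file cannot tell which part of the query excludes each case. Suggest naming the mechanism, e.g. for doPut3 and doPut4 `// GOOD: an explicit ObjectFactory argument, which the query treats as fixing the target type` and for doPut5 `// GOOD: deserializeInto binds into a caller-supplied instance and is no longer matched by the query`. The doPut5 case is excluded purely by method name rather than by inspecting its arguments, so whether nested values in the JSON can still influence the types bound into the supplied instance is an assumption the comment should record. The enclosing class starts before this hunk.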

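--- a/java/ql/test/query-tests/security/CWE-502/UnsafeDeserialization.expected
+++ b/java/ql/test/query-tests/security/CWE-502/UnsafeDeserialization.expected
@@ -187,10 +187,10 @@ nodes
 | C.java:85:54:85:67 | serializedData : byte[] | semmle.label | serializedData : byte[] |
 | C.java:87:3:87:13 | burlapInput | semmle.label | burlapInput |
 | C.java:91:3:91:14 | burlapInput1 | semmle.label | burlapInput1 |
-| FlexjsonServlet.java:28:50:28:64 | getReader(...) | semmle.label | getReader(...) |
-| FlexjsonServlet.java:35:53:35:67 | getReader(...) | semmle.label | getReader(...) |
-| FlexjsonServlet.java:43:53:43:67 | getReader(...) | semmle.label | getReader(...) |
-| FlexjsonServlet.java:51:53:51:67 | getReader(...) | semmle.label | getReader(...) |
+| FlexjsonServlet.java:29:50:29:64 | getReader(...) | semmle.label | getReader(...) |
+| FlexjsonServlet.java:36:53:36:67 | getReader(...) | semmle.label | getReader(...) |
+| FlexjsonServlet.java:44:53:44:67 | getReader(...) | semmle.label | getReader(...) |
+| FlexjsonServlet.java:52:53:52:67 | getReader(...) | semmle.label | getReader(...) |
 | GsonActivity.java:15:35:15:97 | (...)... : Parcelable | semmle.label | (...)... : Parcelable |
 | GsonActivity.java:15:54:15:64 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent |
 | GsonServlet.java:39:23:39:46 | getParameter(...) : String | semmle.label | getParameter(...) : String |
@@ -258,10 +258,10 @@ nodes
 | C.java:79:3:79:72 | unmarshal(...) | C.java:79:43:79:70 | getParameter(...) : String | C.java:79:26:79:71 | new StringReader(...) | Unsafe deserialization of $@. | C.java:79:43:79:70 | getParameter(...) | user input |
 | C.java:87:3:87:26 | readObject(...) | C.java:84:27:84:54 | getParameter(...) : String | C.java:87:3:87:13 | burlapInput | Unsafe deserialization of $@. | C.java:84:27:84:54 | getParameter(...) | user input |
 | C.java:91:3:91:27 | readObject(...) | C.java:84:27:84:54 | getParameter(...) : String | C.java:91:3:91:14 | burlapInput1 | Unsafe deserialization of $@. | C.java:84:27:84:54 | getParameter(...) | user input |
-| FlexjsonServlet.java:28:25:28:79 | deserialize(...) | FlexjsonServlet.java:28:50:28:64 | getReader(...) | FlexjsonServlet.java:28:50:28:64 | getReader(...) | Unsafe deserialization of $@. | FlexjsonServlet.java:28:50:28:64 | getReader(...) | user input |
-| FlexjsonServlet.java:35:28:35:68 | deserialize(...) | FlexjsonServlet.java:35:53:35:67 | getReader(...) | FlexjsonServlet.java:35:53:35:67 | getReader(...) | Unsafe deserialization of $@. | FlexjsonServlet.java:35:53:35:67 | getReader(...) | user input |
-| FlexjsonServlet.java:43:28:43:68 | deserialize(...) | FlexjsonServlet.java:43:53:43:67 | getReader(...) | FlexjsonServlet.java:43:53:43:67 | getReader(...) | Unsafe deserialization of $@. | FlexjsonServlet.java:43:53:43:67 | getReader(...) | user input |
-| FlexjsonServlet.java:51:28:51:82 | deserialize(...) | FlexjsonServlet.java:51:53:51:67 | getReader(...) | FlexjsonServlet.java:51:53:51:67 | getReader(...) | Unsafe deserialization of $@. | FlexjsonServlet.java:51:53:51:67 | getReader(...) | user input |
+| FlexjsonServlet.java:29:25:29:79 | deserialize(...) | FlexjsonServlet.java:29:50:29:64 | getReader(...) | FlexjsonServlet.java:29:50:29:64 | getReader(...) | Unsafe deserialization of $@. | FlexjsonServlet.java:29:50:29:64 | getReader(...) | user input |
+| FlexjsonServlet.java:36:28:36:68 | deserialize(...) | FlexjsonServlet.java:36:53:36:67 | getReader(...) | FlexjsonServlet.java:36:53:36:67 | getReader(...) | Unsafe deserialization of $@. | FlexjsonServlet.java:36:53:36:67 | getReader(...) | user input |
+| FlexjsonServlet.java:44:28:44:68 | deserialize(...) | FlexjsonServlet.java:44:53:44:67 | getReader(...) | FlexjsonServlet.java:44:53:44:67 | getReader(...) | Unsafe deserialization of $@. | FlexjsonServlet.java:44:53:44:67 | getReader(...) | user input |
+| FlexjsonServlet.java:52:28:52:82 | deserialize(...) | FlexjsonServlet.java:52:53:52:67 | getReader(...) | FlexjsonServlet.java:52:53:52:67 | getReader(...) | Unsafe deserialization of $@. | FlexjsonServlet.java:52:53:52:67 | getReader(...) | user input |
 | GsonServlet.java:44:26:44:66 | fromJson(...) | GsonServlet.java:39:23:39:46 | getParameter(...) : String | GsonServlet.java:44:40:44:43 | json | Unsafe deserialization of $@. | GsonServlet.java:39:23:39:46 | getParameter(...) | user input |
 | GsonServlet.java:60:26:60:66 | fromJson(...) | GsonServlet.java:53:23:53:46 | getParameter(...) : String | GsonServlet.java:60:40:60:43 | json | Unsafe deserialization of $@. | GsonServlet.java:53:23:53:46 | getParameter(...) | user input |
 | JabsorbServlet.java:102:32:102:93 | unmarshall(...) | JabsorbServlet.java:89:23:89:46 | getParameter(...) : String | JabsorbServlet.java:102:83:102:92 | jsonObject | Unsafe deserialization of $@. | JabsorbServlet.java:89:23:89:46 | getParameter(...) | user input |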
Lines changed: 17 additions & 0 deletions
@@ -0,0 +1,17 @@
1+
package flexjson.factories;
2+
3+
import flexjson.ObjectBinder;
4+
import flexjson.ObjectFactory;
5+
6+
import java.lang.reflect.Type;
7+
8+
public class ExistingObjectFactory implements ObjectFactory {
9+
10+
public ExistingObjectFactory(Object source) {
11+
}
12+
13+
@Override
14+
public Object instantiate(ObjectBinder context, Object value, Type targetType, Class targetClass) {
15+
return null;
16+
}
17+
}
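Review bot: The new `ExistingObjectFactory` stub carries no comment saying it is a compile-only stand-in for the library type, and a constructor that discards `source` next to an `instantiate` that returns `null` would read as a defect anywhere else. Suggest a class-level Javadoc such as `/** Minimal stub of flexjson.factories.ExistingObjectFactory for the CWE-502 tests; only the signatures matter, the behaviour is not modelled. */`. The raw `Class targetClass` parameter presumably mirrors the library's `ObjectFactory.instantiate` signature; if so it should stay raw so the `@Override` keeps matching, and a one-line comment saying that would stop a later cleanup from parameterising it. This section's file path is not shown on the page, so the stub's location in the test stubs tree is inferred from its `package` line.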
