Add the sanitizer of Flexjson

luchua-bc · luchua-bc · commit bcf9ed570381 · 2021-06-13T03:08:56.000Z
diff --git a/java/ql/src/semmle/code/java/frameworks/Flexjson.qll b/java/ql/src/semmle/code/java/frameworks/Flexjson.qll
@@ -37,3 +37,15 @@ class FlexjsonSerializeMethod extends Method {
     this.hasName(["serialize", "deepSerialize"])
   }
 }
+
+/** The method `use` to configure allowed class type. */
+class DeserializerUseMethod extends Method {
+  DeserializerUseMethod() {
+    (
+      this.getDeclaringType().(ParameterizedType).getGenericType() instanceof FlexjsonDeserializer or
+      this.getDeclaringType().getSourceDeclaration().getASourceSupertype*() instanceof
+        FlexjsonDeserializer
+    ) and
+    this.hasName("use")
+  }
+}
diff --git a/java/ql/src/semmle/code/java/security/UnsafeDeserialization.qll b/java/ql/src/semmle/code/java/security/UnsafeDeserialization.qll
@@ -264,9 +264,18 @@ predicate unsafeDeserialization(MethodAccess ma, Expr sink) {
     or
     m instanceof FlexjsonDeserializeMethod and
     sink = ma.getArgument(0) and
-    not exists(TypeLiteral tl |
-      ma.getArgument(1) = tl and
-      tl.getType().(ParameterizedType).getATypeArgument().(Class).isFinal()
+    (
+      not exists(TypeLiteral tl |
+        ma.getArgument(1) = tl and
+        tl.getType().(ParameterizedType).getATypeArgument().(Class).isFinal()
+      ) and
+      not exists(MethodAccess dma |
+        dma.getMethod() instanceof DeserializerUseMethod and
+        (
+          ma.getQualifier() = dma or
+          ma.getQualifier().(VarAccess).getVariable().getAnAccess() = dma.getQualifier()
+        )
+      )
     )
     or
     m instanceof JoddJsonParseMethod and
diff --git a/java/ql/test/query-tests/security/CWE-502/FlexjsonServlet.java b/java/ql/test/query-tests/security/CWE-502/FlexjsonServlet.java
@@ -50,4 +50,14 @@ public void doPut(HttpServletRequest req, HttpServletResponse resp) throws IOExc
         JSONDeserializer deserializer = new JSONDeserializer();
         User user = (User) deserializer.deserialize(req.getReader(), Object.class);
     }
+
+    private Person fromJsonToPerson(String json) {
+        return new JSONDeserializer<Person>().use(null, Person.class).deserialize(json);
+    }
+
+    // GOOD: Specify the class to deserialize with `use`
+    public void doPut2(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+        String json = req.getParameter("json");
+        Person person = fromJsonToPerson(json);
+    }
 }
