Add the sanitizer of Flexjson

Author: luchua-bc

java/ql/src/semmle/code/java/frameworks/Flexjson.qll

@@ -17,23 +17,26 @@ class FlexjsonSerializer extends RefType {
 /** The deserialization method `deserialize`. */
 class FlexjsonDeserializeMethod extends Method {
   FlexjsonDeserializeMethod() {
-    (
-      this.getDeclaringType().(ParameterizedType).getGenericType() instanceof FlexjsonDeserializer or
-      this.getDeclaringType().getSourceDeclaration().getASourceSupertype*() instanceof
-        FlexjsonDeserializer
-    ) and
+    this.getDeclaringType().getSourceDeclaration().getASourceSupertype*() instanceof
+      FlexjsonDeserializer and
     this.getName().matches("deserialize%")
   }
 }
 
 /** The serialization method `serialize`. */
 class FlexjsonSerializeMethod extends Method {
   FlexjsonSerializeMethod() {
-    (
-      this.getDeclaringType().(ParameterizedType).getGenericType() instanceof FlexjsonSerializer or
-      this.getDeclaringType().getSourceDeclaration().getASourceSupertype*() instanceof
-        FlexjsonSerializer
-    ) and
+    this.getDeclaringType().getSourceDeclaration().getASourceSupertype*() instanceof
+      FlexjsonSerializer and
     this.hasName(["serialize", "deepSerialize"])
   }
 }
+
+/** The method `use` to configure allowed class type. */
+class DeserializerUseMethod extends Method {
+  DeserializerUseMethod() {
+    this.getDeclaringType().getSourceDeclaration().getASourceSupertype*() instanceof
+      FlexjsonDeserializer and
+    this.hasName("use")
+  }
+}

java/ql/src/semmle/code/java/security/UnsafeDeserialization.qll

@@ -264,9 +264,18 @@ predicate unsafeDeserialization(MethodAccess ma, Expr sink) {
     or
     m instanceof FlexjsonDeserializeMethod and
     sink = ma.getArgument(0) and
-    not exists(TypeLiteral tl |
-      ma.getArgument(1) = tl and
-      tl.getType().(ParameterizedType).getATypeArgument().(Class).isFinal()
+    (
+      not exists(TypeLiteral tl |
+        ma.getArgument(1) = tl and
+        tl.getType().(ParameterizedType).getATypeArgument().(Class).isFinal()
+      ) and
+      not exists(MethodAccess dma |
+        dma.getMethod() instanceof DeserializerUseMethod and
+        (
+          ma.getQualifier() = dma or
+          ma.getQualifier().(VarAccess).getVariable().getAnAccess() = dma.getQualifier()
+        )
+      )
     )
     or
     m instanceof JoddJsonParseMethod and

java/ql/test/query-tests/security/CWE-502/FlexjsonServlet.java

@@ -50,4 +50,14 @@ public void doPut(HttpServletRequest req, HttpServletResponse resp) throws IOExc
         JSONDeserializer deserializer = new JSONDeserializer();
         User user = (User) deserializer.deserialize(req.getReader(), Object.class);
     }
+
+    private Person fromJsonToPerson(String json) {
+        return new JSONDeserializer<Person>().use(null, Person.class).deserialize(json);
+    }
+
+    // GOOD: Specify the class to deserialize with `use`
+    public void doPut2(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+        String json = req.getParameter("json");
+        Person person = fromJsonToPerson(json);
+    }
 }