Update the query and add comments

luchua-bc · luchua-bc · commit fed714280997 · 2021-06-30T14:09:48.000Z
diff --git a/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql b/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql
@@ -72,23 +72,23 @@ class UnsafeDeserializationConfig extends TaintTracking::Configuration {
         ma.getMethod() instanceof FlexjsonDeserializeMethod or
         ma.getMethod() instanceof JoddJsonParseMethod
       ) and
-      node.asExpr() = ma.getArgument(0) and
+      node.asExpr() = ma.getAnArgument() and
       (
         ma.getArgument(1)
             .(TypeLiteral)
             .getType()
             .(ParameterizedType)
             .getATypeArgument()
             .(Class)
-            .isFinal()
+            .isFinal() // jodd.json.JsonParser parser = new JsonParser(); parser.allowClass("com.example.*"); parser.setClassMetadataName("class"); User obj = parser.parse(json, User.class);
         or
         exists(
           MethodAccess dma // Specified class type
         |
           dma.getMethod() instanceof DeserializerUseMethod and
           (
             ma.getQualifier() = dma or
-            ma.getQualifier().(VarAccess).getVariable().getAnAccess() = dma.getQualifier()
+            ma.getQualifier().(VarAccess).getVariable().getAnAccess() = dma.getQualifier() // new flexjson.JSONDeserializer<Person>().use(null, Person.class).deserialize(json)
           )
         )
       )
diff --git a/java/ql/src/semmle/code/java/frameworks/Flexjson.qll b/java/ql/src/semmle/code/java/frameworks/Flexjson.qll
@@ -19,7 +19,7 @@ class FlexjsonDeserializeMethod extends Method {
   FlexjsonDeserializeMethod() {
     this.getDeclaringType().getSourceDeclaration().getASourceSupertype*() instanceof
       FlexjsonDeserializer and
-    this.getName().matches("deserialize%")
+    this.getName() = ["deserialize", "deserializeInto"]
   }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -72,23 +72,23 @@ class UnsafeDeserializationConfig extends TaintTracking::Configuration {`
`72`	`72`	`ma.getMethod() instanceof FlexjsonDeserializeMethod or`
`73`	`73`	`ma.getMethod() instanceof JoddJsonParseMethod`
`74`	`74`	`) and`
`75`		`- node.asExpr() = ma.getArgument(0) and`
	`75`	`+ node.asExpr() = ma.getAnArgument() and`
`76`	`76`	`(`
`77`	`77`	`ma.getArgument(1)`
`78`	`78`	`.(TypeLiteral)`
`79`	`79`	`.getType()`
`80`	`80`	`.(ParameterizedType)`
`81`	`81`	`.getATypeArgument()`
`82`	`82`	`.(Class)`
`83`		`- .isFinal()`
	`83`	`+ .isFinal() // jodd.json.JsonParser parser = new JsonParser(); parser.allowClass("com.example.*"); parser.setClassMetadataName("class"); User obj = parser.parse(json, User.class);`
`84`	`84`	`or`
`85`	`85`	`exists(`
`86`	`86`	`MethodAccess dma // Specified class type`
`87`	`87`	`\|`
`88`	`88`	`dma.getMethod() instanceof DeserializerUseMethod and`
`89`	`89`	`(`
`90`	`90`	`ma.getQualifier() = dma or`
`91`		`- ma.getQualifier().(VarAccess).getVariable().getAnAccess() = dma.getQualifier()`
	`91`	`+ ma.getQualifier().(VarAccess).getVariable().getAnAccess() = dma.getQualifier() // new flexjson.JSONDeserializer<Person>().use(null, Person.class).deserialize(json)`
`92`	`92`	`)`
`93`	`93`	`)`
`94`	`94`	`)`
Original file line number	Diff line number	Diff line change
`@@ -19,7 +19,7 @@ class FlexjsonDeserializeMethod extends Method {`
`19`	`19`	`FlexjsonDeserializeMethod() {`
`20`	`20`	`this.getDeclaringType().getSourceDeclaration().getASourceSupertype*() instanceof`
`21`	`21`	`FlexjsonDeserializer and`
`22`		`- this.getName().matches("deserialize%")`
	`22`	`+ this.getName() = ["deserialize", "deserializeInto"]`
`23`	`23`	`}`
`24`	`24`	`}`
`25`	`25`