Skip to content

Add unsafe-deserialization support for Jabsorb #6419

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Aug 5, 2021
Merged

Add unsafe-deserialization support for Jabsorb #6419

merged 3 commits into from
Aug 5, 2021

Conversation

smowton
Copy link
Contributor

@smowton smowton commented Aug 4, 2021

This is partly extracted from #5954

@smowton smowton requested a review from a team as a code owner August 4, 2021 14:37
@smowton smowton mentioned this pull request Aug 4, 2021
Closed
aschackmull
aschackmull reviewed Aug 4, 2021
View reviewed changes
java/ql/src/semmle/code/java/security/UnsafeDeserializationQuery.qll Outdated
predicate looksLikeResolveClassStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
exists(MethodAccess ma, Method m, Expr arg | m = ma.getMethod() and arg = ma.getAnArgument() |
m.getReturnType() instanceof JacksonTypeDescriptorType and
m.getName().toLowerCase().regexpMatch("(?i).*(resolve|load|class|type).*") and
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
m.getName().toLowerCase().regexpMatch("(?i).*(resolve|load|class|type).*") and
m.getName().regexpMatch("(?i).*(resolve|load|class|type).*") and

aschackmull
aschackmull reviewed Aug 4, 2021
View reviewed changes
java/ql/src/semmle/code/java/frameworks/Jackson.qll
@@ -77,14 +77,6 @@ class SetPolymorphicTypeValidatorSource extends DataFlow::ExprNode {
}
}

/** Holds if `fromNode` to `toNode` is a dataflow step that resolves a class. */
predicate resolveClassStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
exists(ReflectiveClassIdentifierMethodAccess ma |
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Did this removal make any imports superfluous in this file?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, removed one

aschackmull
aschackmull reviewed Aug 4, 2021
View reviewed changes
Copy link
Contributor

@aschackmull aschackmull left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A few comments, otherwise LGTM.

@smowton
Code review suggestions
5a42448 
- Remove unneeded import
- Remove unnecessary `toLowerCase` call
@smowton
Copy link
Contributor Author

smowton commented Aug 4, 2021

@aschackmull done

@aschackmull aschackmull merged commit 1932f60 into github:main Aug 5, 2021
Marcono1234
Marcono1234 reviewed Aug 6, 2021
View reviewed changes
java/ql/src/semmle/code/java/security/UnsafeDeserializationQuery.qll
or
ma.getMethod() instanceof JabsorbUnmarshallMethod
) and
// Note `JacksonTypeDescriptorType` includes plain old `java.lang.Class`
arg.getType() instanceof JacksonTypeDescriptorType and
Copy link
Contributor

@Marcono1234 Marcono1234 Aug 6, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should JacksonTypeDescriptorType now be refactored as well given that the predicates using it are not exclusively used for Jackson anymore?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Marcono1234 Marcono1234 Marcono1234 left review comments

@aschackmull aschackmull aschackmull approved these changes

Assignees
No one assigned
Labels
documentation Java
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@smowton @Marcono1234 @aschackmull