  1. import java
  2. import semmle.code.java.frameworks.Kryo
  3. import semmle.code.java.frameworks.XStream
  4. import semmle.code.java.frameworks.SnakeYaml
  5.  
  6. class ObjectInputStreamReadObjectMethod extends Method {
  7. ObjectInputStreamReadObjectMethod() {
  8. this.getDeclaringType().getASourceSupertype*().hasQualifiedName("java.io", "ObjectInputStream") and
  9. (this.hasName("readObject") or this.hasName("readUnshared"))
  10. }
  11. }
  12.  
  13. class XMLDecoderReadObjectMethod extends Method {
  14. XMLDecoderReadObjectMethod() {
  15. this.getDeclaringType().hasQualifiedName("java.beans", "XMLDecoder") and
  16. this.hasName("readObject")
  17. }
  18. }
  19.  
  20. class SafeXStream extends DataFlow2::Configuration {
  21. SafeXStream() { this = "UnsafeDeserialization::SafeXStream" }
  22. override predicate isSource(DataFlow::Node src) {
  23. any(XStreamEnableWhiteListing ma).getQualifier().(VarAccess).getVariable().getAnAccess() = src.asExpr()
  24. }
  25. override predicate isSink(DataFlow::Node sink) {
  26. exists(MethodAccess ma |
  27. sink.asExpr() = ma.getQualifier() and
  28. ma.getMethod() instanceof XStreamReadObjectMethod
  29. )
  30. }
  31. }
  32.  
  33. class SafeKryo extends DataFlow2::Configuration {
  34. SafeKryo() { this = "UnsafeDeserialization::SafeKryo" }
  35. override predicate isSource(DataFlow::Node src) {
  36. any(KryoEnableWhiteListing ma).getQualifier().(VarAccess).getVariable().getAnAccess() = src.asExpr()
  37. }
  38. override predicate isSink(DataFlow::Node sink) {
  39. exists(MethodAccess ma |
  40. sink.asExpr() = ma.getQualifier() and
  41. ma.getMethod() instanceof KryoReadObjectMethod
  42. )
  43. }
  44. }
  45.  
  46. predicate unsafeDeserialization(MethodAccess ma, Expr sink) {
  47. exists(Method m | m = ma.getMethod() |
  48. m instanceof ObjectInputStreamReadObjectMethod and
  49. sink = ma.getQualifier()
  50. or
  51. m instanceof XMLDecoderReadObjectMethod and
  52. sink = ma.getQualifier()
  53. or
  54. m instanceof XStreamReadObjectMethod and
  55. sink = ma.getAnArgument() and
  56. not exists(SafeXStream sxs | sxs.hasFlowToExpr(ma.getQualifier()))
  57. or
  58. m instanceof KryoReadObjectMethod and
  59. sink = ma.getAnArgument() and
  60. not exists(SafeKryo sk | sk.hasFlowToExpr(ma.getQualifier()))
  61. or
  62. ma instanceof UnsafeSnakeYamlParse and
  63. sink = ma.getArgument(0)
  64. )
  65. }
  66.  
  67. class UnsafeDeserializationSink extends DataFlow::ExprNode {
  68. UnsafeDeserializationSink() {
  69. unsafeDeserialization(_, this.getExpr())
  70. }
  71. MethodAccess getMethodAccess() { unsafeDeserialization(result, this.getExpr()) }
  72. }