|
12 | 12 | */ |
13 | 13 |
|
14 | 14 | import java |
15 | | -import semmle.code.java.dataflow.FlowSources |
16 | | -import semmle.code.java.security.UnsafeDeserialization |
| 15 | +import semmle.code.java.security.UnsafeDeserializationQuery |
17 | 16 | import DataFlow::PathGraph |
18 | 17 |
|
19 | | -class UnsafeDeserializationConfig extends TaintTracking::Configuration { |
20 | | - UnsafeDeserializationConfig() { this = "UnsafeDeserializationConfig" } |
21 | | - |
22 | | - override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } |
23 | | - |
24 | | - override predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeDeserializationSink } |
25 | | - |
26 | | - override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) { |
27 | | - exists(ClassInstanceExpr cie | |
28 | | - cie.getArgument(0) = pred.asExpr() and |
29 | | - cie = succ.asExpr() and |
30 | | - ( |
31 | | - cie.getConstructor().getDeclaringType() instanceof JsonIoJsonReader or |
32 | | - cie.getConstructor().getDeclaringType() instanceof YamlBeansReader or |
33 | | - cie.getConstructor().getDeclaringType().getASupertype*() instanceof UnsafeHessianInput or |
34 | | - cie.getConstructor().getDeclaringType() instanceof BurlapInput |
35 | | - ) |
36 | | - ) |
37 | | - or |
38 | | - exists(MethodAccess ma | |
39 | | - ma.getMethod() instanceof BurlapInputInitMethod and |
40 | | - ma.getArgument(0) = pred.asExpr() and |
41 | | - ma.getQualifier() = succ.asExpr() |
42 | | - ) |
43 | | - or |
44 | | - createJacksonJsonParserStep(pred, succ) |
45 | | - or |
46 | | - createJacksonTreeNodeStep(pred, succ) |
47 | | - } |
48 | | - |
49 | | - override predicate isSanitizer(DataFlow::Node node) { |
50 | | - exists(ClassInstanceExpr cie | |
51 | | - cie.getConstructor().getDeclaringType() instanceof JsonIoJsonReader and |
52 | | - cie = node.asExpr() and |
53 | | - exists(SafeJsonIoConfig sji | sji.hasFlowToExpr(cie.getArgument(1))) |
54 | | - ) |
55 | | - or |
56 | | - exists(MethodAccess ma | |
57 | | - ma.getMethod() instanceof JsonIoJsonToJavaMethod and |
58 | | - ma.getArgument(0) = node.asExpr() and |
59 | | - exists(SafeJsonIoConfig sji | sji.hasFlowToExpr(ma.getArgument(1))) |
60 | | - ) |
61 | | - } |
62 | | -} |
63 | | - |
64 | 18 | from DataFlow::PathNode source, DataFlow::PathNode sink, UnsafeDeserializationConfig conf |
65 | 19 | where conf.hasFlowPath(source, sink) |
66 | 20 | select sink.getNode().(UnsafeDeserializationSink).getMethodAccess(), source, sink, |
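Review bot: The `isSanitizer` override (json-io calls configured through `SafeJsonIoConfig`) and the `isAdditionalTaintStep` cases for `JsonIoJsonReader`, `YamlBeansReader`, `UnsafeHessianInput`, `BurlapInput` and the two Jackson steps are deleted here with no visible counterpart, so the alert set now depends entirely on what `semmle.code.java.security.UnsafeDeserializationQuery` defines. That module is outside this hunk; it presumably carries `UnsafeDeserializationConfig` unchanged and still exposes `UnsafeDeserializationSink`, which the `select` casts to. Both are worth confirming by comparing query results before and after, since a dropped sanitizer appears as new false positives and a dropped taint step as silently missed deserialization flows. I would also add a comment above the `from` clause, `// Sources, sinks, taint steps and sanitizers are defined in semmle.code.java.security.UnsafeDeserializationQuery`, so readers of the query know where the detection logic lives. The `select` clause continues past the last line shown.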
|