Skip to content

Commit 34fae32

Browse files
owen-mcowen-mc
committed
Add test for ObjectInput.readObject
1 parent 006d77f commit 34fae32

File tree

4 files changed

+245
-112
lines changed

4 files changed

+245
-112
lines changed

java/ql/test/query-tests/security/CWE-502/A.java

Lines changed: 23 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,9 @@
1+
package unsafedeserialization;
2+
13
import java.io.*;
24
import java.net.Socket;
35
import java.beans.XMLDecoder;
6+
import com.example.MyObjectInput;
47
import com.thoughtworks.xstream.XStream;
58
import com.esotericsoftware.kryo.Kryo;
69
import com.esotericsoftware.kryo.io.Input;
@@ -10,13 +13,23 @@
1013
import org.nibblesec.tools.SerialKiller;
1114

1215
public class A {
13-
public Object deserialize1(Socket sock) throws java.io.IOException, ClassNotFoundException {
16+
public Object deserialize1a(Socket sock) throws java.io.IOException, ClassNotFoundException {
1417
InputStream inputStream = sock.getInputStream(); // $ Source
1518
ObjectInputStream in = new ObjectInputStream(inputStream);
1619
return in.readObject(); // $ Alert
1720
}
1821

19-
public Object deserialize2(Socket sock) throws java.io.IOException, ClassNotFoundException {
22+
public Object deserialize2() throws java.io.IOException, ClassNotFoundException {
23+
ObjectInput objectInput = A.getTaintedObjectInput(); // $ MISSING: Source
24+
return objectInput.readObject(); // $ MISSING: Alert
25+
}
26+
27+
public Object deserialize3() throws java.io.IOException, ClassNotFoundException {
28+
MyObjectInput objectInput = A.getTaintedMyObjectInput(); // $ MISSING: Source
29+
return objectInput.readObject(); // $ MISSING: Alert
30+
}
31+
32+
public Object deserialize4(Socket sock) throws java.io.IOException, ClassNotFoundException {
2033
InputStream inputStream = sock.getInputStream(); // $ Source
2134
ObjectInputStream in = new ObjectInputStream(inputStream);
2235
return in.readUnshared(); // $ Alert
@@ -28,20 +41,20 @@ public Object deserializeWithSerialKiller(Socket sock) throws java.io.IOExceptio
2841
return in.readUnshared(); // OK
2942
}
3043

31-
public Object deserialize3(Socket sock) throws java.io.IOException {
44+
public Object deserialize5(Socket sock) throws java.io.IOException {
3245
InputStream inputStream = sock.getInputStream(); // $ Source
3346
XMLDecoder d = new XMLDecoder(inputStream);
3447
return d.readObject(); // $ Alert
3548
}
3649

37-
public Object deserialize4(Socket sock) throws java.io.IOException {
50+
public Object deserialize6(Socket sock) throws java.io.IOException {
3851
XStream xs = new XStream();
3952
InputStream inputStream = sock.getInputStream(); // $ Source
4053
Reader reader = new InputStreamReader(inputStream);
4154
return xs.fromXML(reader); // $ Alert
4255
}
4356

44-
public void deserialize5(Socket sock) throws java.io.IOException {
57+
public void deserialize7(Socket sock) throws java.io.IOException {
4558
Kryo kryo = new Kryo();
4659
Input input = new Input(sock.getInputStream()); // $ Source
4760
A a1 = kryo.readObject(input, A.class); // $ Alert
@@ -56,7 +69,7 @@ private Kryo getSafeKryo() throws java.io.IOException {
5669
return kryo;
5770
}
5871

59-
public void deserialize6(Socket sock) throws java.io.IOException {
72+
public void deserialize8(Socket sock) throws java.io.IOException {
6073
Kryo kryo = getSafeKryo();
6174
Input input = new Input(sock.getInputStream());
6275
Object o = kryo.readClassAndObject(input); // OK
@@ -101,4 +114,8 @@ public void deserializeSnakeYaml4(Socket sock) throws java.io.IOException {
101114
A o4 = yaml.loadAs(input, A.class); // $ Alert
102115
A o5 = yaml.loadAs(new InputStreamReader(input), A.class); // $ Alert
103116
}
117+
118+
static ObjectInput getTaintedObjectInput() { return null; }
119+
120+
static MyObjectInput getTaintedMyObjectInput() { return null; }
104121
}

0 commit comments

Comments
 (0)