Java: convert UnsafeDeserialization test to .qlref

Author: d10c

java/ql/test/query-tests/security/CWE-502/A.java

@@ -11,15 +11,15 @@
 
 public class A {
   public Object deserialize1(Socket sock) throws java.io.IOException, ClassNotFoundException {
-    InputStream inputStream = sock.getInputStream();
+    InputStream inputStream = sock.getInputStream(); // $ Source
     ObjectInputStream in = new ObjectInputStream(inputStream);
-    return in.readObject(); // $unsafeDeserialization
+    return in.readObject(); // $ Alert
   }
 
   public Object deserialize2(Socket sock) throws java.io.IOException, ClassNotFoundException {
-    InputStream inputStream = sock.getInputStream();
+    InputStream inputStream = sock.getInputStream(); // $ Source
     ObjectInputStream in = new ObjectInputStream(inputStream);
-    return in.readUnshared(); // $unsafeDeserialization
+    return in.readUnshared(); // $ Alert
   }
 
   public Object deserializeWithSerialKiller(Socket sock) throws java.io.IOException, ClassNotFoundException {
@@ -29,24 +29,24 @@ public Object deserializeWithSerialKiller(Socket sock) throws java.io.IOExceptio
   }
 
   public Object deserialize3(Socket sock) throws java.io.IOException {
-    InputStream inputStream = sock.getInputStream();
+    InputStream inputStream = sock.getInputStream(); // $ Source
     XMLDecoder d = new XMLDecoder(inputStream);
-    return d.readObject(); // $unsafeDeserialization
+    return d.readObject(); // $ Alert
   }
 
   public Object deserialize4(Socket sock) throws java.io.IOException {
     XStream xs = new XStream();
-    InputStream inputStream = sock.getInputStream();
+    InputStream inputStream = sock.getInputStream(); // $ Source
     Reader reader = new InputStreamReader(inputStream);
-    return xs.fromXML(reader); // $unsafeDeserialization
+    return xs.fromXML(reader); // $ Alert
   }
 
   public void deserialize5(Socket sock) throws java.io.IOException {
     Kryo kryo = new Kryo();
-    Input input = new Input(sock.getInputStream());
-    A a1 = kryo.readObject(input, A.class); // $unsafeDeserialization
-    A a2 = kryo.readObjectOrNull(input, A.class); // $unsafeDeserialization
-    Object o = kryo.readClassAndObject(input); // $unsafeDeserialization
+    Input input = new Input(sock.getInputStream()); // $ Source
+    A a1 = kryo.readObject(input, A.class); // $ Alert
+    A a2 = kryo.readObjectOrNull(input, A.class); // $ Alert
+    Object o = kryo.readClassAndObject(input); // $ Alert
   }
 
   private Kryo getSafeKryo() throws java.io.IOException {
@@ -64,22 +64,22 @@ public void deserialize6(Socket sock) throws java.io.IOException {
 
   public void deserializeSnakeYaml(Socket sock) throws java.io.IOException {
     Yaml yaml = new Yaml();
-    InputStream input = sock.getInputStream();
-    Object o = yaml.load(input); // $unsafeDeserialization
-    Object o2 = yaml.loadAll(input); // $unsafeDeserialization
-    Object o3 = yaml.parse(new InputStreamReader(input)); // $unsafeDeserialization
-    A o4 = yaml.loadAs(input, A.class); // $unsafeDeserialization
-    A o5 = yaml.loadAs(new InputStreamReader(input), A.class); // $unsafeDeserialization
+    InputStream input = sock.getInputStream(); // $ Source
+    Object o = yaml.load(input); // $ Alert
+    Object o2 = yaml.loadAll(input); // $ Alert
+    Object o3 = yaml.parse(new InputStreamReader(input)); // $ Alert
+    A o4 = yaml.loadAs(input, A.class); // $ Alert
+    A o5 = yaml.loadAs(new InputStreamReader(input), A.class); // $ Alert
   }
 
   public void deserializeSnakeYaml2(Socket sock) throws java.io.IOException {
     Yaml yaml = new Yaml(new Constructor());
-    InputStream input = sock.getInputStream();
-    Object o = yaml.load(input); // $unsafeDeserialization
-    Object o2 = yaml.loadAll(input); // $unsafeDeserialization
-    Object o3 = yaml.parse(new InputStreamReader(input)); // $unsafeDeserialization
-    A o4 = yaml.loadAs(input, A.class); // $unsafeDeserialization
-    A o5 = yaml.loadAs(new InputStreamReader(input), A.class); // $unsafeDeserialization
+    InputStream input = sock.getInputStream(); // $ Source
+    Object o = yaml.load(input); // $ Alert
+    Object o2 = yaml.loadAll(input); // $ Alert
+    Object o3 = yaml.parse(new InputStreamReader(input)); // $ Alert
+    A o4 = yaml.loadAs(input, A.class); // $ Alert
+    A o5 = yaml.loadAs(new InputStreamReader(input), A.class); // $ Alert
   }
 
   public void deserializeSnakeYaml3(Socket sock) throws java.io.IOException {
@@ -94,11 +94,11 @@ public void deserializeSnakeYaml3(Socket sock) throws java.io.IOException {
 
   public void deserializeSnakeYaml4(Socket sock) throws java.io.IOException {
     Yaml yaml = new Yaml(new Constructor(A.class));
-    InputStream input = sock.getInputStream();
-    Object o = yaml.load(input); // $unsafeDeserialization
-    Object o2 = yaml.loadAll(input); // $unsafeDeserialization
-    Object o3 = yaml.parse(new InputStreamReader(input)); // $unsafeDeserialization
-    A o4 = yaml.loadAs(input, A.class); // $unsafeDeserialization
-    A o5 = yaml.loadAs(new InputStreamReader(input), A.class); // $unsafeDeserialization
+    InputStream input = sock.getInputStream(); // $ Source
+    Object o = yaml.load(input); // $ Alert
+    Object o2 = yaml.loadAll(input); // $ Alert
+    Object o3 = yaml.parse(new InputStreamReader(input)); // $ Alert
+    A o4 = yaml.loadAs(input, A.class); // $ Alert
+    A o5 = yaml.loadAs(new InputStreamReader(input), A.class); // $ Alert
   }
 }

java/ql/test/query-tests/security/CWE-502/B.java

@@ -4,30 +4,30 @@
 
 public class B {
   public Object deserializeJson1(Socket sock) throws java.io.IOException {
-    InputStream inputStream = sock.getInputStream();
-    return JSON.parseObject(inputStream, null); // $unsafeDeserialization
+    InputStream inputStream = sock.getInputStream(); // $ Source
+    return JSON.parseObject(inputStream, null); // $ Alert
   }
 
   public Object deserializeJson2(Socket sock) throws java.io.IOException {
-    InputStream inputStream = sock.getInputStream();
+    InputStream inputStream = sock.getInputStream(); // $ Source
     byte[] bytes = new byte[100];
     inputStream.read(bytes);
-    return JSON.parse(bytes); // $unsafeDeserialization
+    return JSON.parse(bytes); // $ Alert
   }
 
   public Object deserializeJson3(Socket sock) throws java.io.IOException {
-    InputStream inputStream = sock.getInputStream();
+    InputStream inputStream = sock.getInputStream(); // $ Source
     byte[] bytes = new byte[100];
     inputStream.read(bytes);
     String s = new String(bytes);
-    return JSON.parseObject(s); // $unsafeDeserialization
+    return JSON.parseObject(s); // $ Alert
   }
 
   public Object deserializeJson4(Socket sock) throws java.io.IOException {
-    InputStream inputStream = sock.getInputStream();
+    InputStream inputStream = sock.getInputStream(); // $ Source
     byte[] bytes = new byte[100];
     inputStream.read(bytes);
     String s = new String(bytes);
-    return JSON.parse(s); // $unsafeDeserialization
+    return JSON.parse(s); // $ Alert
   }
 }

java/ql/test/query-tests/security/CWE-502/C.java

@@ -20,75 +20,75 @@ public class C {
 
 	@GetMapping(value = "jyaml")
 	public void bad1(HttpServletRequest request) throws Exception {
-		String data = request.getParameter("data");
-		Yaml.load(data);  // $unsafeDeserialization
-		Yaml.loadStream(data);  // $unsafeDeserialization
-		Yaml.loadStreamOfType(data, Object.class);  // $unsafeDeserialization
-		Yaml.loadType(data, Object.class);  // $unsafeDeserialization
+		String data = request.getParameter("data"); // $ Source
+		Yaml.load(data);  // $ Alert
+		Yaml.loadStream(data);  // $ Alert
+		Yaml.loadStreamOfType(data, Object.class);  // $ Alert
+		Yaml.loadType(data, Object.class);  // $ Alert
 
 		org.ho.yaml.YamlConfig yamlConfig = new YamlConfig();
-		yamlConfig.load(data);  // $unsafeDeserialization
-		yamlConfig.loadStream(data);  // $unsafeDeserialization
-		yamlConfig.loadStreamOfType(data, Object.class);  // $unsafeDeserialization
-		yamlConfig.loadType(data, Object.class);  // $unsafeDeserialization
+		yamlConfig.load(data);  // $ Alert
+		yamlConfig.loadStream(data);  // $ Alert
+		yamlConfig.loadStreamOfType(data, Object.class);  // $ Alert
+		yamlConfig.loadType(data, Object.class);  // $ Alert
 	}
 
 	@GetMapping(value = "jsonio")
 	public void bad2(HttpServletRequest request) {
-		String data = request.getParameter("data");
+		String data = request.getParameter("data"); // $ Source
 
 		HashMap hashMap = new HashMap();
 		hashMap.put("USE_MAPS", true);
 
-		JsonReader.jsonToJava(data); // $unsafeDeserialization
+		JsonReader.jsonToJava(data); // $ Alert
 
 		JsonReader jr = new JsonReader(data, null);
-		jr.readObject(); // $unsafeDeserialization
+		jr.readObject(); // $ Alert
 	}
 
 	@GetMapping(value = "yamlbeans")
 	public void bad3(HttpServletRequest request) throws Exception {
-		String data = request.getParameter("data");
+		String data = request.getParameter("data"); // $ Source
 		YamlReader r = new YamlReader(data);
-		r.read(); // $unsafeDeserialization
-		r.read(Object.class); // $unsafeDeserialization
-		r.read(Object.class, Object.class); // $unsafeDeserialization
+		r.read(); // $ Alert
+		r.read(Object.class); // $ Alert
+		r.read(Object.class, Object.class); // $ Alert
 	}
 
         @GetMapping(value = "hessian")
 	public void bad4(HttpServletRequest request) throws Exception {
-		byte[] bytes = request.getParameter("data").getBytes();
+		byte[] bytes = request.getParameter("data").getBytes(); // $ Source
 		ByteArrayInputStream bis = new ByteArrayInputStream(bytes);
 		HessianInput hessianInput = new HessianInput(bis);
-		hessianInput.readObject(); // $unsafeDeserialization
-		hessianInput.readObject(Object.class); // $unsafeDeserialization
+		hessianInput.readObject(); // $ Alert
+		hessianInput.readObject(Object.class); // $ Alert
 	}
 
 	@GetMapping(value = "hessian2")
 	public void bad5(HttpServletRequest request) throws Exception {
-		byte[] bytes = request.getParameter("data").getBytes();
+		byte[] bytes = request.getParameter("data").getBytes(); // $ Source
 		ByteArrayInputStream bis = new ByteArrayInputStream(bytes);
 		Hessian2Input hessianInput = new Hessian2Input(bis);
-		hessianInput.readObject(); // $unsafeDeserialization
-		hessianInput.readObject(Object.class); // $unsafeDeserialization
+		hessianInput.readObject(); // $ Alert
+		hessianInput.readObject(Object.class); // $ Alert
 	}
 
     @GetMapping(value = "castor")
 	public void bad6(HttpServletRequest request) throws Exception {
 		Unmarshaller unmarshaller = new Unmarshaller();
-		unmarshaller.unmarshal(new StringReader(request.getParameter("data"))); // $unsafeDeserialization
+		unmarshaller.unmarshal(new StringReader(request.getParameter("data"))); // $ Alert
 	}
 
     @GetMapping(value = "burlap")
 	public void bad7(HttpServletRequest request) throws Exception {
-		byte[] serializedData = request.getParameter("data").getBytes();
+		byte[] serializedData = request.getParameter("data").getBytes(); // $ Source
 		ByteArrayInputStream is = new ByteArrayInputStream(serializedData);
 		BurlapInput burlapInput = new BurlapInput(is);
-		burlapInput.readObject(); // $unsafeDeserialization
+		burlapInput.readObject(); // $ Alert
 
         BurlapInput burlapInput1 = new BurlapInput();
 		burlapInput1.init(is);
-		burlapInput1.readObject(); // $unsafeDeserialization
+		burlapInput1.readObject(); // $ Alert
 	}
 
 	@GetMapping(value = "jsonio1")

java/ql/test/query-tests/security/CWE-502/FlexjsonServlet.java

@@ -33,23 +33,23 @@ public void doHead(HttpServletRequest req, HttpServletResponse resp) throws IOEx
     // BAD: allow class name to be controlled by remote source
     public void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
         JSONDeserializer<User> deserializer = new JSONDeserializer<>();
-        User user = (User) deserializer.deserialize(req.getReader()); // $unsafeDeserialization
+        User user = (User) deserializer.deserialize(req.getReader()); // $ Alert
 
     }
 
     @Override
     // BAD: allow class name to be controlled by remote source
     public void doTrace(HttpServletRequest req, HttpServletResponse resp) throws IOException {
         JSONDeserializer deserializer = new JSONDeserializer<>();
-        User user = (User) deserializer.deserialize(req.getReader()); // $unsafeDeserialization
+        User user = (User) deserializer.deserialize(req.getReader()); // $ Alert
 
     }
 
     @Override
     // BAD: specify overly generic class type
     public void doPut(HttpServletRequest req, HttpServletResponse resp) throws IOException {
         JSONDeserializer deserializer = new JSONDeserializer();
-        User user = (User) deserializer.deserialize(req.getReader(), Object.class); // $unsafeDeserialization
+        User user = (User) deserializer.deserialize(req.getReader(), Object.class); // $ Alert
     }
 
     private Person fromJsonToPerson(String json) {
@@ -64,8 +64,8 @@ public void doPut2(HttpServletRequest req, HttpServletResponse resp) throws IOEx
 
     // BAD: Specify a concrete class type to `use` with `ObjectFactory`
     public void doPut3(HttpServletRequest req, HttpServletResponse resp) throws IOException {
-        String json = req.getParameter("json");
-        Person person = new JSONDeserializer<Person>().use(Person.class, new ExistingObjectFactory(new Person())).deserialize(json); // $unsafeDeserialization
+        String json = req.getParameter("json"); // $ Source
+        Person person = new JSONDeserializer<Person>().use(Person.class, new ExistingObjectFactory(new Person())).deserialize(json); // $ Alert
     }
 
     // GOOD: Specify a null path to `use` with a concrete class type
@@ -76,8 +76,8 @@ public void doPut4(HttpServletRequest req, HttpServletResponse resp) throws IOEx
 
     // BAD: Specify a non-null json path to `use` with a concrete class type
     public void doPut5(HttpServletRequest req, HttpServletResponse resp) throws IOException {
-        String json = req.getParameter("json");
-        Person person = new JSONDeserializer<Person>().use("abc", Person.class).deserialize(json); // $unsafeDeserialization
+        String json = req.getParameter("json"); // $ Source
+        Person person = new JSONDeserializer<Person>().use("abc", Person.class).deserialize(json); // $ Alert
     }
 
     // GOOD: Specify a null json path to `use` with `ObjectFactory`
@@ -116,11 +116,11 @@ public void doPut10(HttpServletRequest req, HttpServletResponse resp) throws IOE
 
     // BAD: Specify a non-null json path to `use` with a concrete class type, interwoven with irrelevant use directives, without using fluent method chaining
     public void doPut11(HttpServletRequest req, HttpServletResponse resp) throws IOException {
-        String json = req.getParameter("json");
+        String json = req.getParameter("json"); // $ Source
         JSONDeserializer<Person> deserializer = new JSONDeserializer<Person>();
         deserializer.use(Person.class, null);
         deserializer.use("someKey", Person.class);
         deserializer.use(String.class, null);
-        Person person = deserializer.deserialize(json); // $unsafeDeserialization
+        Person person = deserializer.deserialize(json); // $ Alert
     }
 }

java/ql/test/query-tests/security/CWE-502/GsonActivity.java

@@ -5,13 +5,13 @@
 import android.os.Parcel;
 import android.os.Parcelable;
 
-import com.google.gson.Gson; 
+import com.google.gson.Gson;
 
 public class GsonActivity extends Activity {
     public void onCreate(Bundle savedInstanceState) {
         super.onCreate(savedInstanceState);
         setContentView(-1);
 
-        ParcelableEntity entity = (ParcelableEntity) getIntent().getParcelableExtra("jsonEntity");
+        ParcelableEntity entity = (ParcelableEntity) getIntent().getParcelableExtra("jsonEntity"); // $ Source
     }
 }

java/ql/test/query-tests/security/CWE-502/GsonServlet.java

@@ -36,12 +36,12 @@ public void doPut(HttpServletRequest req, HttpServletResponse resp) throws IOExc
     @Override
     // BAD: allow class name to be controlled by remote source
     public void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
-        String json = req.getParameter("json");
+        String json = req.getParameter("json"); // $ Source
         String clazz = req.getParameter("class");
 
         try {
             Gson gson = new Gson();
-            Object obj = gson.fromJson(json, Class.forName(clazz)); // $unsafeDeserialization
+            Object obj = gson.fromJson(json, Class.forName(clazz)); // $ Alert
         } catch (ClassNotFoundException cne) {
             throw new IOException(cne.getMessage());
         }
@@ -50,14 +50,14 @@ public void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOEx
     @Override
     // BAD: allow class name to be controlled by remote source even with a type adapter factory
     public void doHead(HttpServletRequest req, HttpServletResponse resp) throws IOException {
-        String json = req.getParameter("json");
+        String json = req.getParameter("json"); // $ Source
         String clazz = req.getParameter("class");
 
         try {
             RuntimeTypeAdapterFactory<User> runtimeTypeAdapterFactory = RuntimeTypeAdapterFactory
             .of(User.class, "type");
             Gson gson = new GsonBuilder().registerTypeAdapterFactory(runtimeTypeAdapterFactory).create();
-            Object obj = gson.fromJson(json, Class.forName(clazz)); // $unsafeDeserialization
+            Object obj = gson.fromJson(json, Class.forName(clazz)); // $ Alert
         } catch (ClassNotFoundException cne) {
             throw new IOException(cne.getMessage());
         }
@@ -74,4 +74,4 @@ public void doTrace(HttpServletRequest req, HttpServletResponse resp) throws IOE
         Gson gson = new GsonBuilder().registerTypeAdapterFactory(runtimeTypeAdapterFactory).create();
         Person obj = gson.fromJson(json, Person.class);
     }
-}
+}