Add sink for ObjectInput.readObject to make test pass

Author: owen-mc

java/ql/lib/semmle/code/java/JDK.qll

@@ -211,6 +211,11 @@ class TypeObjectOutputStream extends RefType {
   TypeObjectOutputStream() { this.hasQualifiedName("java.io", "ObjectOutputStream") }
 }
 
+/** The type `java.io.ObjectInput`. */
+class TypeObjectInput extends RefType {
+  TypeObjectInput() { this.hasQualifiedName("java.io", "ObjectInput") }
+}
+
 /** The type `java.io.ObjectInputStream`. */
 class TypeObjectInputStream extends RefType {
   TypeObjectInputStream() { this.hasQualifiedName("java.io", "ObjectInputStream") }

java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll

@@ -23,10 +23,17 @@ private import semmle.code.java.frameworks.google.Gson
 private import semmle.code.java.frameworks.apache.Lang
 private import semmle.code.java.Reflection
 
-private class ObjectInputStreamReadObjectMethod extends Method {
-  ObjectInputStreamReadObjectMethod() {
+private class ObjectInputReadObjectMethod extends Method {
+  ObjectInputReadObjectMethod() {
+    this.getDeclaringType().getASourceSupertype*() instanceof TypeObjectInput and
+    this.hasName("readObject")
+  }
+}
+
+private class ObjectInputStreamReadUnsharedMethod extends Method {
+  ObjectInputStreamReadUnsharedMethod() {
     this.getDeclaringType().getASourceSupertype*() instanceof TypeObjectInputStream and
-    (this.hasName("readObject") or this.hasName("readUnshared"))
+    this.hasName("readUnshared")
   }
 }
 
@@ -147,7 +154,11 @@ private module SafeKryoFlow = DataFlow::Global<SafeKryoConfig>;
  */
 predicate unsafeDeserialization(MethodCall ma, Expr sink) {
   exists(Method m | m = ma.getMethod() |
-    m instanceof ObjectInputStreamReadObjectMethod and
+    m instanceof ObjectInputReadObjectMethod and
+    sink = ma.getQualifier() and
+    not DataFlow::exprNode(sink).getTypeBound() instanceof SafeObjectInputStreamType
+    or
+    m instanceof ObjectInputStreamReadUnsharedMethod and
     sink = ma.getQualifier() and
     not DataFlow::exprNode(sink).getTypeBound() instanceof SafeObjectInputStreamType
     or

java/ql/test/query-tests/security/CWE-502/A.java

@@ -20,13 +20,13 @@ public Object deserialize1a(Socket sock) throws java.io.IOException, ClassNotFou
   }
 
   public Object deserialize2() throws java.io.IOException, ClassNotFoundException {
-    ObjectInput objectInput = A.getTaintedObjectInput(); // $ MISSING: Source
-    return objectInput.readObject(); // $ MISSING: Alert
+    ObjectInput objectInput = A.getTaintedObjectInput(); // $ Source
+    return objectInput.readObject(); // $ Alert
   }
 
   public Object deserialize3() throws java.io.IOException, ClassNotFoundException {
-    MyObjectInput objectInput = A.getTaintedMyObjectInput(); // $ MISSING: Source
-    return objectInput.readObject(); // $ MISSING: Alert
+    MyObjectInput objectInput = A.getTaintedMyObjectInput(); // $ Source
+    return objectInput.readObject(); // $ Alert
   }
 
   public Object deserialize4(Socket sock) throws java.io.IOException, ClassNotFoundException {