Add UnsafeDeserialization

Author: haby0

java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp

@@ -14,8 +14,8 @@ may have unforeseen effects, such as the execution of arbitrary code.
 </p>
 <p>
 There are many different serialization frameworks.  This query currently
-supports Kryo, XmlDecoder, XStream, SnakeYaml, and Java IO serialization through
-<code>ObjectInputStream</code>/<code>ObjectOutputStream</code>.
+supports Kryo, XmlDecoder, XStream, SnakeYaml, Hessian, JsonIO, YAMLBeans, Castor, Burlap, 
+and Java IO serialization through <code>ObjectInputStream</code>/<code>ObjectOutputStream</code>.
 </p>
 </overview>
 
@@ -75,6 +75,22 @@ Alvaro Muñoz &amp; Christian Schneider, RSAConference 2016:
 SnakeYaml documentation on deserialization:
 <a href="https://bitbucket.org/asomov/snakeyaml/wiki/Documentation#markdown-header-loading-yaml">SnakeYaml deserialization</a>.
 </li>
+<li>
+Hessian deserialization and related gadget chains:
+<a href="https://paper.seebug.org/1137/">Hessian deserialization</a>.
+</li>
+<li>
+Castor and Hessian java deserialization vulnerabilities:
+<a href="https://securitylab.github.com/research/hessian-java-deserialization-castor-vulnerabilities/">Castor and Hessian deserialization</a>.
+</li>
+<li>
+Remote code execution in JYaml library:
+<a href="https://www.cybersecurity-help.cz/vdb/SB2020022512">JYaml deserialization</a>.
+</li>
+<li>
+JsonIO deserialization vulnerabilities:
+<a href="https://klezvirus.github.io/Advanced-Web-Hacking/Serialisation/">JsonIO deserialization</a>.
+</li>
 </references>
 
 </qhelp>

java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql

@@ -21,6 +21,39 @@ class UnsafeDeserializationConfig extends TaintTracking::Configuration {
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   override predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeDeserializationSink }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node prod, DataFlow::Node succ) {
+    exists(ClassInstanceExpr cie |
+      cie.getConstructor().getDeclaringType() instanceof JsonReader and
+      cie.getArgument(0) = prod.asExpr() and
+      cie = succ.asExpr() and
+      not exists(SafeJsonIo sji | sji.hasFlowToExpr(cie.getArgument(1)))
+    )
+    or
+    exists(ClassInstanceExpr cie |
+      cie.getConstructor().getDeclaringType() instanceof YamlReader and
+      cie.getArgument(0) = prod.asExpr() and
+      cie = succ.asExpr()
+    )
+    or
+    exists(ClassInstanceExpr cie |
+      cie.getConstructor().getDeclaringType() instanceof UnSafeHessianInput and
+      cie.getArgument(0) = prod.asExpr() and
+      cie = succ.asExpr()
+    )
+    or
+    exists(ClassInstanceExpr cie |
+      cie.getConstructor().getDeclaringType() instanceof BurlapInput and
+      cie.getArgument(0) = prod.asExpr() and
+      cie = succ.asExpr()
+    )
+    or
+    exists(MethodAccess ma |
+      ma.getMethod() instanceof BurlapInputInitMethod and
+      ma.getArgument(0) = prod.asExpr() and
+      ma.getQualifier() = succ.asExpr()
+    )
+  }
 }
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, UnsafeDeserializationConfig conf

java/ql/src/semmle/code/java/frameworks/Castor.qll

@@ -0,0 +1,20 @@
+/**
+ * Provides classes and predicates for working with the Castor framework.
+ */
+
+import java
+
+/**
+ * The class `org.exolab.castor.xml.Unmarshaller`.
+ */
+class Unmarshaller extends RefType {
+  Unmarshaller() { this.hasQualifiedName("org.exolab.castor.xml", "Unmarshaller") }
+}
+
+/** A method with the name `unmarshal` declared in `org.exolab.castor.xml.Unmarshaller`. */
+class UnmarshalMethod extends Method {
+  UnmarshalMethod() {
+    this.getDeclaringType() instanceof Unmarshaller and
+    this.getName() = "unmarshal"
+  }
+}

java/ql/src/semmle/code/java/frameworks/Hessian.qll

@@ -0,0 +1,47 @@
+/**
+ * Provides classes and predicates for working with the Hession framework.
+ */
+
+import java
+
+/**
+ * The class `com.caucho.hessian.io.HessianInput` or `com.caucho.hessian.io.Hessian2Input`.
+ */
+class UnSafeHessianInput extends RefType {
+  UnSafeHessianInput() {
+    this.hasQualifiedName("com.caucho.hessian.io", ["HessianInput", "Hessian2Input"])
+  }
+}
+
+/**
+ * A HessianInput readObject method. This is either `HessianInput.readObject` or `Hessian2Input.readObject`.
+ */
+class UnSafeHessianInputReadObjectMethod extends Method {
+  UnSafeHessianInputReadObjectMethod() {
+    this.getDeclaringType() instanceof UnSafeHessianInput and
+    this.getName() = "readObject"
+  }
+}
+
+/**
+ * The class `com.caucho.burlap.io.BurlapInput`.
+ */
+class BurlapInput extends RefType {
+  BurlapInput() { this.hasQualifiedName("com.caucho.burlap.io", "BurlapInput") }
+}
+
+/** A method with the name `readObject` declared in `com.caucho.burlap.io.BurlapInput`. */
+class BurlapInputReadObjectMethod extends Method {
+  BurlapInputReadObjectMethod() {
+    this.getDeclaringType() instanceof BurlapInput and
+    this.getName() = "readObject"
+  }
+}
+
+/** A method with the name `init` declared in `com.caucho.burlap.io.BurlapInput`. */
+class BurlapInputInitMethod extends Method {
+  BurlapInputInitMethod() {
+    this.getDeclaringType() instanceof BurlapInput and
+    this.getName() = "init"
+  }
+}

java/ql/src/semmle/code/java/frameworks/JYaml.qll

@@ -0,0 +1,41 @@
+/**
+ * Provides classes and predicates for working with the JYaml framework.
+ */
+
+import java
+
+/**
+ * The class `org.ho.yaml.Yaml`.
+ */
+class JYaml extends RefType {
+  JYaml() { this.hasQualifiedName("org.ho.yaml", "Yaml") }
+}
+
+/**
+ * A JYaml unsafe load method. This is either `YAML.load` or
+ * `YAML.loadType` or `YAML.loadStream` or `YAML.loadStreamOfType`.
+ */
+class JYamlUnSafeLoadMethod extends Method {
+  JYamlUnSafeLoadMethod() {
+    this.getDeclaringType() instanceof JYaml and
+    this.getName() in ["load", "loadType", "loadStream", "loadStreamOfType"]
+  }
+}
+
+/**
+ * The class `org.ho.yaml.YamlConfig`.
+ */
+class JYamlConfig extends RefType {
+  JYamlConfig() { this.hasQualifiedName("org.ho.yaml", "YamlConfig") }
+}
+
+/**
+ * A JYamlConfig unsafe load method. This is either `YamlConfig.load` or
+ * `YAML.loadType` or `YamlConfig.loadStream` or `YamlConfig.loadStreamOfType`.
+ */
+class JYamlConfigUnSafeLoadMethod extends Method {
+  JYamlConfigUnSafeLoadMethod() {
+    this.getDeclaringType() instanceof JYamlConfig and
+    this.getName() in ["load", "loadType", "loadStream", "loadStreamOfType"]
+  }
+}

java/ql/src/semmle/code/java/frameworks/JsonIo.qll

@@ -0,0 +1,41 @@
+/**
+ * Provides classes and predicates for working with the Json-io framework.
+ */
+
+import java
+import semmle.code.java.Maps
+
+/**
+ * The class `com.cedarsoftware.util.io.JsonReader`.
+ */
+class JsonReader extends RefType {
+  JsonReader() { this.hasQualifiedName("com.cedarsoftware.util.io", "JsonReader") }
+}
+
+/** A method with the name `jsonToJava` declared in `com.cedarsoftware.util.io.JsonReader`. */
+class JsonIoJsonToJavaMethod extends Method {
+  JsonIoJsonToJavaMethod() {
+    this.getDeclaringType() instanceof JsonReader and
+    this.getName() = "jsonToJava"
+  }
+}
+
+/** A method with the name `readObject` declared in `com.cedarsoftware.util.io.JsonReader`. */
+class JsonIoReadObjectMethod extends Method {
+  JsonIoReadObjectMethod() {
+    this.getDeclaringType() instanceof JsonReader and
+    this.getName() = "readObject"
+  }
+}
+
+/**
+ * A call to `Map.put` method, set the value of the `USE_MAPS` key to `true`. 
+ */
+class JsonIoSafeOptionalArgs extends MethodAccess {
+  JsonIoSafeOptionalArgs() {
+    this.getMethod().getDeclaringType().getASourceSupertype*() instanceof MapType and
+    this.getMethod().hasName("put") and
+    this.getArgument(0).(CompileTimeConstantExpr).getStringValue() = "USE_MAPS" and
+    this.getArgument(1).(CompileTimeConstantExpr).getBooleanValue() = true
+  }
+}

java/ql/src/semmle/code/java/frameworks/YamlBeans.qll

@@ -0,0 +1,20 @@
+/**
+ * Provides classes and predicates for working with the YamlBeans framework.
+ */
+
+import java
+
+/**
+ * The class `com.esotericsoftware.yamlbeans.YamlReader`.
+ */
+class YamlReader extends RefType {
+  YamlReader() { this.hasQualifiedName("com.esotericsoftware.yamlbeans", "YamlReader") }
+}
+
+/** A method with the name `read` declared in `com.esotericsoftware.yamlbeans.YamlReader`. */
+class YamlReaderReadMethod extends Method {
+  YamlReaderReadMethod() {
+    this.getDeclaringType() instanceof YamlReader and
+    this.getName() = "read"
+  }
+}

java/ql/src/semmle/code/java/security/UnsafeDeserialization.qll

@@ -2,6 +2,11 @@ import semmle.code.java.frameworks.Kryo
 import semmle.code.java.frameworks.XStream
 import semmle.code.java.frameworks.SnakeYaml
 import semmle.code.java.frameworks.FastJson
+import semmle.code.java.frameworks.JYaml
+import semmle.code.java.frameworks.JsonIo
+import semmle.code.java.frameworks.YamlBeans
+import semmle.code.java.frameworks.Hessian
+import semmle.code.java.frameworks.Castor
 import semmle.code.java.frameworks.apache.Lang
 
 class ObjectInputStreamReadObjectMethod extends Method {
@@ -50,6 +55,29 @@ class SafeKryo extends DataFlow2::Configuration {
   }
 }
 
+class SafeJsonIo extends DataFlow2::Configuration {
+  SafeJsonIo() { this = "UnsafeDeserialization::SafeJsonIo" }
+
+  override predicate isSource(DataFlow::Node src) {
+    exists(MethodAccess ma |
+      ma instanceof JsonIoSafeOptionalArgs and
+      src.asExpr() = ma.getQualifier()
+    )
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(MethodAccess ma |
+      ma.getMethod() instanceof JsonIoJsonToJavaMethod and
+      sink.asExpr() = ma.getArgument(1)
+    )
+    or
+    exists(ClassInstanceExpr cie |
+      cie.getConstructor().getDeclaringType() instanceof JsonReader and
+      sink.asExpr() = cie.getArgument(1)
+    )
+  }
+}
+
 predicate unsafeDeserialization(MethodAccess ma, Expr sink) {
   exists(Method m | m = ma.getMethod() |
     m instanceof ObjectInputStreamReadObjectMethod and
@@ -81,6 +109,27 @@ predicate unsafeDeserialization(MethodAccess ma, Expr sink) {
     ma.getMethod() instanceof FastJsonParseMethod and
     not fastJsonLooksSafe() and
     sink = ma.getArgument(0)
+    or
+    ma.getMethod() instanceof JYamlUnSafeLoadMethod and
+    sink = ma.getArgument(0)
+    or
+    ma.getMethod() instanceof JYamlConfigUnSafeLoadMethod and
+    sink = ma.getArgument(0)
+    or
+    ma.getMethod() instanceof JsonIoJsonToJavaMethod and
+    sink = ma.getArgument(0) and
+    not exists(SafeJsonIo sji | sji.hasFlowToExpr(ma.getArgument(1)))
+    or
+    ma.getMethod() instanceof JsonIoReadObjectMethod and
+    sink = ma.getQualifier()
+    or
+    ma.getMethod() instanceof YamlReaderReadMethod and sink = ma.getQualifier()
+    or
+    ma.getMethod() instanceof UnSafeHessianInputReadObjectMethod and sink = ma.getQualifier()
+    or
+    ma.getMethod() instanceof UnmarshalMethod and sink = ma.getAnArgument()
+    or
+    ma.getMethod() instanceof BurlapInputReadObjectMethod and sink = ma.getQualifier()
   )
 }