Refactored tests for unsafe deserialization

Author: artem-smotrakov

java/ql/test/query-tests/security/CWE-502/A.java

@@ -12,34 +12,34 @@ public class A {
   public Object deserialize1(Socket sock) throws java.io.IOException, ClassNotFoundException {
     InputStream inputStream = sock.getInputStream();
     ObjectInputStream in = new ObjectInputStream(inputStream);
-    return in.readObject(); // unsafe
+    return in.readObject(); // $unsafeDeserialization
   }
 
   public Object deserialize2(Socket sock) throws java.io.IOException, ClassNotFoundException {
     InputStream inputStream = sock.getInputStream();
     ObjectInputStream in = new ObjectInputStream(inputStream);
-    return in.readUnshared(); // unsafe
+    return in.readUnshared(); // $unsafeDeserialization
   }
 
   public Object deserialize3(Socket sock) throws java.io.IOException {
     InputStream inputStream = sock.getInputStream();
     XMLDecoder d = new XMLDecoder(inputStream);
-    return d.readObject(); // unsafe
+    return d.readObject(); // $unsafeDeserialization
   }
 
   public Object deserialize4(Socket sock) throws java.io.IOException {
     XStream xs = new XStream();
     InputStream inputStream = sock.getInputStream();
     Reader reader = new InputStreamReader(inputStream);
-    return xs.fromXML(reader); // unsafe
+    return xs.fromXML(reader); // $unsafeDeserialization
   }
 
   public void deserialize5(Socket sock) throws java.io.IOException {
     Kryo kryo = new Kryo();
     Input input = new Input(sock.getInputStream());
-    A a1 = kryo.readObject(input, A.class); // unsafe
-    A a2 = kryo.readObjectOrNull(input, A.class); // unsafe
-    Object o = kryo.readClassAndObject(input); // unsafe
+    A a1 = kryo.readObject(input, A.class); // $unsafeDeserialization
+    A a2 = kryo.readObjectOrNull(input, A.class); // $unsafeDeserialization
+    Object o = kryo.readClassAndObject(input); // $unsafeDeserialization
   }
 
   private Kryo getSafeKryo() throws java.io.IOException {
@@ -58,21 +58,21 @@ public void deserialize6(Socket sock) throws java.io.IOException {
   public void deserializeSnakeYaml(Socket sock) throws java.io.IOException {
     Yaml yaml = new Yaml();
     InputStream input = sock.getInputStream();
-    Object o = yaml.load(input); //unsafe
-    Object o2 = yaml.loadAll(input); //unsafe
-    Object o3 = yaml.parse(new InputStreamReader(input)); //unsafe
-    A o4 = yaml.loadAs(input, A.class); //unsafe
-    A o5 = yaml.loadAs(new InputStreamReader(input), A.class); //unsafe
+    Object o = yaml.load(input); // $unsafeDeserialization
+    Object o2 = yaml.loadAll(input); // $unsafeDeserialization
+    Object o3 = yaml.parse(new InputStreamReader(input)); // $unsafeDeserialization
+    A o4 = yaml.loadAs(input, A.class); // $unsafeDeserialization
+    A o5 = yaml.loadAs(new InputStreamReader(input), A.class); // $unsafeDeserialization
   }
 
   public void deserializeSnakeYaml2(Socket sock) throws java.io.IOException {
     Yaml yaml = new Yaml(new Constructor());
     InputStream input = sock.getInputStream();
-    Object o = yaml.load(input); //unsafe
-    Object o2 = yaml.loadAll(input); //unsafe
-    Object o3 = yaml.parse(new InputStreamReader(input)); //unsafe
-    A o4 = yaml.loadAs(input, A.class); //unsafe
-    A o5 = yaml.loadAs(new InputStreamReader(input), A.class); //unsafe
+    Object o = yaml.load(input); // $unsafeDeserialization
+    Object o2 = yaml.loadAll(input); // $unsafeDeserialization
+    Object o3 = yaml.parse(new InputStreamReader(input)); // $unsafeDeserialization
+    A o4 = yaml.loadAs(input, A.class); // $unsafeDeserialization
+    A o5 = yaml.loadAs(new InputStreamReader(input), A.class); // $unsafeDeserialization
   }
 
   public void deserializeSnakeYaml3(Socket sock) throws java.io.IOException {
@@ -88,10 +88,10 @@ public void deserializeSnakeYaml3(Socket sock) throws java.io.IOException {
   public void deserializeSnakeYaml4(Socket sock) throws java.io.IOException {
     Yaml yaml = new Yaml(new Constructor(A.class));
     InputStream input = sock.getInputStream();
-    Object o = yaml.load(input); //unsafe
-    Object o2 = yaml.loadAll(input); //unsafe
-    Object o3 = yaml.parse(new InputStreamReader(input)); //unsafe
-    A o4 = yaml.loadAs(input, A.class); //unsafe
-    A o5 = yaml.loadAs(new InputStreamReader(input), A.class); //unsafe
+    Object o = yaml.load(input); // $unsafeDeserialization
+    Object o2 = yaml.loadAll(input); // $unsafeDeserialization
+    Object o3 = yaml.parse(new InputStreamReader(input)); // $unsafeDeserialization
+    A o4 = yaml.loadAs(input, A.class); // $unsafeDeserialization
+    A o5 = yaml.loadAs(new InputStreamReader(input), A.class); // $unsafeDeserialization
   }
 }

java/ql/test/query-tests/security/CWE-502/B.java

@@ -5,29 +5,29 @@
 public class B {
   public Object deserializeJson1(Socket sock) throws java.io.IOException {
     InputStream inputStream = sock.getInputStream();
-    return JSON.parseObject(inputStream, null); // unsafe
+    return JSON.parseObject(inputStream, null); // $unsafeDeserialization
   }
 
   public Object deserializeJson2(Socket sock) throws java.io.IOException {
     InputStream inputStream = sock.getInputStream();
     byte[] bytes = new byte[100];
     inputStream.read(bytes);
-    return JSON.parse(bytes); // unsafe
+    return JSON.parse(bytes); // $unsafeDeserialization
   }
 
   public Object deserializeJson3(Socket sock) throws java.io.IOException {
     InputStream inputStream = sock.getInputStream();
     byte[] bytes = new byte[100];
     inputStream.read(bytes);
     String s = new String(bytes);
-    return JSON.parseObject(s); // unsafe
+    return JSON.parseObject(s); // $unsafeDeserialization
   }
 
   public Object deserializeJson4(Socket sock) throws java.io.IOException {
     InputStream inputStream = sock.getInputStream();
     byte[] bytes = new byte[100];
     inputStream.read(bytes);
     String s = new String(bytes);
-    return JSON.parse(s); // unsafe
+    return JSON.parse(s); // $unsafeDeserialization
   }
 }

java/ql/test/query-tests/security/CWE-502/C.java

@@ -21,16 +21,16 @@ public class C {
 	@GetMapping(value = "jyaml")
 	public void bad1(HttpServletRequest request) throws Exception {
 		String data = request.getParameter("data");
-		Yaml.load(data);  //bad
-		Yaml.loadStream(data);  //bad
-		Yaml.loadStreamOfType(data, Object.class);  //bad
-		Yaml.loadType(data, Object.class);  //bad
+		Yaml.load(data);  // $unsafeDeserialization
+		Yaml.loadStream(data);  // $unsafeDeserialization
+		Yaml.loadStreamOfType(data, Object.class);  // $unsafeDeserialization
+		Yaml.loadType(data, Object.class);  // $unsafeDeserialization
 
 		org.ho.yaml.YamlConfig yamlConfig = new YamlConfig();
-		yamlConfig.load(data);  //bad
-		yamlConfig.loadStream(data);  //bad
-		yamlConfig.loadStreamOfType(data, Object.class);  //bad
-		yamlConfig.loadType(data, Object.class);  //bad
+		yamlConfig.load(data);  // $unsafeDeserialization
+		yamlConfig.loadStream(data);  // $unsafeDeserialization
+		yamlConfig.loadStreamOfType(data, Object.class);  // $unsafeDeserialization
+		yamlConfig.loadType(data, Object.class);  // $unsafeDeserialization
 	}
 
 	@GetMapping(value = "jsonio")
@@ -40,55 +40,55 @@ public void bad2(HttpServletRequest request) {
 		HashMap hashMap = new HashMap();
 		hashMap.put("USE_MAPS", true);
 
-		JsonReader.jsonToJava(data); //bad
+		JsonReader.jsonToJava(data); // $unsafeDeserialization
 
-		JsonReader jr = new JsonReader(data, null); //bad
-		jr.readObject();
+		JsonReader jr = new JsonReader(data, null);
+		jr.readObject(); // $unsafeDeserialization
 	}
 
 	@GetMapping(value = "yamlbeans")
 	public void bad3(HttpServletRequest request) throws Exception {
 		String data = request.getParameter("data");
 		YamlReader r = new YamlReader(data);
-		r.read(); //bad
-		r.read(Object.class); //bad
-		r.read(Object.class, Object.class); //bad
+		r.read(); // $unsafeDeserialization
+		r.read(Object.class); // $unsafeDeserialization
+		r.read(Object.class, Object.class); // $unsafeDeserialization
 	}
 
         @GetMapping(value = "hessian")
 	public void bad4(HttpServletRequest request) throws Exception {
 		byte[] bytes = request.getParameter("data").getBytes();
 		ByteArrayInputStream bis = new ByteArrayInputStream(bytes);
 		HessianInput hessianInput = new HessianInput(bis);
-		hessianInput.readObject(); //bad
-		hessianInput.readObject(Object.class); //bad
+		hessianInput.readObject(); // $unsafeDeserialization
+		hessianInput.readObject(Object.class); // $unsafeDeserialization
 	}
 
 	@GetMapping(value = "hessian2")
 	public void bad5(HttpServletRequest request) throws Exception {
 		byte[] bytes = request.getParameter("data").getBytes();
 		ByteArrayInputStream bis = new ByteArrayInputStream(bytes);
 		Hessian2Input hessianInput = new Hessian2Input(bis);
-		hessianInput.readObject(); //bad
-		hessianInput.readObject(Object.class); //bad
+		hessianInput.readObject(); // $unsafeDeserialization
+		hessianInput.readObject(Object.class); // $unsafeDeserialization
 	}
 
     @GetMapping(value = "castor")
 	public void bad6(HttpServletRequest request) throws Exception {
 		Unmarshaller unmarshaller = new Unmarshaller();
-		unmarshaller.unmarshal(new StringReader(request.getParameter("data"))); //bad
+		unmarshaller.unmarshal(new StringReader(request.getParameter("data"))); // $unsafeDeserialization
 	}
 
     @GetMapping(value = "burlap")
 	public void bad7(HttpServletRequest request) throws Exception {
 		byte[] serializedData = request.getParameter("data").getBytes();
 		ByteArrayInputStream is = new ByteArrayInputStream(serializedData);
 		BurlapInput burlapInput = new BurlapInput(is);
-		burlapInput.readObject(); //bad
+		burlapInput.readObject(); // $unsafeDeserialization
 
         BurlapInput burlapInput1 = new BurlapInput();
 		burlapInput1.init(is);
-		burlapInput1.readObject(); //bad
+		burlapInput1.readObject(); // $unsafeDeserialization
 	}
 
 	@GetMapping(value = "jsonio1")

java/ql/test/query-tests/security/CWE-502/JacksonTest.java

@@ -72,7 +72,7 @@ class UnsafePersonDeserialization {
     private static void testUnsafeDeserialization() throws Exception {
         JacksonTest.withSocket(string -> {
             ObjectMapper mapper = new ObjectMapper();
-            mapper.readValue(string, Person.class);
+            mapper.readValue(string, Person.class); // $unsafeDeserialization
         });
     }
 
@@ -81,7 +81,7 @@ private static void testUnsafeDeserialization() throws Exception {
     private static void testUnsafeDeserializationWithExtendedClass() throws Exception {
         JacksonTest.withSocket(string -> {
             ObjectMapper mapper = new ObjectMapper();
-            mapper.readValue(string, Employee.class);
+            mapper.readValue(string, Employee.class); // $unsafeDeserialization
         });
     }
 
@@ -90,7 +90,7 @@ private static void testUnsafeDeserializationWithExtendedClass() throws Exceptio
     private static void testUnsafeDeserializationWithWrapper() throws Exception {
         JacksonTest.withSocket(string -> {
             ObjectMapper mapper = new ObjectMapper();
-            mapper.readValue(string, Task.class);
+            mapper.readValue(string, Task.class); // $unsafeDeserialization
         });
     }
 }
@@ -138,7 +138,7 @@ private static void testUnsafeDeserialization() throws Exception {
         JacksonTest.withSocket(string -> {
             ObjectMapper mapper = new ObjectMapper();
             mapper.enableDefaultTyping();   // this enables polymorphic type handling
-            mapper.readValue(string, Cat.class);
+            mapper.readValue(string, Cat.class); // $unsafeDeserialization
         });
     }
 
@@ -147,7 +147,7 @@ private static void testUnsafeDeserializationWithObjectMapperReadValues() throws
         JacksonTest.withSocket(string -> {
             ObjectMapper mapper = new ObjectMapper();
             mapper.enableDefaultTyping();
-            mapper.readValues(new JsonFactory().createParser(string), Cat.class).readAll();
+            mapper.readValues(new JsonFactory().createParser(string), Cat.class).readAll(); // $unsafeDeserialization
         });
     }
 
@@ -156,7 +156,7 @@ private static void testUnsafeDeserializationWithObjectMapperTreeToValue() throw
         JacksonTest.withSocket(string -> {
             ObjectMapper mapper = new ObjectMapper();
             mapper.enableDefaultTyping();
-            mapper.treeToValue(mapper.readTree(string), Cat.class);
+            mapper.treeToValue(mapper.readTree(string), Cat.class); // $unsafeDeserialization
         });
     }
 
@@ -168,7 +168,7 @@ private static void testUnsafeDeserializationWithUnsafeClass() throws Exception
             String type = parts[1];
             Class clazz = Class.forName(type);
             ObjectMapper mapper = new ObjectMapper();
-            mapper.readValue(data, clazz);
+            mapper.readValue(data, clazz); // $unsafeDeserialization
         });
     }
 
@@ -179,7 +179,7 @@ private static void testUnsafeDeserializationWithUnsafeClassAndCustomTypeResolve
             String data = parts[0];
             String type = parts[1];
             ObjectMapper mapper = new ObjectMapper();
-            mapper.readValue(data, resolveTypeImpl(type));
+            mapper.readValue(data, resolveTypeImpl(type)); // $unsafeDeserialization
         });
     }
 

java/ql/test/query-tests/security/CWE-502/TestMessageBodyReader.java

@@ -19,7 +19,7 @@ public boolean isReadable(Class<?> type, Type genericType, Annotation[] annotati
   public Object readFrom(Class<Object> type, Type genericType, Annotation[] annotations, MediaType mediaType,
           MultivaluedMap<String, String> httpHeaders, InputStream entityStream) throws IOException {
       try {
-          return new ObjectInputStream(entityStream).readObject();
+          return new ObjectInputStream(entityStream).readObject(); // $unsafeDeserialization
       } catch (ClassNotFoundException e) {
           e.printStackTrace();
       }