add change notes

haby0 · haby0 · commit 58d774ae85b7 · 2021-05-17T14:52:05.000+08:00
diff --git a/java/change-notes/2021-05-17-add-unsafe-deserialization-sinks.md b/java/change-notes/2021-05-17-add-unsafe-deserialization-sinks.md
@@ -0,0 +1,3 @@
+lgtm,codescanning
+* The "Deserialization of user-controlled data" (`java/unsafe-deserialization`) query
+  now recognizes `JYaml`, `JsonIO`, `YAMLBeans`, `HessianBurlap`, `Castor`, `Burlap` deserialization.
diff --git a/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp b/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp
@@ -14,7 +14,7 @@ may have unforeseen effects, such as the execution of arbitrary code.
 </p>
 <p>
 There are many different serialization frameworks.  This query currently
-supports Kryo, XmlDecoder, XStream, SnakeYaml, Hessian, JsonIO, YAMLBeans, Castor, Burlap, 
+supports Kryo, XmlDecoder, XStream, SnakeYaml, JYaml, JsonIO, YAMLBeans, HessianBurlap, Castor, Burlap 
 and Java IO serialization through <code>ObjectInputStream</code>/<code>ObjectOutputStream</code>.
 </p>
 </overview>
diff --git a/java/ql/src/semmle/code/java/frameworks/HessianBurlap.qll b/java/ql/src/semmle/code/java/frameworks/HessianBurlap.qll
@@ -5,7 +5,7 @@
 import java
 
 /**
- * The class `com.caucho.hessian.io.AbstractHessianInput` or `com.alibaba.com.caucho.hessian.io.Hessian2StreamingInput`.
+ * The classes `[com.alibaba.]com.caucho.hessian.io.AbstractHessianInput` or `[com.alibaba.]com.caucho.hessian.io.Hessian2StreamingInput`.
  */
 class UnsafeHessianInput extends RefType {
   UnsafeHessianInput() {
diff --git a/java/ql/src/semmle/code/java/frameworks/JYaml.qll b/java/ql/src/semmle/code/java/frameworks/JYaml.qll
@@ -5,37 +5,18 @@
 import java
 
 /**
- * The class `org.ho.yaml.Yaml`.
+ * The class `org.ho.yaml.Yaml` or `org.ho.yaml.YamlConfig`.
  */
-class JYaml extends RefType {
-  JYaml() { this.hasQualifiedName("org.ho.yaml", "Yaml") }
+class JYamlLoader extends RefType {
+  JYamlLoader() { this.hasQualifiedName("org.ho.yaml", ["Yaml", "YamlConfig"]) }
 }
 
 /**
- * A JYaml unsafe load method. This is either `YAML.load` or
- * `YAML.loadType` or `YAML.loadStream` or `YAML.loadStreamOfType`.
+ * A JYaml unsafe load method, declared on either `Yaml` or `YamlConfig`.
  */
-class JYamlUnsafeLoadMethod extends Method {
-  JYamlUnsafeLoadMethod() {
-    this.getDeclaringType() instanceof JYaml and
-    this.getName() in ["load", "loadType", "loadStream", "loadStreamOfType"]
-  }
-}
-
-/**
- * The class `org.ho.yaml.YamlConfig`.
- */
-class JYamlConfig extends RefType {
-  JYamlConfig() { this.hasQualifiedName("org.ho.yaml", "YamlConfig") }
-}
-
-/**
- * A JYamlConfig unsafe load method. This is either `YamlConfig.load` or
- * `YAML.loadType` or `YamlConfig.loadStream` or `YamlConfig.loadStreamOfType`.
- */
-class JYamlConfigUnsafeLoadMethod extends Method {
-  JYamlConfigUnsafeLoadMethod() {
-    this.getDeclaringType() instanceof JYamlConfig and
+class JYamlLoaderUnsafeLoadMethod extends Method {
+  JYamlLoaderUnsafeLoadMethod() {
+    this.getDeclaringType() instanceof JYamlLoader and
     this.getName() in ["load", "loadType", "loadStream", "loadStreamOfType"]
   }
 }
diff --git a/java/ql/src/semmle/code/java/security/UnsafeDeserialization.qll b/java/ql/src/semmle/code/java/security/UnsafeDeserialization.qll
@@ -87,10 +87,7 @@ predicate unsafeDeserialization(MethodAccess ma, Expr sink) {
     not fastJsonLooksSafe() and
     sink = ma.getArgument(0)
     or
-    ma.getMethod() instanceof JYamlUnsafeLoadMethod and
-    sink = ma.getArgument(0)
-    or
-    ma.getMethod() instanceof JYamlConfigUnsafeLoadMethod and
+    ma.getMethod() instanceof JYamlLoaderUnsafeLoadMethod and
     sink = ma.getArgument(0)
     or
     ma.getMethod() instanceof JsonIoJsonToJavaMethod and

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+lgtm,codescanning`
	`2`	+* The "Deserialization of user-controlled data" (`java/unsafe-deserialization`) query
	`3`	+ now recognizes `JYaml`, `JsonIO`, `YAMLBeans`, `HessianBurlap`, `Castor`, `Burlap` deserialization.