Modify ql

Author: haby0

java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql

@@ -24,34 +24,34 @@ class UnsafeDeserializationConfig extends TaintTracking::Configuration {
 
   override predicate isAdditionalTaintStep(DataFlow::Node prod, DataFlow::Node succ) {
     exists(ClassInstanceExpr cie |
-      cie.getConstructor().getDeclaringType() instanceof JsonReader and
       cie.getArgument(0) = prod.asExpr() and
       cie = succ.asExpr() and
-      not exists(SafeJsonIo sji | sji.hasFlowToExpr(cie.getArgument(1)))
+      (
+        cie.getConstructor().getDeclaringType() instanceof JsonIoJsonReader or
+        cie.getConstructor().getDeclaringType() instanceof YamlBeansReader or
+        cie.getConstructor().getDeclaringType().getASupertype*() instanceof UnsafeHessianInput or
+        cie.getConstructor().getDeclaringType() instanceof BurlapInput
+      )
     )
     or
-    exists(ClassInstanceExpr cie |
-      cie.getConstructor().getDeclaringType() instanceof YamlReader and
-      cie.getArgument(0) = prod.asExpr() and
-      cie = succ.asExpr()
-    )
-    or
-    exists(ClassInstanceExpr cie |
-      cie.getConstructor().getDeclaringType() instanceof UnSafeHessianInput and
-      cie.getArgument(0) = prod.asExpr() and
-      cie = succ.asExpr()
+    exists(MethodAccess ma |
+      ma.getMethod() instanceof BurlapInputInitMethod and
+      ma.getArgument(0) = prod.asExpr() and
+      ma.getQualifier() = succ.asExpr()
     )
-    or
+  }
+
+  override predicate isSanitizer(DataFlow::Node node) {
     exists(ClassInstanceExpr cie |
-      cie.getConstructor().getDeclaringType() instanceof BurlapInput and
-      cie.getArgument(0) = prod.asExpr() and
-      cie = succ.asExpr()
+      cie.getConstructor().getDeclaringType() instanceof JsonIoJsonReader and
+      cie = node.asExpr() and
+      exists(SafeJsonIoConfig sji | sji.hasFlowToExpr(cie.getArgument(1)))
     )
     or
     exists(MethodAccess ma |
-      ma.getMethod() instanceof BurlapInputInitMethod and
-      ma.getArgument(0) = prod.asExpr() and
-      ma.getQualifier() = succ.asExpr()
+      ma.getMethod() instanceof JsonIoJsonToJavaMethod and
+      ma.getArgument(0) = node.asExpr() and
+      exists(SafeJsonIoConfig sji | sji.hasFlowToExpr(ma.getArgument(1)))
     )
   }
 }

java/ql/src/semmle/code/java/frameworks/Castor.qll

@@ -7,14 +7,14 @@ import java
 /**
  * The class `org.exolab.castor.xml.Unmarshaller`.
  */
-class Unmarshaller extends RefType {
-  Unmarshaller() { this.hasQualifiedName("org.exolab.castor.xml", "Unmarshaller") }
+class CastorUnmarshaller extends RefType {
+  CastorUnmarshaller() { this.hasQualifiedName("org.exolab.castor.xml", "Unmarshaller") }
 }
 
 /** A method with the name `unmarshal` declared in `org.exolab.castor.xml.Unmarshaller`. */
 class UnmarshalMethod extends Method {
   UnmarshalMethod() {
-    this.getDeclaringType() instanceof Unmarshaller and
+    this.getDeclaringType() instanceof CastorUnmarshaller and
     this.getName() = "unmarshal"
   }
 }

java/ql/src/semmle/code/java/frameworks/Hessian.qll renamed to java/ql/src/semmle/code/java/frameworks/HessianBurlap.qll

@@ -1,24 +1,26 @@
 /**
- * Provides classes and predicates for working with the Hession framework.
+ * Provides classes and predicates for working with the HessianBurlap framework.
  */
 
 import java
 
 /**
- * The class `com.caucho.hessian.io.HessianInput` or `com.caucho.hessian.io.Hessian2Input`.
+ * The class `com.caucho.hessian.io.AbstractHessianInput` or `com.alibaba.com.caucho.hessian.io.Hessian2StreamingInput`.
  */
-class UnSafeHessianInput extends RefType {
-  UnSafeHessianInput() {
-    this.hasQualifiedName("com.caucho.hessian.io", ["HessianInput", "Hessian2Input"])
+class UnsafeHessianInput extends RefType {
+  UnsafeHessianInput() {
+    this.hasQualifiedName(["com.caucho.hessian.io", "com.alibaba.com.caucho.hessian.io"],
+      ["AbstractHessianInput", "Hessian2StreamingInput"])
   }
 }
 
 /**
- * A HessianInput readObject method. This is either `HessianInput.readObject` or `Hessian2Input.readObject`.
+ * A AbstractHessianInput or Hessian2StreamingInput subclass readObject method.
+ * This is either `AbstractHessianInput.readObject` or `Hessian2StreamingInput.readObject`.
  */
-class UnSafeHessianInputReadObjectMethod extends Method {
-  UnSafeHessianInputReadObjectMethod() {
-    this.getDeclaringType() instanceof UnSafeHessianInput and
+class UnsafeHessianInputReadObjectMethod extends Method {
+  UnsafeHessianInputReadObjectMethod() {
+    this.getDeclaringType().getASupertype*() instanceof UnsafeHessianInput and
     this.getName() = "readObject"
   }
 }

java/ql/src/semmle/code/java/frameworks/JYaml.qll

@@ -15,8 +15,8 @@ class JYaml extends RefType {
  * A JYaml unsafe load method. This is either `YAML.load` or
  * `YAML.loadType` or `YAML.loadStream` or `YAML.loadStreamOfType`.
  */
-class JYamlUnSafeLoadMethod extends Method {
-  JYamlUnSafeLoadMethod() {
+class JYamlUnsafeLoadMethod extends Method {
+  JYamlUnsafeLoadMethod() {
     this.getDeclaringType() instanceof JYaml and
     this.getName() in ["load", "loadType", "loadStream", "loadStreamOfType"]
   }
@@ -33,8 +33,8 @@ class JYamlConfig extends RefType {
  * A JYamlConfig unsafe load method. This is either `YamlConfig.load` or
  * `YAML.loadType` or `YamlConfig.loadStream` or `YamlConfig.loadStreamOfType`.
  */
-class JYamlConfigUnSafeLoadMethod extends Method {
-  JYamlConfigUnSafeLoadMethod() {
+class JYamlConfigUnsafeLoadMethod extends Method {
+  JYamlConfigUnsafeLoadMethod() {
     this.getDeclaringType() instanceof JYamlConfig and
     this.getName() in ["load", "loadType", "loadStream", "loadStreamOfType"]
   }

java/ql/src/semmle/code/java/frameworks/JsonIo.qll

@@ -4,32 +4,34 @@
 
 import java
 import semmle.code.java.Maps
+import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.dataflow.DataFlow2
 
 /**
  * The class `com.cedarsoftware.util.io.JsonReader`.
  */
-class JsonReader extends RefType {
-  JsonReader() { this.hasQualifiedName("com.cedarsoftware.util.io", "JsonReader") }
+class JsonIoJsonReader extends RefType {
+  JsonIoJsonReader() { this.hasQualifiedName("com.cedarsoftware.util.io", "JsonReader") }
 }
 
 /** A method with the name `jsonToJava` declared in `com.cedarsoftware.util.io.JsonReader`. */
 class JsonIoJsonToJavaMethod extends Method {
   JsonIoJsonToJavaMethod() {
-    this.getDeclaringType() instanceof JsonReader and
+    this.getDeclaringType() instanceof JsonIoJsonReader and
     this.getName() = "jsonToJava"
   }
 }
 
 /** A method with the name `readObject` declared in `com.cedarsoftware.util.io.JsonReader`. */
 class JsonIoReadObjectMethod extends Method {
   JsonIoReadObjectMethod() {
-    this.getDeclaringType() instanceof JsonReader and
+    this.getDeclaringType() instanceof JsonIoJsonReader and
     this.getName() = "readObject"
   }
 }
 
 /**
- * A call to `Map.put` method, set the value of the `USE_MAPS` key to `true`. 
+ * A call to `Map.put` method, set the value of the `USE_MAPS` key to `true`.
  */
 class JsonIoSafeOptionalArgs extends MethodAccess {
   JsonIoSafeOptionalArgs() {
@@ -39,3 +41,27 @@ class JsonIoSafeOptionalArgs extends MethodAccess {
     this.getArgument(1).(CompileTimeConstantExpr).getBooleanValue() = true
   }
 }
+
+/** A data flow configuration tracing flow from JsonIo safe settings. */
+class SafeJsonIoConfig extends DataFlow2::Configuration {
+  SafeJsonIoConfig() { this = "UnsafeDeserialization::SafeJsonIoConfig" }
+
+  override predicate isSource(DataFlow::Node src) {
+    exists(MethodAccess ma |
+      ma instanceof JsonIoSafeOptionalArgs and
+      src.asExpr() = ma.getQualifier()
+    )
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(MethodAccess ma |
+      ma.getMethod() instanceof JsonIoJsonToJavaMethod and
+      sink.asExpr() = ma.getArgument(1)
+    )
+    or
+    exists(ClassInstanceExpr cie |
+      cie.getConstructor().getDeclaringType() instanceof JsonIoJsonReader and
+      sink.asExpr() = cie.getArgument(1)
+    )
+  }
+}

java/ql/src/semmle/code/java/frameworks/YamlBeans.qll

@@ -7,14 +7,14 @@ import java
 /**
  * The class `com.esotericsoftware.yamlbeans.YamlReader`.
  */
-class YamlReader extends RefType {
-  YamlReader() { this.hasQualifiedName("com.esotericsoftware.yamlbeans", "YamlReader") }
+class YamlBeansReader extends RefType {
+  YamlBeansReader() { this.hasQualifiedName("com.esotericsoftware.yamlbeans", "YamlReader") }
 }
 
 /** A method with the name `read` declared in `com.esotericsoftware.yamlbeans.YamlReader`. */
-class YamlReaderReadMethod extends Method {
-  YamlReaderReadMethod() {
-    this.getDeclaringType() instanceof YamlReader and
+class YamlBeansReaderReadMethod extends Method {
+  YamlBeansReaderReadMethod() {
+    this.getDeclaringType() instanceof YamlBeansReader and
     this.getName() = "read"
   }
 }

java/ql/src/semmle/code/java/security/UnsafeDeserialization.qll

@@ -5,7 +5,7 @@ import semmle.code.java.frameworks.FastJson
 import semmle.code.java.frameworks.JYaml
 import semmle.code.java.frameworks.JsonIo
 import semmle.code.java.frameworks.YamlBeans
-import semmle.code.java.frameworks.Hessian
+import semmle.code.java.frameworks.HessianBurlap
 import semmle.code.java.frameworks.Castor
 import semmle.code.java.frameworks.apache.Lang
 
@@ -55,29 +55,6 @@ class SafeKryo extends DataFlow2::Configuration {
   }
 }
 
-class SafeJsonIo extends DataFlow2::Configuration {
-  SafeJsonIo() { this = "UnsafeDeserialization::SafeJsonIo" }
-
-  override predicate isSource(DataFlow::Node src) {
-    exists(MethodAccess ma |
-      ma instanceof JsonIoSafeOptionalArgs and
-      src.asExpr() = ma.getQualifier()
-    )
-  }
-
-  override predicate isSink(DataFlow::Node sink) {
-    exists(MethodAccess ma |
-      ma.getMethod() instanceof JsonIoJsonToJavaMethod and
-      sink.asExpr() = ma.getArgument(1)
-    )
-    or
-    exists(ClassInstanceExpr cie |
-      cie.getConstructor().getDeclaringType() instanceof JsonReader and
-      sink.asExpr() = cie.getArgument(1)
-    )
-  }
-}
-
 predicate unsafeDeserialization(MethodAccess ma, Expr sink) {
   exists(Method m | m = ma.getMethod() |
     m instanceof ObjectInputStreamReadObjectMethod and
@@ -110,22 +87,21 @@ predicate unsafeDeserialization(MethodAccess ma, Expr sink) {
     not fastJsonLooksSafe() and
     sink = ma.getArgument(0)
     or
-    ma.getMethod() instanceof JYamlUnSafeLoadMethod and
+    ma.getMethod() instanceof JYamlUnsafeLoadMethod and
     sink = ma.getArgument(0)
     or
-    ma.getMethod() instanceof JYamlConfigUnSafeLoadMethod and
+    ma.getMethod() instanceof JYamlConfigUnsafeLoadMethod and
     sink = ma.getArgument(0)
     or
     ma.getMethod() instanceof JsonIoJsonToJavaMethod and
-    sink = ma.getArgument(0) and
-    not exists(SafeJsonIo sji | sji.hasFlowToExpr(ma.getArgument(1)))
+    sink = ma.getArgument(0)
     or
     ma.getMethod() instanceof JsonIoReadObjectMethod and
     sink = ma.getQualifier()
     or
-    ma.getMethod() instanceof YamlReaderReadMethod and sink = ma.getQualifier()
+    ma.getMethod() instanceof YamlBeansReaderReadMethod and sink = ma.getQualifier()
     or
-    ma.getMethod() instanceof UnSafeHessianInputReadObjectMethod and sink = ma.getQualifier()
+    ma.getMethod() instanceof UnsafeHessianInputReadObjectMethod and sink = ma.getQualifier()
     or
     ma.getMethod() instanceof UnmarshalMethod and sink = ma.getAnArgument()
     or

java/ql/test/query-tests/security/CWE-502/C.java

@@ -42,13 +42,8 @@ public void bad2(HttpServletRequest request) {
 
 		JsonReader.jsonToJava(data); //bad
 
-		JsonReader.jsonToJava(data, hashMap); //good
-
 		JsonReader jr = new JsonReader(data, null); //bad
 		jr.readObject();
-
-		JsonReader jr1 = new JsonReader(data, hashMap); //good
-		jr1.readObject();
 	}
 
 	@GetMapping(value = "yamlbeans")
@@ -95,4 +90,25 @@ public void bad7(HttpServletRequest request) throws Exception {
 		burlapInput1.init(is);
 		burlapInput1.readObject(); //bad
 	}
+
+	@GetMapping(value = "jsonio1")
+	public void good1(HttpServletRequest request) {
+		String data = request.getParameter("data");
+
+		HashMap hashMap = new HashMap();
+		hashMap.put("USE_MAPS", true);
+
+		JsonReader.jsonToJava(data, hashMap); //good
+	}
+
+	@GetMapping(value = "jsonio2")
+	public void good2(HttpServletRequest request) {
+		String data = request.getParameter("data");
+
+		HashMap hashMap = new HashMap();
+		hashMap.put("USE_MAPS", true);
+
+		JsonReader jr1 = new JsonReader(data, hashMap); //good
+		jr1.readObject();
+	}
 }