Add unsafe-deserialization support for Jabsorb

This is partly extracted from github#5954

Author: smowton

java/change-notes/2021-08-04-jabsorb-unsafe-deserialization.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The "Deserialization of user-controlled data" (`java/unsafe-deserialization`) query now recognizes deserialization using the `Jabsorb` library.

java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp

@@ -15,7 +15,8 @@ may have unforeseen effects, such as the execution of arbitrary code.
 <p>
 There are many different serialization frameworks.  This query currently
 supports Kryo, XmlDecoder, XStream, SnakeYaml, JYaml, JsonIO, YAMLBeans, HessianBurlap, Castor, Burlap,
-Jackson and Java IO serialization through <code>ObjectInputStream</code>/<code>ObjectOutputStream</code>.
+Jackson, Jabsorb and Java IO serialization through
+<code>ObjectInputStream</code>/<code>ObjectOutputStream</code>.
 </p>
 </overview>
 
@@ -100,6 +101,10 @@ Blog posts by the developer of Jackson libraries:
 <a href="https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062">On Jackson CVEs: Don’t Panic — Here is what you need to know</a>
 <a href="https://cowtowncoder.medium.com/jackson-2-10-safe-default-typing-2d018f0ce2ba">Jackson 2.10: Safe Default Typing</a>
 </li>
+<li>
+Jabsorb documentation on deserialization:
+<a href="https://github.com/Servoy/jabsorb/blob/master/src/org/jabsorb/">Jabsorb JSON Serializer</a>.
+</li>
 </references>
 
 </qhelp>

java/ql/src/semmle/code/java/frameworks/Jabsorb.qll

@@ -0,0 +1,26 @@
+/**
+ * Provides classes for working with the Jabsorb JSON-RPC ORB framework.
+ */
+
+import java
+
+/** The class `org.jabsorb.JSONSerializer`. */
+class JabsorbSerializer extends RefType {
+  JabsorbSerializer() { this.hasQualifiedName("org.jabsorb", "JSONSerializer") }
+}
+
+/** The deserialization method `unmarshall`. */
+class JabsorbUnmarshallMethod extends Method {
+  JabsorbUnmarshallMethod() {
+    this.getDeclaringType().getASupertype*() instanceof JabsorbSerializer and
+    this.getName() = "unmarshall"
+  }
+}
+
+/** The deserialization method `fromJSON`. */
+class JabsorbFromJsonMethod extends Method {
+  JabsorbFromJsonMethod() {
+    this.getDeclaringType().getASupertype*() instanceof JabsorbSerializer and
+    this.getName() = "fromJSON"
+  }
+}

java/ql/src/semmle/code/java/frameworks/Jackson.qll

@@ -77,14 +77,6 @@ class SetPolymorphicTypeValidatorSource extends DataFlow::ExprNode {
   }
 }
 
-/** Holds if `fromNode` to `toNode` is a dataflow step that resolves a class. */
-predicate resolveClassStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
-  exists(ReflectiveClassIdentifierMethodAccess ma |
-    ma.getArgument(0) = fromNode.asExpr() and
-    ma = toNode.asExpr()
-  )
-}
-
 /**
  * Holds if `fromNode` to `toNode` is a dataflow step that creates a Jackson parser.
  *
@@ -153,22 +145,3 @@ predicate hasArgumentWithUnsafeJacksonAnnotation(MethodAccess call) {
     hasJsonTypeInfoAnnotation(argType.(ParameterizedType).getATypeArgument())
   )
 }
-
-/**
- * Holds if `fromNode` to `toNode` is a dataflow step that looks like resolving a class.
- * A method probably resolves a class if it takes a string, returns a type descriptor,
- * and its name contains "resolve", "load", etc.
- *
- * Any method call that satisfies the rule above is assumed to propagate taint from its string arguments,
- * so methods that accept user-controlled data but sanitize it or use it for some
- * completely different purpose before returning a type descriptor could result in false positives.
- */
-predicate looksLikeResolveClassStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
-  exists(MethodAccess ma, Method m, Expr arg | m = ma.getMethod() and arg = ma.getAnArgument() |
-    m.getReturnType() instanceof JacksonTypeDescriptorType and
-    m.getName().toLowerCase().regexpMatch("(.*)(resolve|load|class|type)(.*)") and
-    arg.getType() instanceof TypeString and
-    arg = fromNode.asExpr() and
-    ma = toNode.asExpr()
-  )
-}

java/ql/src/semmle/code/java/security/UnsafeDeserializationQuery.qll

@@ -14,6 +14,7 @@ private import semmle.code.java.frameworks.YamlBeans
 private import semmle.code.java.frameworks.HessianBurlap
 private import semmle.code.java.frameworks.Castor
 private import semmle.code.java.frameworks.Jackson
+private import semmle.code.java.frameworks.Jabsorb
 private import semmle.code.java.frameworks.apache.Lang
 private import semmle.code.java.Reflection
 
@@ -184,6 +185,13 @@ predicate unsafeDeserialization(MethodAccess ma, Expr sink) {
       hasArgumentWithUnsafeJacksonAnnotation(ma)
     ) and
     not exists(SafeObjectMapperConfig config | config.hasFlowToExpr(ma.getQualifier()))
+    or
+    m instanceof JabsorbUnmarshallMethod and
+    sink = ma.getArgument(2) and
+    any(UnsafeTypeConfig config).hasFlowToExpr(ma.getArgument(1))
+    or
+    m instanceof JabsorbFromJsonMethod and
+    sink = ma.getArgument(0)
   )
 }
 
@@ -243,9 +251,36 @@ class UnsafeDeserializationConfig extends TaintTracking::Configuration {
   }
 }
 
+/** Holds if `fromNode` to `toNode` is a dataflow step that resolves a class. */
+predicate resolveClassStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
+  exists(ReflectiveClassIdentifierMethodAccess ma |
+    ma.getArgument(0) = fromNode.asExpr() and
+    ma = toNode.asExpr()
+  )
+}
+
+/**
+ * Holds if `fromNode` to `toNode` is a dataflow step that looks like resolving a class.
+ * A method probably resolves a class if it takes a string, returns a type descriptor,
+ * and its name contains "resolve", "load", etc.
+ *
+ * Any method call that satisfies the rule above is assumed to propagate taint from its string arguments,
+ * so methods that accept user-controlled data but sanitize it or use it for some
+ * completely different purpose before returning a type descriptor could result in false positives.
+ */
+predicate looksLikeResolveClassStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
+  exists(MethodAccess ma, Method m, Expr arg | m = ma.getMethod() and arg = ma.getAnArgument() |
+    m.getReturnType() instanceof JacksonTypeDescriptorType and
+    m.getName().toLowerCase().regexpMatch("(?i).*(resolve|load|class|type).*") and
+    arg.getType() instanceof TypeString and
+    arg = fromNode.asExpr() and
+    ma = toNode.asExpr()
+  )
+}
+
 /**
  * Tracks flow from a remote source to a type descriptor (e.g. a `java.lang.Class` instance)
- * passed to a Jackson deserialization method.
+ * passed to a deserialization method.
  *
  * If this is user-controlled, arbitrary code could be executed while instantiating the user-specified type.
  */
@@ -256,7 +291,12 @@ class UnsafeTypeConfig extends TaintTracking2::Configuration {
 
   override predicate isSink(DataFlow::Node sink) {
     exists(MethodAccess ma, int i, Expr arg | i > 0 and ma.getArgument(i) = arg |
-      ma.getMethod() instanceof ObjectMapperReadMethod and
+      (
+        ma.getMethod() instanceof ObjectMapperReadMethod
+        or
+        ma.getMethod() instanceof JabsorbUnmarshallMethod
+      ) and
+      // Note `JacksonTypeDescriptorType` includes plain old `java.lang.Class`
       arg.getType() instanceof JacksonTypeDescriptorType and
       arg = sink.asExpr()
     )

java/ql/test/query-tests/security/CWE-502/JabsorbServlet.java

@@ -0,0 +1,121 @@
+import java.io.IOException;
+
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.json.JSONObject;
+import org.jabsorb.JSONSerializer;
+import org.jabsorb.serializer.SerializerState;
+import org.jabsorb.serializer.ObjectMatch;
+
+import com.example.User;
+import com.thirdparty.Person;
+
+public class JabsorbServlet extends HttpServlet {
+
+    private static final long serialVersionUID = 1L;
+
+    @Override
+    // GOOD: final class type specified
+    public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+        String json = req.getParameter("json");
+        String clazz = req.getParameter("class");
+
+        try {
+            Object jsonObject = new JSONObject(json);
+
+            JSONSerializer serializer = new JSONSerializer();
+            serializer.registerDefaultSerializers();
+
+            serializer.setMarshallClassHints(true);
+            serializer.setMarshallNullAttributes(true);
+
+            SerializerState state = new SerializerState();
+            User user = (User) serializer.unmarshall(state, User.class, jsonObject);
+        } catch (Exception e) {
+            throw new IOException(e.getMessage());
+        }
+    }
+
+    // GOOD: concrete class type specified even if it has vulnerable subclasses
+    public void doHead(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+        String json = req.getParameter("json");
+        String clazz = req.getParameter("class");
+
+        try {
+            Object jsonObject = new JSONObject(json);
+
+            JSONSerializer serializer = new JSONSerializer();
+            serializer.registerDefaultSerializers();
+
+            serializer.setMarshallClassHints(true);
+            serializer.setMarshallNullAttributes(true);
+
+            SerializerState state = new SerializerState();
+            Person person = (Person) serializer.unmarshall(state, Person.class, jsonObject);
+        } catch (Exception e) {
+            throw new IOException(e.getMessage());
+        }
+    }
+
+    @Override
+    // GOOD: try unmarshall but doesn't actually marshall the object
+    public void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+        String json = req.getParameter("json");
+        String clazz = req.getParameter("class");
+
+        try {
+            Object jsonObject = new JSONObject(json);
+
+            JSONSerializer serializer = new JSONSerializer();
+            serializer.registerDefaultSerializers();
+
+            serializer.setMarshallClassHints(true);
+            serializer.setMarshallNullAttributes(true);
+
+            SerializerState state = new SerializerState();
+            ObjectMatch objMatch = serializer.tryUnmarshall(state, Class.forName(clazz), jsonObject);
+            User obj = new User();
+            boolean result = objMatch.equals(obj);
+        } catch (Exception e) {
+            throw new IOException(e.getMessage());
+        }
+    }
+
+    @Override
+    // BAD: allow class name to be controlled by remote source
+    public void doPut(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+        String json = req.getParameter("json");
+        String clazz = req.getParameter("class");
+
+        try {
+            Object jsonObject = new JSONObject(json);
+
+            JSONSerializer serializer = new JSONSerializer();
+            serializer.registerDefaultSerializers();
+
+            serializer.setMarshallClassHints(true);
+            serializer.setMarshallNullAttributes(true);
+
+            SerializerState state = new SerializerState();
+            User user = (User) serializer.unmarshall(state, Class.forName(clazz), jsonObject); // $unsafeDeserialization
+        } catch (Exception e) {
+            throw new IOException(e.getMessage());
+        }
+    }
+
+    // BAD: allow explicit class type controlled by remote source in the format of "json={\"javaClass\":\"com.thirdparty.Attacker\", ...}"
+    public void doPut2(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+        String json = req.getParameter("json");
+
+        try {
+            JSONSerializer serializer = new JSONSerializer();
+            serializer.registerDefaultSerializers();
+
+            User user = (User) serializer.fromJSON(json); // $unsafeDeserialization
+        } catch (Exception e) {
+            throw new IOException(e.getMessage());
+        }
+    }
+}

java/ql/test/query-tests/security/CWE-502/Person.java

@@ -0,0 +1,29 @@
+package com.thirdparty;
+
+public class Person {
+    private int snum;
+    private String name;
+
+    public Person() {
+    }
+
+    public int getSnum() {
+        return snum;
+    }
+
+    public void setSnum(int snum) {
+        this.snum = snum;
+    }
+       
+    public String getName() {
+        return name;
+    }
+       
+    public void setName(String name) {
+        this.name = name; 
+    }
+
+    public String toString() {
+          return "Person[ name = "+name+", snum: "+snum+ "]"; 
+    } 
+}

java/ql/test/query-tests/security/CWE-502/User.java

@@ -0,0 +1,29 @@
+package com.example;
+
+public final class User {
+    private String uid;
+    private String name;
+
+    public User() {
+    }
+
+    public String getUid() {
+        return uid;
+    }
+
+    public void setUid(String uid) {
+        this.uid = uid;
+    }
+       
+    public String getName() {
+        return name;
+    }
+       
+    public void setName(String name) {
+        this.name = name; 
+    }
+
+    public String toString() {
+          return "User[ name = "+name+", uid: "+uid+ "]"; 
+    } 
+}

java/ql/test/query-tests/security/CWE-502/options

@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/snakeyaml-1.21:${testdir}/../../../stubs/xstream-1.4.10:${testdir}/../../../stubs/kryo-4.0.2:${testdir}/../../../stubs/jsr311-api-1.1.1:${testdir}/../../../stubs/fastjson-1.2.74:${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/jyaml-1.3:${testdir}/../../../stubs/json-io-4.10.0:${testdir}/../../../stubs/yamlbeans-1.09:${testdir}/../../../stubs/hessian-4.0.38:${testdir}/../../../stubs/castor-1.4.1:${testdir}/../../../stubs/jackson-databind-2.12:${testdir}/../../../stubs/jackson-core-2.12
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/snakeyaml-1.21:${testdir}/../../../stubs/xstream-1.4.10:${testdir}/../../../stubs/kryo-4.0.2:${testdir}/../../../stubs/jsr311-api-1.1.1:${testdir}/../../../stubs/fastjson-1.2.74:${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/jyaml-1.3:${testdir}/../../../stubs/json-io-4.10.0:${testdir}/../../../stubs/yamlbeans-1.09:${testdir}/../../../stubs/hessian-4.0.38:${testdir}/../../../stubs/castor-1.4.1:${testdir}/../../../stubs/jackson-databind-2.12:${testdir}/../../../stubs/jackson-core-2.12:${testdir}/../../../stubs/jabsorb-1.3.2:${testdir}/../../../stubs/json-java-20210307