Added SpringHttpInvokerUnsafeDeserialization.qhelp and example

Author: artem-smotrakov

java/ql/src/experimental/Security/CWE/CWE-502/SpringHttpInvokerUnsafeDeserialization.qhelp

@@ -0,0 +1,69 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Spring Framework provides an abstract base class <code>RemoteInvocationSerializingExporter</code>
+for defining remote service exporters.
+A Spring exporter, which is based on this class, deserializes incoming data using <code>ObjectInputStream</code>.
+Deserializing untrusted data is easily exploitable and in many cases allows an attacker
+to execute arbitrary code.
+</p>
+<p>
+Spring Framework also provides two classes that extend <code>RemoteInvocationSerializingExporter</code>:
+<li>
+<code>HttpInvokerServiceExporter</code>
+</li>
+<li>
+<code>SimpleHttpInvokerServiceExporter</code>
+</li>
+</p>
+<p>
+These classes export specified beans as HTTP endpoints that deserialize data from an HTTP request
+using unsafe <code>ObjectInputStream</code>. If a remote attacker can reach such endpoints,
+it results in remote code execution.
+</p>
+</overview>
+
+<recommendation>
+<p>
+Avoid using <code>HttpInvokerServiceExporter</code>, <code>SimpleHttpInvokerServiceExporter</code>
+and other exporters that are based on <code>RemoteInvocationSerializingExporter</code>.
+Instead, use other message formats for API endpoints (for example, JSON),
+but make sure that the underlying deserialization mechanism is properly configured
+so that deserialization attacks are not possible. If the vulnerable exporters can not be replaced,
+consider using global deserialization filters introduced by JEP 290.
+In general, avoid deserialization of untrusted data.
+</p>
+</recommendation>
+
+<example>
+<p>
+The following example defines a vulnerable HTTP endpoint:
+</p>
+<sample src="UnsafeHttpInvokerEndpoint.java" />
+</example>
+
+<references>
+<li>
+OWASP:
+<a href="https://www.owasp.org/index.php/Deserialization_of_untrusted_data">Deserialization of untrusted data</a>.
+</li>
+<li>
+National Vulnerability Database:
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2016-1000027">CVE-2016-1000027</a>
+</li>
+<li>
+Tenable Research Advisory:
+<a href="https://www.tenable.com/security/research/tra-2016-20">[R2] Pivotal Spring Framework HttpInvokerServiceExporter readRemoteInvocation Method Untrusted Java Deserialization</a>
+</li>
+<li>
+Spring Framework bug tracker:
+<a href="https://github.com/spring-projects/spring-framework/issues/24434">Sonatype vulnerability CVE-2016-1000027 in Spring-web project</a>  
+</li>
+<li>
+OpenJDK:
+<a href="https://openjdk.java.net/jeps/290">JEP 290: Filter Incoming Serialization Data</a>
+</li>
+</references>
+</qhelp>

java/ql/src/experimental/Security/CWE/CWE-502/UnsafeHttpInvokerEndpoint.java

@@ -0,0 +1,24 @@
+@Configuration
+public class Server {
+
+    @Bean(name = "/account")
+    HttpInvokerServiceExporter accountService() {
+        HttpInvokerServiceExporter exporter = new HttpInvokerServiceExporter();
+        exporter.setService(new AccountServiceImpl());
+        exporter.setServiceInterface(AccountService.class);
+        return exporter;
+    }
+
+}
+
+class AccountServiceImpl implements AccountService {
+
+    @Override
+    public String echo(String data) {
+        return data;
+    }
+}
+
+interface AccountService {
+    String echo(String data);
+}