Merge pull request github#5814 from JLLeitschuh/feat/JLL/jackson_as_taint_step

[Java] Add taint tracking through Jackson deserialization

Author: aschackmull

java/change-notes/2021-05-03-jackson-dataflow-deserialization.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Increase coverage of dataflow through Jackson JSON deserialized objects.

java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll

@@ -77,6 +77,7 @@ private module Frameworks {
   private import semmle.code.java.frameworks.ApacheHttp
   private import semmle.code.java.frameworks.apache.Lang
   private import semmle.code.java.frameworks.guava.Guava
+  private import semmle.code.java.frameworks.jackson.JacksonSerializability
   private import semmle.code.java.security.ResponseSplitting
   private import semmle.code.java.security.XSS
   private import semmle.code.java.security.LdapInjection

java/ql/src/semmle/code/java/frameworks/jackson/JacksonSerializability.qll

@@ -9,6 +9,7 @@ import semmle.code.java.Reflection
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.DataFlow5
 import semmle.code.java.dataflow.FlowSteps
+private import semmle.code.java.dataflow.ExternalFlow
 
 /**
  * A `@com.fasterxml.jackson.annotation.JsonIgnore` annoation.
@@ -28,7 +29,7 @@ abstract class JacksonSerializableType extends Type { }
  * A method used for serializing objects using Jackson. The final parameter is the object to be
  * serialized.
  */
-library class JacksonWriteValueMethod extends Method, TaintPreservingCallable {
+private class JacksonWriteValueMethod extends Method, TaintPreservingCallable {
   JacksonWriteValueMethod() {
     (
       getDeclaringType().hasQualifiedName("com.fasterxml.jackson.databind", "ObjectWriter") or
@@ -50,8 +51,20 @@ library class JacksonWriteValueMethod extends Method, TaintPreservingCallable {
   }
 }
 
+private class JacksonReadValueMethod extends Method, TaintPreservingCallable {
+  JacksonReadValueMethod() {
+    (
+      getDeclaringType().hasQualifiedName("com.fasterxml.jackson.databind", "ObjectReader") or
+      getDeclaringType().hasQualifiedName("com.fasterxml.jackson.databind", "ObjectMapper")
+    ) and
+    hasName(["readValue", "readValues"])
+  }
+
+  override predicate returnsTaintFrom(int arg) { arg = 0 }
+}
+
 /** A type whose values are explicitly serialized in a call to a Jackson method. */
-library class ExplicitlyWrittenJacksonSerializableType extends JacksonSerializableType {
+private class ExplicitlyWrittenJacksonSerializableType extends JacksonSerializableType {
   ExplicitlyWrittenJacksonSerializableType() {
     exists(MethodAccess ma |
       // A call to a Jackson write method...
@@ -63,7 +76,7 @@ library class ExplicitlyWrittenJacksonSerializableType extends JacksonSerializab
 }
 
 /** A type used in a `JacksonSerializableField` declaration. */
-library class FieldReferencedJacksonSerializableType extends JacksonSerializableType {
+private class FieldReferencedJacksonSerializableType extends JacksonSerializableType {
   FieldReferencedJacksonSerializableType() {
     exists(JacksonSerializableField f | usesType(f.getType(), this))
   }
@@ -96,17 +109,24 @@ private class TypeLiteralToJacksonDatabindFlowConfiguration extends DataFlow5::C
 }
 
 /** A type whose values are explicitly deserialized in a call to a Jackson method. */
-library class ExplicitlyReadJacksonDeserializableType extends JacksonDeserializableType {
+private class ExplicitlyReadJacksonDeserializableType extends JacksonDeserializableType {
   ExplicitlyReadJacksonDeserializableType() {
     exists(TypeLiteralToJacksonDatabindFlowConfiguration conf |
       usesType(conf.getSourceWithFlowToJacksonDatabind().getTypeName().getType(), this)
     )
+    or
+    exists(MethodAccess ma |
+      // A call to a Jackson read method...
+      ma.getMethod() instanceof JacksonReadValueMethod and
+      // ...where `this` is used in the final argument, indicating that this type will be deserialized.
+      usesType(ma.getArgument(ma.getNumArgument() - 1).getType(), this)
+    )
   }
 }
 
 /** A type used in a `JacksonDeserializableField` declaration. */
-library class FieldReferencedJacksonDeSerializableType extends JacksonDeserializableType {
-  FieldReferencedJacksonDeSerializableType() {
+private class FieldReferencedJacksonDeserializableType extends JacksonDeserializableType {
+  FieldReferencedJacksonDeserializableType() {
     exists(JacksonDeserializableField f | usesType(f.getType(), this))
   }
 }
@@ -135,6 +155,21 @@ class JacksonDeserializableField extends DeserializableField {
   }
 }
 
+/** A call to a field that may be deserialized using the Jackson JSON framework. */
+private class JacksonDeserializableFieldAccess extends FieldAccess {
+  JacksonDeserializableFieldAccess() { getField() instanceof JacksonDeserializableField }
+}
+
+/**
+ * When an object is deserialized by the Jackson JSON framework using a tainted input source,
+ * the fields that the framework deserialized are themselves tainted input data.
+ */
+private class JacksonDeserializedTaintStep extends AdditionalTaintStep {
+  override predicate step(DataFlow::Node node1, DataFlow::Node node2) {
+    DataFlow::getFieldQualifier(node2.asExpr().(JacksonDeserializableFieldAccess)) = node1
+  }
+}
+
 /**
  * A call to the `addMixInAnnotations` or `addMixIn` Jackson method.
  *
@@ -239,3 +274,13 @@ class JacksonMixedInCallable extends Callable {
     )
   }
 }
+
+private class JacksonModel extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "com.fasterxml.jackson.databind;ObjectMapper;true;valueToTree;;;Argument[0];ReturnValue;taint",
+        "com.fasterxml.jackson.databind;ObjectMapper;true;convertValue;;;Argument[0];ReturnValue;taint"
+      ]
+  }
+}

java/ql/test/library-tests/dataflow/taint-jackson/Test.java

@@ -3,50 +3,110 @@
 import java.io.OutputStream;
 import java.io.StringWriter;
 import java.io.Writer;
+import java.util.Iterator;
+import java.util.HashMap;
+import java.util.Map;
 
 import com.fasterxml.jackson.core.JsonFactory;
 import com.fasterxml.jackson.core.JsonGenerator;
+import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.databind.ObjectWriter;
+import com.fasterxml.jackson.databind.ObjectReader;
 
 class Test {
+	public static class Potato {
+		private String name;
+
+		private String getName() {
+			return name;
+		}
+	}
+
 	public static String taint() {
 		return "tainted";
 	}
 
+	public static void sink(Object any) {}
+
 	public static void jacksonObjectMapper() throws java.io.FileNotFoundException, java.io.UnsupportedEncodingException {
 		String s = taint();
 		ObjectMapper om = new ObjectMapper();
 		File file = new File("testFile");
 		om.writeValue(file, s);
+		sink(file); //$hasTaintFlow
 		OutputStream out = new FileOutputStream(file);
 		om.writeValue(out, s);
+		sink(file); //$hasTaintFlow
 		Writer writer = new StringWriter();
 		om.writeValue(writer, s);
+		sink(writer); //$hasTaintFlow
 		JsonGenerator generator = new JsonFactory().createGenerator(new StringWriter());
 		om.writeValue(generator, s);
+		sink(generator); //$hasTaintFlow
 		String t = om.writeValueAsString(s);
-		System.out.println(t);
+		sink(t); //$hasTaintFlow
 		byte[] bs = om.writeValueAsBytes(s);
 		String reconstructed = new String(bs, "utf-8");
-		System.out.println(reconstructed);
+		sink(bs); //$hasTaintFlow
+		sink(reconstructed); //$hasTaintFlow
 	}
 
 	public static void jacksonObjectWriter() throws java.io.FileNotFoundException, java.io.UnsupportedEncodingException {
 		String s = taint();
 		ObjectWriter ow = new ObjectWriter();
 		File file = new File("testFile");
 		ow.writeValue(file, s);
+		sink(file); //$hasTaintFlow
 		OutputStream out = new FileOutputStream(file);
 		ow.writeValue(out, s);
+		sink(out); //$hasTaintFlow
 		Writer writer = new StringWriter();
 		ow.writeValue(writer, s);
+		sink(writer); //$hasTaintFlow
 		JsonGenerator generator = new JsonFactory().createGenerator(new StringWriter());
 		ow.writeValue(generator, s);
+		sink(generator); //$hasTaintFlow
 		String t = ow.writeValueAsString(s);
-		System.out.println(t);
+		sink(t); //$hasTaintFlow
 		byte[] bs = ow.writeValueAsBytes(s);
 		String reconstructed = new String(bs, "utf-8");
-		System.out.println(reconstructed);
+		sink(bs); //$hasTaintFlow
+		sink(reconstructed); //$hasTaintFlow
+	}
+
+	public static void jacksonObjectReader() throws java.io.IOException {
+		String s = taint();
+		ObjectMapper om = new ObjectMapper();
+		ObjectReader reader = om.readerFor(Potato.class);
+		sink(reader.readValue(s));  //$hasTaintFlow
+		sink(reader.readValue(s, Potato.class).name);  //$hasTaintFlow
+		sink(reader.readValue(s, Potato.class).getName());  //$hasTaintFlow
+	}
+
+	public static void jacksonObjectReaderIterable() throws java.io.IOException {
+		String s = taint();
+		ObjectMapper om = new ObjectMapper();
+		ObjectReader reader = om.readerFor(Potato.class);
+		sink(reader.readValues(s));  //$hasTaintFlow
+		Iterator<Potato> pIterator = reader.readValues(s, Potato.class);
+		while(pIterator.hasNext()) {
+			Potato p = pIterator.next();
+			sink(p); //$hasTaintFlow
+			sink(p.name); //$hasTaintFlow
+			sink(p.getName()); //$hasTaintFlow
+		}
+	}
+
+	public static void jacksonTwoStepDeserialization() throws java.io.IOException {
+		String s = taint();
+		Map<String, Object> taintedParams = new HashMap<>();
+		taintedParams.put("name", s);
+		ObjectMapper om = new ObjectMapper();
+		JsonNode jn = om.valueToTree(taintedParams);
+		sink(jn); //$hasTaintFlow
+		Potato p = om.convertValue(jn, Potato.class);
+		sink(p); //$hasTaintFlow
+		sink(p.getName()); //$hasTaintFlow
 	}
 }

java/ql/test/library-tests/dataflow/taint-jackson/dataFlow.expected

@@ -1,48 +0,0 @@
-| ../../../stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/ObjectMapper.java:10:43:10:54 | value |
-| ../../../stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/ObjectMapper.java:13:73:13:84 | value |
-| ../../../stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/ObjectMapper.java:16:44:16:55 | value |
-| ../../../stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/ObjectMapper.java:19:36:19:47 | value |
-| ../../../stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/ObjectMapper.java:22:35:22:46 | value |
-| ../../../stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/ObjectMapper.java:26:36:26:47 | value |
-| ../../../stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/ObjectWriter.java:10:43:10:54 | value |
-| ../../../stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/ObjectWriter.java:13:73:13:84 | value |
-| ../../../stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/ObjectWriter.java:16:44:16:55 | value |
-| ../../../stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/ObjectWriter.java:19:36:19:47 | value |
-| ../../../stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/ObjectWriter.java:22:35:22:46 | value |
-| ../../../stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/ObjectWriter.java:26:36:26:47 | value |
-| Test.java:18:14:18:20 | taint(...) |
-| Test.java:21:17:21:20 | file [post update] |
-| Test.java:21:23:21:23 | s |
-| Test.java:22:43:22:46 | file |
-| Test.java:23:17:23:19 | out [post update] |
-| Test.java:23:22:23:22 | s |
-| Test.java:25:17:25:22 | writer [post update] |
-| Test.java:25:25:25:25 | s |
-| Test.java:27:17:27:25 | generator [post update] |
-| Test.java:27:28:27:28 | s |
-| Test.java:28:14:28:37 | writeValueAsString(...) |
-| Test.java:28:36:28:36 | s |
-| Test.java:29:22:29:22 | t |
-| Test.java:30:15:30:37 | writeValueAsBytes(...) |
-| Test.java:30:36:30:36 | s |
-| Test.java:31:26:31:48 | new String(...) |
-| Test.java:31:37:31:38 | bs |
-| Test.java:32:22:32:34 | reconstructed |
-| Test.java:36:14:36:20 | taint(...) |
-| Test.java:39:17:39:20 | file [post update] |
-| Test.java:39:23:39:23 | s |
-| Test.java:40:43:40:46 | file |
-| Test.java:41:17:41:19 | out [post update] |
-| Test.java:41:22:41:22 | s |
-| Test.java:43:17:43:22 | writer [post update] |
-| Test.java:43:25:43:25 | s |
-| Test.java:45:17:45:25 | generator [post update] |
-| Test.java:45:28:45:28 | s |
-| Test.java:46:14:46:37 | writeValueAsString(...) |
-| Test.java:46:36:46:36 | s |
-| Test.java:47:22:47:22 | t |
-| Test.java:48:15:48:37 | writeValueAsBytes(...) |
-| Test.java:48:36:48:36 | s |
-| Test.java:49:26:49:48 | new String(...) |
-| Test.java:49:37:49:38 | bs |
-| Test.java:50:22:50:34 | reconstructed |

java/ql/test/library-tests/dataflow/taint-jackson/dataFlow.ql

@@ -1,17 +1,34 @@
+import java
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.dataflow.FlowSources
+import TestUtilities.InlineExpectationsTest
 
 class Conf extends TaintTracking::Configuration {
   Conf() { this = "qltest:dataflow:jackson" }
 
-  override predicate isSource(DataFlow::Node source) {
-    source.asExpr().(MethodAccess).getMethod().hasName("taint")
+  override predicate isSource(DataFlow::Node n) {
+    n.asExpr().(MethodAccess).getMethod().hasName("taint")
+    or
+    n instanceof RemoteFlowSource
   }
 
-  override predicate isSink(DataFlow::Node sink) { any() }
+  override predicate isSink(DataFlow::Node n) {
+    exists(MethodAccess ma | ma.getMethod().hasName("sink") | n.asExpr() = ma.getAnArgument())
+  }
 }
 
-from DataFlow::Node source, DataFlow::Node sink, Conf config
-where config.hasFlow(source, sink)
-select sink
+class HasFlowTest extends InlineExpectationsTest {
+  HasFlowTest() { this = "HasFlowTest" }
+
+  override string getARelevantTag() { result = "hasTaintFlow" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "hasTaintFlow" and
+    exists(DataFlow::Node src, DataFlow::Node sink, Conf conf | conf.hasFlow(src, sink) |
+      sink.getLocation() = location and
+      element = sink.toString() and
+      value = ""
+    )
+  }
+}

java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/JsonNode.java

@@ -1,6 +1,8 @@
 package com.fasterxml.jackson.databind;
 
-public class JsonNode {
+import java.util.*;
+
+public abstract class JsonNode implements Iterable<JsonNode> {
     public JsonNode() {
     }
-}
+}

java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/MappingIterator.java

@@ -0,0 +1,28 @@
+package com.fasterxml.jackson.databind;
+
+import java.io.Closeable;
+import java.io.IOException;
+import java.util.*;
+
+public class MappingIterator<T> implements Iterator<T>, Closeable {
+
+    @Override
+    public boolean hasNext() {
+        return false;
+    }
+
+    @Override
+    public T next() {
+        return null;
+    }
+
+    @Override
+    public void remove() {
+        
+    }
+
+    @Override
+    public void close() throws IOException {
+        
+    }
+}

java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/ObjectMapper.java

@@ -26,4 +26,16 @@ public byte[] writeValueAsBytes(Object value) {
   public String writeValueAsString(Object value) {
     return null;
   }
+
+  public ObjectReader readerFor(Class<?> type) {
+    return null;
+  }
+
+  public <T extends JsonNode> T valueToTree(Object fromValue) throws IllegalArgumentException {
+    return null;
+  }
+
+  public <T> T convertValue(Object fromValue, Class<T> toValueType) throws IllegalArgumentException {
+    return null;
+  }
 }