[Java] Jackson add support for 2 step deserialization taint flow

Author: JLLeitschuh

java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll

@@ -77,6 +77,7 @@ private module Frameworks {
   private import semmle.code.java.frameworks.ApacheHttp
   private import semmle.code.java.frameworks.apache.Lang
   private import semmle.code.java.frameworks.guava.Guava
+  private import semmle.code.java.frameworks.jackson.JacksonSerializability
   private import semmle.code.java.security.ResponseSplitting
   private import semmle.code.java.security.XSS
   private import semmle.code.java.security.LdapInjection

java/ql/src/semmle/code/java/frameworks/jackson/JacksonSerializability.qll

@@ -9,6 +9,7 @@ import semmle.code.java.Reflection
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.DataFlow5
 import semmle.code.java.dataflow.FlowSteps
+private import semmle.code.java.dataflow.ExternalFlow
 
 /**
  * A `@com.fasterxml.jackson.annotation.JsonIgnore` annoation.
@@ -275,3 +276,13 @@ class JacksonMixedInCallable extends Callable {
     )
   }
 }
+
+private class JacksonModel extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "com.fasterxml.jackson.databind;ObjectMapper;true;valueToTree;;;Argument[0];ReturnValue;taint",
+        "com.fasterxml.jackson.databind;ObjectMapper;true;convertValue;;;Argument[0];ReturnValue;taint"
+      ]
+  }
+}

java/ql/test/library-tests/dataflow/taint-jackson/Test.java

@@ -4,9 +4,12 @@
 import java.io.StringWriter;
 import java.io.Writer;
 import java.util.Iterator;
+import java.util.HashMap;
+import java.util.Map;
 
 import com.fasterxml.jackson.core.JsonFactory;
 import com.fasterxml.jackson.core.JsonGenerator;
+import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.databind.ObjectWriter;
 import com.fasterxml.jackson.databind.ObjectReader;
@@ -94,4 +97,16 @@ public static void jacksonObjectReaderIterable() throws java.io.IOException {
 			sink(p.getName()); //$hasTaintFlow
 		}
 	}
+
+	public static void jacksonTwoStepDeserialization() throws java.io.IOException {
+		String s = taint();
+		Map<String, Object> taintedParams = new HashMap<>();
+		taintedParams.put("name", s);
+		ObjectMapper om = new ObjectMapper();
+		JsonNode jn = om.valueToTree(taintedParams);
+		sink(jn); //$hasTaintFlow
+		Potato p = om.convertValue(jn, Potato.class);
+		sink(p); //$hasTaintFlow
+		sink(p.getName()); //$hasTaintFlow
+	}
 }

java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/JsonNode.java

@@ -1,6 +1,8 @@
 package com.fasterxml.jackson.databind;
 
-public class JsonNode {
+import java.util.*;
+
+public abstract class JsonNode implements Iterable<JsonNode> {
     public JsonNode() {
     }
 }

java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/ObjectMapper.java

@@ -30,4 +30,12 @@ public String writeValueAsString(Object value) {
   public ObjectReader readerFor(Class<?> type) {
     return null;
   }
+
+  public <T extends JsonNode> T valueToTree(Object fromValue) throws IllegalArgumentException {
+    return null;
+  }
+
+  public <T> T convertValue(Object fromValue, Class<T> toValueType) throws IllegalArgumentException {
+    return null;
+  }
 }