Merge branch 'unsafe-jackson-deserialization' of github.com:artem-smotrakov/ql into unsafe-jackson-deserialization

artem-smotrakov · artem-smotrakov · commit c367c7e33b6d · 2021-07-16T18:26:38.000+02:00
diff --git a/java/ql/src/semmle/code/java/frameworks/JacksonQuery.qll b/java/ql/src/semmle/code/java/frameworks/JacksonQuery.qll
@@ -64,15 +64,15 @@ private class ObjectMapperReadQualifier extends DataFlow::ExprNode {
 /** A source that sets a type validator. */
 private class SetPolymorphicTypeValidatorSource extends DataFlow::ExprNode {
   SetPolymorphicTypeValidatorSource() {
-    exists(MethodAccess ma, Method m, Expr q | m = ma.getMethod() and q = ma.getQualifier() |
+    exists(MethodAccess ma, Method m | m = ma.getMethod() |
       (
         m.getDeclaringType() instanceof ObjectMapper and
         m.hasName("setPolymorphicTypeValidator")
         or
         m.getDeclaringType() instanceof MapperBuilder and
         m.hasName("polymorphicTypeValidator")
       ) and
-      this.asExpr() = q
+      this.asExpr() = ma.getQualifier()
     )
   }
 }
@@ -120,7 +120,7 @@ class EnableJacksonDefaultTypingConfig extends DataFlow2::Configuration {
 }
 
 /**
- * Tracks flow from calls, which set a type validator, to a subsequent Jackson deserialization method call,
+ * Tracks flow from calls which set a type validator to a subsequent Jackson deserialization method call,
  * including across builder method calls.
  *
  * Such a Jackson deserialization method call is safe because validation will likely prevent instantiating unexpected types.

Original file line number	Diff line number	Diff line change
`@@ -64,15 +64,15 @@ private class ObjectMapperReadQualifier extends DataFlow::ExprNode {`
`64`	`64`	`/** A source that sets a type validator. */`
`65`	`65`	`private class SetPolymorphicTypeValidatorSource extends DataFlow::ExprNode {`
`66`	`66`	`SetPolymorphicTypeValidatorSource() {`
`67`		`- exists(MethodAccess ma, Method m, Expr q \| m = ma.getMethod() and q = ma.getQualifier() \|`
	`67`	`+ exists(MethodAccess ma, Method m \| m = ma.getMethod() \|`
`68`	`68`	`(`
`69`	`69`	`m.getDeclaringType() instanceof ObjectMapper and`
`70`	`70`	`m.hasName("setPolymorphicTypeValidator")`
`71`	`71`	`or`
`72`	`72`	`m.getDeclaringType() instanceof MapperBuilder and`
`73`	`73`	`m.hasName("polymorphicTypeValidator")`
`74`	`74`	`) and`
`75`		`- this.asExpr() = q`
	`75`	`+ this.asExpr() = ma.getQualifier()`
`76`	`76`	`)`
`77`	`77`	`}`
`78`	`78`	`}`
`@@ -120,7 +120,7 @@ class EnableJacksonDefaultTypingConfig extends DataFlow2::Configuration {`
`120`	`120`	`}`
`121`	`121`
`122`	`122`	`/**`
`123`		`- * Tracks flow from calls, which set a type validator, to a subsequent Jackson deserialization method call,`
	`123`	`+ * Tracks flow from calls which set a type validator to a subsequent Jackson deserialization method call,`
`124`	`124`	`* including across builder method calls.`
`125`	`125`	`*`
`126`	`126`	`* Such a Jackson deserialization method call is safe because validation will likely prevent instantiating unexpected types.`