
Commit c3ac3ca

edvraaedvraa
authored andcommitted
FsPickler
1 parent 1682e99 commit c3ac3ca


2 files changed

+159
-0
lines changed


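--- a/csharp/ql/src/semmle/code/csharp/security/dataflow/UnsafeDeserialization.qll
+++ b/csharp/ql/src/semmle/code/csharp/security/dataflow/UnsafeDeserialization.qll
@@ -750,4 +750,52 @@ module UnsafeDeserialization {
 )
 }
 }
+
+/** FsPickler */
+private predicate isWeakTypeFsPicklerCall(MethodCall mc, Method m) {
+m = mc.getTarget() and
+(
+m instanceof FsPicklerSerializerClassUnPickleUntypedMethod or
+m instanceof FsPicklerSerializerClassDeserializeUntypedMethod or
+m instanceof FsPicklerSerializerClassDeserializeSequenceUntypedMethod
+) and
+not mc.getArgument(0).hasValue()
+}
+
+abstract private class FsPicklerWeakTypeSink extends ConstructorOrStaticMethodSink { }
+
+private class FsPicklerDeserializeWeakTypeMethodSink extends FsPicklerWeakTypeSink {
+FsPicklerDeserializeWeakTypeMethodSink() {
+exists(MethodCall mc, Method m |
+isWeakTypeFsPicklerCall(mc, m) and
+this.asExpr() = mc.getArgument(0)
+)
+}
+}
+
+private predicate isStrongTypeFsPicklerCall(MethodCall mc, Method m) {
+m = mc.getTarget() and
+(
+m instanceof FsPicklerSerializerClassDeserializeMethod or
+m instanceof FsPicklerSerializerClassDeserializeSequenceMethod or
+m instanceof FsPicklerSerializerClasDeserializeSiftedMethod or
+m instanceof FsPicklerSerializerClassUnPickleMethod or
+m instanceof FsPicklerSerializerClassUnPickleSiftedMethod or
+m instanceof CsPicklerSerializerClassDeserializeMethod or
+m instanceof CsPicklerSerializerClassUnPickleMethod or
+m instanceof CsPicklerSerializerClassUnPickleOfStringMethod
+) and
+not mc.getArgument(0).hasValue()
+}
+
+abstract private class FsPicklerStrongTypeSink extends InstanceMethodSink { }
+
+private class FsPicklerDeserializeStrongTypeMethodSink extends FsPicklerStrongTypeSink {
+FsPicklerDeserializeStrongTypeMethodSink() {
+exists(MethodCall mc, Method m |
+isStrongTypeFsPicklerCall(mc, m) and
+this.asExpr() = mc.getArgument(0)
+)
+}
+}
 }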
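Review bot: `FsPicklerSerializerClasDeserializeSiftedMethod` in `isStrongTypeFsPicklerCall` drops the `s` in `Class`; it matches the definition in Deserializers.qll so it compiles, but it is the only one of the nine method classes spelled that way and should be `FsPicklerSerializerClassDeserializeSiftedMethod` in both files. The `/** FsPickler */` header would be more useful if it stated the classification the two predicates encode, e.g. `/** FsPickler: the *Untyped entry points are unconditional sinks (type comes from the payload); typed Deserialize/UnPickle calls are instance-method sinks like the other strong-type deserializers in this module */`, since the predicates differ only in that list and the abstract sink they feed. If, as the sink names suggest, `InstanceMethodSink` results are only reported under an additional condition on the receiver, and FsPickler's typed overloads can still materialize arbitrary runtime types recorded in the payload, this split may under-report for FsPickler — worth confirming against the library's own guidance on untrusted input. The enclosing `module UnsafeDeserialization` begins outside the hunk.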

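--- a/csharp/ql/src/semmle/code/csharp/serialization/Deserializers.qll
+++ b/csharp/ql/src/semmle/code/csharp/serialization/Deserializers.qll
@@ -18,6 +18,12 @@ class StrongTypeDeserializer extends Class {
 this instanceof DataContractSerializerClass
 or
 this instanceof XmlMessageFormatterClass
+or
+this instanceof FsPicklerSerializerClass
+or
+this instanceof CsPicklerSerializerClass
+or
+this instanceof CsPicklerTextSerializerClass
 }
 }
 
@@ -513,3 +519,108 @@ class ServiceStackTextXmlSerializerDeserializeFromStreamMethod extends Method, U
 this.isStatic()
 }
 }
+
+/** MBrace.FsPickler.FsPicklerSerializer */
+private class FsPicklerSerializerClass extends Class {
+FsPicklerSerializerClass() { this.hasQualifiedName("MBrace.FsPickler.FsPicklerSerializer") }
+}
+
+/** `MBrace.FsPickler.FsPicklerSerializer.Deserialize` method */
+class FsPicklerSerializerClassDeserializeMethod extends Method, UnsafeDeserializer {
+FsPicklerSerializerClassDeserializeMethod() {
+this.getDeclaringType().getBaseClass*() instanceof FsPicklerSerializerClass and
+this.hasName("Deserialize")
+}
+}
+
+/** `MBrace.FsPickler.FsPicklerSerializer.DeserializeSequence` method */
+class FsPicklerSerializerClassDeserializeSequenceMethod extends Method, UnsafeDeserializer {
+FsPicklerSerializerClassDeserializeSequenceMethod() {
+this.getDeclaringType().getBaseClass*() instanceof FsPicklerSerializerClass and
+this.hasName("DeserializeSequence")
+}
+}
+
+/** `MBrace.FsPickler.FsPicklerSerializer.DeserializeSifted` method */
+class FsPicklerSerializerClasDeserializeSiftedMethod extends Method, UnsafeDeserializer {
+FsPicklerSerializerClasDeserializeSiftedMethod() {
+this.getDeclaringType().getBaseClass*() instanceof FsPicklerSerializerClass and
+this.hasName("DeserializeSifted")
+}
+}
+
+/** `MBrace.FsPickler.FsPicklerSerializer.UnPickle` method */
+class FsPicklerSerializerClassUnPickleMethod extends Method, UnsafeDeserializer {
+FsPicklerSerializerClassUnPickleMethod() {
+this.getDeclaringType().getBaseClass*() instanceof FsPicklerSerializerClass and
+this.hasName("UnPickle")
+}
+}
+
+/** `MBrace.FsPickler.FsPicklerSerializer.UnPickleSifted` method */
+class FsPicklerSerializerClassUnPickleSiftedMethod extends Method, UnsafeDeserializer {
+FsPicklerSerializerClassUnPickleSiftedMethod() {
+this.getDeclaringType().getBaseClass*() instanceof FsPicklerSerializerClass and
+this.hasName("UnPickleSifted")
+}
+}
+
+/** `MBrace.FsPickler.FsPicklerSerializer.DeserializeUntyped` method */
+class FsPicklerSerializerClassDeserializeUntypedMethod extends Method, UnsafeDeserializer {
+FsPicklerSerializerClassDeserializeUntypedMethod() {
+this.getDeclaringType().getBaseClass*() instanceof FsPicklerSerializerClass and
+this.hasName("DeserializeUntyped")
+}
+}
+
+/** `MBrace.FsPickler.FsPicklerSerializer.DeserializeSequenceUntyped` method */
+class FsPicklerSerializerClassDeserializeSequenceUntypedMethod extends Method, UnsafeDeserializer {
+FsPicklerSerializerClassDeserializeSequenceUntypedMethod() {
+this.getDeclaringType().getBaseClass*() instanceof FsPicklerSerializerClass and
+this.hasName("DeserializeSequenceUntyped")
+}
+}
+
+/** `MBrace.FsPickler.FsPicklerSerializer.UnPickleUntyped` method */
+class FsPicklerSerializerClassUnPickleUntypedMethod extends Method, UnsafeDeserializer {
+FsPicklerSerializerClassUnPickleUntypedMethod() {
+this.getDeclaringType().getBaseClass*() instanceof FsPicklerSerializerClass and
+this.hasName("UnPickleUntyped")
+}
+}
+
+/** MBrace.CsPickler.CsPicklerSerializer */
+private class CsPicklerSerializerClass extends Class {
+CsPicklerSerializerClass() { this.hasQualifiedName("MBrace.CsPickler.CsPicklerSerializer") }
+}
+
+/** `MBrace.FsPickler.CsPicklerSerializer.Deserialize` method */
+class CsPicklerSerializerClassDeserializeMethod extends Method, UnsafeDeserializer {
+CsPicklerSerializerClassDeserializeMethod() {
+this.getDeclaringType().getBaseClass*() instanceof CsPicklerSerializerClass and
+this.hasName("Deserialize")
+}
+}
+
+/** `MBrace.FsPickler.CsPicklerSerializer.UnPickle` method */
+class CsPicklerSerializerClassUnPickleMethod extends Method, UnsafeDeserializer {
+CsPicklerSerializerClassUnPickleMethod() {
+this.getDeclaringType().getBaseClass*() instanceof CsPicklerSerializerClass and
+this.hasName("UnPickle")
+}
+}
+
+/** MBrace.CsPickler.CsPicklerTextSerializer */
+private class CsPicklerTextSerializerClass extends Class {
+CsPicklerTextSerializerClass() {
+this.hasQualifiedName("MBrace.CsPickler.CsPicklerTextSerializer")
+}
+}
+
+/** `MBrace.FsPickler.CsPicklerTextSerializer.UnPickleOfString` method */
+class CsPicklerSerializerClassUnPickleOfStringMethod extends Method, UnsafeDeserializer {
+CsPicklerSerializerClassUnPickleOfStringMethod() {
+this.getDeclaringType().getBaseClass*() instanceof CsPicklerTextSerializerClass and
+this.hasName("UnPickleOfString")
+}
+}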
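Review bot: The doc comments on the three CsPickler method classes (new lines 597, 605 and 620) say `MBrace.FsPickler.CsPicklerSerializer…`, but the classes they match against are `MBrace.CsPickler.CsPicklerSerializer` and `MBrace.CsPickler.CsPicklerTextSerializer` (new lines 594 and 616); they should read `MBrace.CsPickler.CsPicklerSerializer.Deserialize`, `MBrace.CsPickler.CsPicklerSerializer.UnPickle` and `MBrace.CsPickler.CsPicklerTextSerializer.UnPickleOfString`. `CsPicklerSerializerClassUnPickleOfStringMethod` is declared on `CsPicklerTextSerializerClass`, so `CsPicklerTextSerializerClassUnPickleOfStringMethod` would follow the naming of its siblings, and `FsPicklerSerializerClasDeserializeSiftedMethod` is missing the `s` in `Class` (its only other use is in UnsafeDeserialization.qll, so the rename is a two-file change). Every method class here matches by `hasName` alone, and the sinks in UnsafeDeserialization.qll then take argument 0 of every overload as the payload; if any overload of these methods takes something other than the data as its first parameter, that call would be mis-attributed, so the overload set is worth confirming against the library. Adding the three classes to `StrongTypeDeserializer` (first hunk) is a reasonable step, but the doc comments do not say what membership there implies for the query, and a one-line note at that site would help.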
