Look for remote callable method only in RmiUnsafeDeserialization.ql

Author: artem-smotrakov

java/ql/src/experimental/Security/CWE/CWE-502/RmiSafeRemoteObject.java

@@ -1,7 +1,7 @@
 public class Server {
     public static void main(String... args) throws Exception {
         Registry registry = LocateRegistry.createRegistry(1099);
-        registry.bind("unsafe", new RemoteObjectImpl());
+        registry.bind("safe", new RemoteObjectImpl());
     }
 }
 

java/ql/src/experimental/Security/CWE/CWE-502/RmiUnsafeDeserialization.ql

@@ -15,7 +15,7 @@
 import java
 import semmle.code.java.frameworks.Rmi
 
-private class ObjectInputStream extends RefType {
+private class ObjectInputStream extends Class {
   ObjectInputStream() { hasQualifiedName("java.io", "ObjectInputStream") }
 }
 
@@ -35,9 +35,8 @@ private class BindMethod extends Method {
 /**
  * Looks for a vulnerable method in a `Remote` object.
  */
-private Method getVulnerableMethod(Type type) {
-  type.(RefType).getASupertype*() instanceof TypeRemote and
-  exists(Method m, Type parameterType |
+private Method getVulnerableMethod(RefType type) {
+  exists(RemoteCallableMethod m, Type parameterType |
     m.getDeclaringType() = type and parameterType = m.getAParamType()
   |
     not parameterType instanceof PrimitiveType and
@@ -61,5 +60,7 @@ private class UnsafeRmiBinding extends MethodAccess {
   Method getVulnerableMethod() { result = vulnerableMethod }
 }
 
-from UnsafeRmiBinding call
-select call, "Unsafe deserialization with RMI in '" + call.getVulnerableMethod() + "' method"
+from UnsafeRmiBinding call, Method vulnerableMethod
+where vulnerableMethod = call.getVulnerableMethod()
+select call, "Unsafe deserialization with RMI in '$@' method", vulnerableMethod,
+  vulnerableMethod.getStringSignature()

java/ql/test/experimental/query-tests/security/CWE-502/RmiUnsafeDeserialization.expected

@@ -1,4 +1,4 @@
-| RmiUnsafeDeserialization.java:13:9:13:59 | bind(...) | Unsafe deserialization with RMI in 'take' method |
-| RmiUnsafeDeserialization.java:14:9:14:61 | rebind(...) | Unsafe deserialization with RMI in 'take' method |
-| RmiUnsafeDeserialization.java:26:9:26:57 | bind(...) | Unsafe deserialization with RMI in 'take' method |
-| RmiUnsafeDeserialization.java:27:9:27:59 | rebind(...) | Unsafe deserialization with RMI in 'take' method |
+| RmiUnsafeDeserialization.java:13:9:13:59 | bind(...) | Unsafe deserialization with RMI in '$@' method | RmiUnsafeDeserialization.java:42:17:42:20 | take | take(Object) |
+| RmiUnsafeDeserialization.java:14:9:14:61 | rebind(...) | Unsafe deserialization with RMI in '$@' method | RmiUnsafeDeserialization.java:42:17:42:20 | take | take(Object) |
+| RmiUnsafeDeserialization.java:26:9:26:57 | bind(...) | Unsafe deserialization with RMI in '$@' method | RmiUnsafeDeserialization.java:42:17:42:20 | take | take(Object) |
+| RmiUnsafeDeserialization.java:27:9:27:59 | rebind(...) | Unsafe deserialization with RMI in '$@' method | RmiUnsafeDeserialization.java:42:17:42:20 | take | take(Object) |

java/ql/test/experimental/query-tests/security/CWE-502/RmiUnsafeDeserialization.java

@@ -54,4 +54,5 @@ public void take(int n) throws RemoteException {}
     public void take(double n) throws RemoteException {}
     public void take(String s) throws RemoteException {}
     public void take(ObjectInputStream ois) throws RemoteException {}
+    public void safeMethod(Object object) {} // this method is not declared in SafeRemoteObjectInterface
 }