
Commit 478309c

committed
Add UnsafeDeserializationRmi
1 parent e2cfea1 commit 478309c


1 file changed

+10
-9
lines changed


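--- a/java/ql/src/experimental/Security/CWE/CWE-502/UnsafeDeserializationRmi.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-502/UnsafeDeserializationRmi.ql
@@ -16,7 +16,7 @@
 import java
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.frameworks.Rmi
-import DataFlow::PathGraph
+import BindingUnsafeRemoteObjectFlow::PathGraph
 
 /**
 * A method that binds a name to a remote object.
@@ -48,22 +48,20 @@ private predicate hasVulnerableMethod(RefType type) {
 * A taint-tracking configuration for unsafe remote objects
 * that are vulnerable to deserialization attacks.
 */
-private class BindingUnsafeRemoteObjectConfig extends TaintTracking::Configuration {
-BindingUnsafeRemoteObjectConfig() { this = "BindingUnsafeRemoteObjectConfig" }
-
-override predicate isSource(DataFlow::Node source) {
+private module BindingUnsafeRemoteObjectConfig implements DataFlow::ConfigSig {
+predicate isSource(DataFlow::Node source) {
 exists(ConstructorCall cc | cc = source.asExpr() |
 hasVulnerableMethod(cc.getConstructedType().getAnAncestor())
 )
 }
 
-override predicate isSink(DataFlow::Node sink) {
+predicate isSink(DataFlow::Node sink) {
 exists(MethodAccess ma | ma.getArgument(1) = sink.asExpr() |
 ma.getMethod() instanceof BindMethod
 )
 }
 
-override predicate isAdditionalTaintStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
+predicate isAdditionalFlowStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
 exists(MethodAccess ma, Method m | m = ma.getMethod() |
 m.getDeclaringType().hasQualifiedName("java.rmi.server", "UnicastRemoteObject") and
 m.hasName("exportObject") and
@@ -74,6 +72,9 @@ private class BindingUnsafeRemoteObjectConfig extends TaintTracking::Configurati
 }
 }
 
-from DataFlow::PathNode source, DataFlow::PathNode sink, BindingUnsafeRemoteObjectConfig conf
-where conf.hasFlowPath(source, sink)
+private module BindingUnsafeRemoteObjectFlow =
+TaintTracking::Global<BindingUnsafeRemoteObjectConfig>;
+
+from BindingUnsafeRemoteObjectFlow::PathNode source, BindingUnsafeRemoteObjectFlow::PathNode sink
+where BindingUnsafeRemoteObjectFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "Unsafe deserialization in a remote object."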
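Review bot: Nothing near `BindingUnsafeRemoteObjectConfig` or `BindingUnsafeRemoteObjectFlow` records that the `exportObject` step in `isAdditionalFlowStep` (second hunk) is a taint step only because the third hunk instantiates the config through `TaintTracking::Global`. I would add a QLDoc comment above `BindingUnsafeRemoteObjectFlow`, for example `/** Taint flow from the construction of a remote object with a vulnerable method to the object argument of a bind call. */`, so the config is not later re-instantiated with `DataFlow::Global` by mistake. Only the `.ql` file is touched, so if this query has a test, it should be re-run to confirm the alert set is unchanged after the migration. The body of `isAdditionalFlowStep` continues outside the second hunk.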
