Merge pull request github#13179 from pwntester/java_gson

[Java] Add basic support for Google's Gson library

Author: atorralba

java/ql/lib/change-notes/2023-05-30-gson-models.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added dataflow models for the Gson deserialization library.

java/ql/lib/ext/com.google.gson.model.yml

@@ -0,0 +1,44 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: summaryModel
+    data:
+      - ["com.google.gson", "Gson", False, "fromJson", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["com.google.gson", "Gson", False, "toJson", "(JsonElement)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["com.google.gson", "Gson", False, "toJson", "(JsonElement,JsonWriter)", "", "Argument[0]", "Argument[1]", "taint", "manual"]
+      - ["com.google.gson", "Gson", False, "toJson", "(JsonElement,Appendable)", "", "Argument[0]", "Argument[1]", "taint", "manual"]
+      - ["com.google.gson", "Gson", False, "toJson", "(Object)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["com.google.gson", "Gson", False, "toJson", "(Object,Appendable)", "", "Argument[0]", "Argument[1]", "taint", "manual"]
+      - ["com.google.gson", "Gson", False, "toJson", "(Object,Type)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["com.google.gson", "Gson", False, "toJson", "(Object,Type,Appendable)", "", "Argument[0]", "Argument[2]", "taint", "manual"]
+      - ["com.google.gson", "Gson", False, "toJson", "(Object,Type,JsonWriter)", "", "Argument[0]", "Argument[2]", "taint", "manual"]
+      - ["com.google.gson", "Gson", False, "toJsonTree", "(Object)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["com.google.gson", "Gson", False, "toJsonTree", "(Object,Type)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["com.google.gson", "Gson", False, "toString", "()", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["com.google.gson", "Gson", False, "newJsonReader", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["com.google.gson", "Gson", False, "newJsonWriter", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["com.google.gson.stream", "JsonReader", False, "nextName", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["com.google.gson.stream", "JsonReader", False, "nextString", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["com.google.gson", "JsonElement", True, "getAsByte", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["com.google.gson", "JsonElement", True, "getAsCharacter", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["com.google.gson", "JsonElement", True, "getAsJsonArray", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["com.google.gson", "JsonElement", True, "getAsJsonObject", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["com.google.gson", "JsonElement", True, "getAsJsonPrimitive", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["com.google.gson", "JsonElement", True, "getAsString", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["com.google.gson", "JsonElement", True, "toString", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["com.google.gson", "JsonArray", True, "add", "", "", "Argument[0]", "Argument[this].Element", "value", "manual"]
+      - ["com.google.gson", "JsonArray", True, "asList", "", "", "Argument[this].Element", "ReturnValue.Element", "value", "manual"]
+      - ["com.google.gson", "JsonArray", True, "get", "", "", "Argument[this].Element", "ReturnValue", "value", "manual"]
+      - ["com.google.gson", "JsonArray", True, "set", "", "", "Argument[1]", "Argument[this].Element", "value", "manual"]
+      - ["com.google.gson", "JsonObject", True, "add", "", "", "Argument[0]", "Argument[this].MapKey", "value", "manual"]
+      - ["com.google.gson", "JsonObject", True, "add", "", "", "Argument[1]", "Argument[this].MapValue", "value", "manual"]
+      - ["com.google.gson", "JsonObject", True, "addProperty", "(String,String)", "", "Argument[0]", "Argument[this].MapKey", "value", "manual"]
+      - ["com.google.gson", "JsonObject", True, "addProperty", "(String,String)", "", "Argument[1]", "Argument[this].MapValue", "value", "manual"]
+      - ["com.google.gson", "JsonObject", True, "asMap", "", "", "Argument[this].MapKey", "ReturnValue.MapKey", "value", "manual"]
+      - ["com.google.gson", "JsonObject", True, "asMap", "", "", "Argument[this].MapValue", "ReturnValue.MapValue", "value", "manual"]
+      - ["com.google.gson", "JsonObject", True, "entrySet", "", "", "Argument[this].MapKey", "ReturnValue.Element.MapKey", "value", "manual"]
+      - ["com.google.gson", "JsonObject", True, "entrySet", "", "", "Argument[this].MapKey", "ReturnValue.Element.MapValue", "value", "manual"]
+      - ["com.google.gson", "JsonObject", True, "get", "", "", "Argument[this].MapValue", "ReturnValue", "value", "manual"]
+      - ["com.google.gson", "JsonObject", True, "keySet", "", "", "Argument[this].MapKey", "ReturnValue.Element", "value", "manual"]
+      - ["com.google.gson", "JsonPrimitive", True, "JsonPrimitive", "(Character)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+      - ["com.google.gson", "JsonPrimitive", True, "JsonPrimitive", "(String)", "", "Argument[0]", "Argument[this]", "taint", "manual"]

java/ql/lib/semmle/code/java/Serializability.qll

@@ -4,6 +4,7 @@
 
 import java
 private import frameworks.jackson.JacksonSerializability
+private import frameworks.google.GsonSerializability
 private import frameworks.google.GoogleHttpClientApi
 
 /**

java/ql/lib/semmle/code/java/frameworks/google/GsonSerializability.qll

@@ -0,0 +1,61 @@
+/**
+ * Provides classes and predicates for working with Java Serialization in the context of
+ * the `com.google.gson` JSON processing framework.
+ */
+
+import java
+private import semmle.code.java.Serializability
+private import semmle.code.java.dataflow.DataFlow
+private import semmle.code.java.dataflow.FlowSteps
+
+/**
+ * A method used for deserializing objects using Gson. The first parameter is the object to be
+ * deserialized.
+ */
+private class GsonReadValueMethod extends Method {
+  GsonReadValueMethod() { this.hasQualifiedName("com.google.gson", "Gson", "fromJson") }
+}
+
+/** A type whose values may be deserialized by the Gson JSON framework. */
+abstract class GsonDeserializableType extends Type { }
+
+/** A type whose values are explicitly deserialized in a call to a Gson method. */
+private class ExplicitlyReadGsonDeserializableType extends GsonDeserializableType {
+  ExplicitlyReadGsonDeserializableType() {
+    exists(MethodAccess ma |
+      // A call to a Gson read method...
+      ma.getMethod() instanceof GsonReadValueMethod and
+      // ...where `this` is used in the final argument, indicating that this type will be deserialized.
+      // TODO: find a way to get the type represented by java.lang.reflect.Type and com.google.gson.reflect.TypeToken
+      // fromJson(String json, TypeToken<T> typeOfT)
+      // fromJson(String json, Type typeOfT)
+      usesType(ma.getArgument(1).getType(), this) and
+      not this instanceof TypeClass and
+      not this instanceof TypeObject
+    )
+  }
+}
+
+/** A type used in a `GsonDeserializableField` declaration. */
+private class FieldReferencedGsonDeserializableType extends GsonDeserializableType {
+  FieldReferencedGsonDeserializableType() {
+    exists(GsonDeserializableField f | usesType(f.getType(), this))
+  }
+}
+
+/** A field that may be deserialized using the Gson JSON framework. */
+private class GsonDeserializableField extends DeserializableField {
+  pragma[assume_small_delta]
+  GsonDeserializableField() {
+    exists(GsonDeserializableType superType |
+      superType = this.getDeclaringType().getAnAncestor() and
+      not superType instanceof TypeObject and
+      //superType.fromSource()
+      not superType.(RefType).getPackage().getName().matches("java%")
+    )
+  }
+}
+
+private class GsonInheritTaint extends DataFlow::FieldContent, TaintInheritingContent {
+  GsonInheritTaint() { this.getField() instanceof GsonDeserializableField }
+}

java/ql/test/library-tests/dataflow/taint-gson/Test.java

@@ -0,0 +1,38 @@
+import com.google.gson.Gson;
+
+public class Test {
+    public static class Potato {
+        private String name;
+        private Potato inner;
+        private Object object;
+
+        private String getName() {
+            return name;
+        }
+
+        private Potato getInner() {
+            return inner;
+        }
+
+        private Object getObject() {
+            return object;
+        }
+
+    }
+
+    public static String source() {
+        return "";
+    }
+
+    public static void sink(Object any) {}
+
+    public static void gsonfromJson() throws Exception {
+        String s = source();
+        Potato tainted = new Gson().fromJson(s, Potato.class);
+        sink(tainted); // $ hasTaintFlow
+        sink(tainted.getName()); // $ hasTaintFlow
+        sink(tainted.getInner()); // $ hasTaintFlow
+        sink(tainted.getInner().getName()); // $ hasTaintFlow
+        sink(tainted.getObject()); // $ hasTaintFlow
+    }
+}

java/ql/test/library-tests/dataflow/taint-gson/dataFlow.expected

@@ -0,0 +1,2 @@
+import java
+import TestUtilities.InlineFlowTest

java/ql/test/library-tests/dataflow/taint-gson/dataFlow.ql

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/gson-2.8.6