Update semgrep query for HardenJavaDeserializationCodemod and update paths to exclude (#267)

carlosu7 · web-flow · commit 13e4f14709da · 2023-12-19T15:10:47.000-06:00
* Update semgrep query for HardenJavaDeserializationCodemod
* Updated paths to exclude *Test.java files
diff --git a/core-codemods/src/main/resources/io/codemodder/codemods/harden-java-deserialization.yaml b/core-codemods/src/main/resources/io/codemodder/codemods/harden-java-deserialization.yaml
@@ -13,7 +13,7 @@ rules:
       - pattern-not-inside: >
           $RETURNTYPE $METHOD(...) {
             ...
-            (io.github.pixee.security.ObjectInputFilters).enableObjectFilterIfUnprotected($OIS);
+            ObjectInputFilters.enableObjectFilterIfUnprotected($OIS);
             ...
           }
       - focus-metavariable: $OIS
diff --git a/core-codemods/src/test/resources/harden-java-deserialization/ObjectInputFiltersTest.java.after b/core-codemods/src/test/resources/harden-java-deserialization/ObjectInputFiltersTest.java.after
@@ -0,0 +1,150 @@
+package io.github.pixee.security;
+
+import io.github.pixee.security.ObjectInputFilters;
+import static org.hamcrest.CoreMatchers.*;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.fail;
+import static org.mockito.Mockito.*;
+
+import java.io.*;
+import java.nio.file.Files;
+import org.apache.commons.fileupload.disk.DiskFileItem;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
+
+final class ObjectInputFiltersTest {
+
+  private static DiskFileItem gadget; // this is an evil gadget type
+  private static byte[] serializedGadget; // this the serialized bytes of that gadget
+
+  @BeforeAll
+  static void setup() throws IOException {
+    ByteArrayOutputStream baos = new ByteArrayOutputStream();
+    gadget =
+        new DiskFileItem(
+            "fieldName",
+            "text/html",
+            false,
+            "foo.html",
+            100,
+            Files.createTempDirectory("adi").toFile());
+    gadget.getOutputStream(); // needed to make the object serializable
+    ObjectOutputStream oos = new ObjectOutputStream(baos);
+    oos.writeObject(gadget);
+    serializedGadget = baos.toByteArray();
+  }
+
+  @Test
+  void default_is_unprotected() throws Exception {
+    ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(serializedGadget));
+    ObjectInputFilters.enableObjectFilterIfUnprotected(ois);
+    Object o = ois.readObject();
+    assertThat(o, instanceOf(DiskFileItem.class));
+  }
+
+
+  @Test
+  void ois_harden_works() throws Exception {
+    ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(serializedGadget));
+    ObjectInputFilters.enableObjectFilterIfUnprotected(ois);
+    assertThrows(
+        InvalidClassException.class,
+        () -> {
+          ois.readObject();
+          fail("this should have been blocked");
+        });
+  }
+
+  @Test
+  void objectinputfilter_works_when_none_present() throws Exception {
+    ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(serializedGadget));
+    ois.setObjectInputFilter(ObjectInputFilters.getHardenedObjectFilter());
+    assertThrows(
+        InvalidClassException.class,
+        () -> {
+          ois.readObject();
+          fail("this should have been blocked");
+        });
+  }
+
+  /**
+   * This test makes sure that if there's an existing {@link ObjectInputFilter}, that we honor it
+   * while we also do our protection. It bans a BadType, and allows a GoodType, so that behavior
+   * should still work as well as still reject our evil gadgets.
+   */
+  @Test
+  void objectinputfilter_works_and_honors_existing() throws Exception {
+    ObjectInputFilter filter =
+        ObjectInputFilter.Config.createFilter(
+            "!" + BadType.class.getName() + ";" + GoodType.class.getName());
+    {
+      ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(serializedGadget));
+      // this joins the default filter to the existing
+      ois.setObjectInputFilter(ObjectInputFilters.createCombinedHardenedObjectFilter(filter));
+      assertThrows(
+          InvalidClassException.class,
+          () -> {
+            ois.readObject();
+            fail("this should have been blocked");
+          });
+    }
+
+    // make sure we still reject the bad type
+    {
+      byte[] serializedBadType = serialize(new BadType());
+      ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(serializedBadType));
+      ois.setObjectInputFilter(
+          ObjectInputFilters.createCombinedHardenedObjectFilter(filter)); // this is our weave
+
+      assertThrows(
+          InvalidClassException.class,
+          () -> {
+            ois.readObject();
+            fail("this should have been blocked -- the original filter should have rejected it");
+          });
+    }
+
+    // make we still allow the good type
+    {
+      byte[] serializedGoodType = serialize(new GoodType());
+      ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(serializedGoodType));
+      ois.setObjectInputFilter(ObjectInputFilters.createCombinedHardenedObjectFilter(filter));
+      GoodType goodType = (GoodType) ois.readObject();
+      assertThat(goodType, is(notNullValue()));
+    }
+  }
+
+  @Test
+  void the_filter_works_as_expected() {
+    ObjectInputFilter filter = ObjectInputFilters.getHardenedObjectFilter();
+    ObjectInputFilter.FilterInfo filterInfo = mock(ObjectInputFilter.FilterInfo.class);
+
+    // we never want to interfere with existing logic, so we never explicitly approve anything, even
+    // innocent j.l.String
+    doReturn(String.class).when(filterInfo).serialClass();
+    ObjectInputFilter.Status status = filter.checkInput(filterInfo);
+    assertThat(status, is(ObjectInputFilter.Status.UNDECIDED));
+
+    // this confirm that the exact match of ProcessBuilder in our list is caught by the filter
+    doReturn(ProcessBuilder.class).when(filterInfo).serialClass();
+    ObjectInputFilter.Status exactMatch = filter.checkInput(filterInfo);
+    assertThat(exactMatch, is(ObjectInputFilter.Status.REJECTED));
+
+    // this confirms that although the Redirect type is not explicitly in the tokens, it's still
+    // caught by the wildcard
+    doReturn(ProcessBuilder.Redirect.class).when(filterInfo).serialClass();
+    ObjectInputFilter.Status partialMatch = filter.checkInput(filterInfo);
+    assertThat(partialMatch, is(ObjectInputFilter.Status.REJECTED));
+  }
+
+  byte[] serialize(Serializable s) throws IOException {
+    ByteArrayOutputStream stream = new ByteArrayOutputStream();
+    new ObjectOutputStream(stream).writeObject(s);
+    return stream.toByteArray();
+  }
+
+  static class BadType implements Serializable {}
+
+  static class GoodType implements Serializable {}
+}
diff --git a/core-codemods/src/test/resources/harden-java-deserialization/ObjectInputFiltersTest.java.before b/core-codemods/src/test/resources/harden-java-deserialization/ObjectInputFiltersTest.java.before
@@ -0,0 +1,148 @@
+package io.github.pixee.security;
+
+import static org.hamcrest.CoreMatchers.*;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.fail;
+import static org.mockito.Mockito.*;
+
+import java.io.*;
+import java.nio.file.Files;
+import org.apache.commons.fileupload.disk.DiskFileItem;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
+
+final class ObjectInputFiltersTest {
+
+  private static DiskFileItem gadget; // this is an evil gadget type
+  private static byte[] serializedGadget; // this the serialized bytes of that gadget
+
+  @BeforeAll
+  static void setup() throws IOException {
+    ByteArrayOutputStream baos = new ByteArrayOutputStream();
+    gadget =
+        new DiskFileItem(
+            "fieldName",
+            "text/html",
+            false,
+            "foo.html",
+            100,
+            Files.createTempDirectory("adi").toFile());
+    gadget.getOutputStream(); // needed to make the object serializable
+    ObjectOutputStream oos = new ObjectOutputStream(baos);
+    oos.writeObject(gadget);
+    serializedGadget = baos.toByteArray();
+  }
+
+  @Test
+  void default_is_unprotected() throws Exception {
+    ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(serializedGadget));
+    Object o = ois.readObject();
+    assertThat(o, instanceOf(DiskFileItem.class));
+  }
+
+
+  @Test
+  void ois_harden_works() throws Exception {
+    ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(serializedGadget));
+    ObjectInputFilters.enableObjectFilterIfUnprotected(ois);
+    assertThrows(
+        InvalidClassException.class,
+        () -> {
+          ois.readObject();
+          fail("this should have been blocked");
+        });
+  }
+
+  @Test
+  void objectinputfilter_works_when_none_present() throws Exception {
+    ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(serializedGadget));
+    ois.setObjectInputFilter(ObjectInputFilters.getHardenedObjectFilter());
+    assertThrows(
+        InvalidClassException.class,
+        () -> {
+          ois.readObject();
+          fail("this should have been blocked");
+        });
+  }
+
+  /**
+   * This test makes sure that if there's an existing {@link ObjectInputFilter}, that we honor it
+   * while we also do our protection. It bans a BadType, and allows a GoodType, so that behavior
+   * should still work as well as still reject our evil gadgets.
+   */
+  @Test
+  void objectinputfilter_works_and_honors_existing() throws Exception {
+    ObjectInputFilter filter =
+        ObjectInputFilter.Config.createFilter(
+            "!" + BadType.class.getName() + ";" + GoodType.class.getName());
+    {
+      ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(serializedGadget));
+      // this joins the default filter to the existing
+      ois.setObjectInputFilter(ObjectInputFilters.createCombinedHardenedObjectFilter(filter));
+      assertThrows(
+          InvalidClassException.class,
+          () -> {
+            ois.readObject();
+            fail("this should have been blocked");
+          });
+    }
+
+    // make sure we still reject the bad type
+    {
+      byte[] serializedBadType = serialize(new BadType());
+      ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(serializedBadType));
+      ois.setObjectInputFilter(
+          ObjectInputFilters.createCombinedHardenedObjectFilter(filter)); // this is our weave
+
+      assertThrows(
+          InvalidClassException.class,
+          () -> {
+            ois.readObject();
+            fail("this should have been blocked -- the original filter should have rejected it");
+          });
+    }
+
+    // make we still allow the good type
+    {
+      byte[] serializedGoodType = serialize(new GoodType());
+      ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(serializedGoodType));
+      ois.setObjectInputFilter(ObjectInputFilters.createCombinedHardenedObjectFilter(filter));
+      GoodType goodType = (GoodType) ois.readObject();
+      assertThat(goodType, is(notNullValue()));
+    }
+  }
+
+  @Test
+  void the_filter_works_as_expected() {
+    ObjectInputFilter filter = ObjectInputFilters.getHardenedObjectFilter();
+    ObjectInputFilter.FilterInfo filterInfo = mock(ObjectInputFilter.FilterInfo.class);
+
+    // we never want to interfere with existing logic, so we never explicitly approve anything, even
+    // innocent j.l.String
+    doReturn(String.class).when(filterInfo).serialClass();
+    ObjectInputFilter.Status status = filter.checkInput(filterInfo);
+    assertThat(status, is(ObjectInputFilter.Status.UNDECIDED));
+
+    // this confirm that the exact match of ProcessBuilder in our list is caught by the filter
+    doReturn(ProcessBuilder.class).when(filterInfo).serialClass();
+    ObjectInputFilter.Status exactMatch = filter.checkInput(filterInfo);
+    assertThat(exactMatch, is(ObjectInputFilter.Status.REJECTED));
+
+    // this confirms that although the Redirect type is not explicitly in the tokens, it's still
+    // caught by the wildcard
+    doReturn(ProcessBuilder.Redirect.class).when(filterInfo).serialClass();
+    ObjectInputFilter.Status partialMatch = filter.checkInput(filterInfo);
+    assertThat(partialMatch, is(ObjectInputFilter.Status.REJECTED));
+  }
+
+  byte[] serialize(Serializable s) throws IOException {
+    ByteArrayOutputStream stream = new ByteArrayOutputStream();
+    new ObjectOutputStream(stream).writeObject(s);
+    return stream.toByteArray();
+  }
+
+  static class BadType implements Serializable {}
+
+  static class GoodType implements Serializable {}
+}
diff --git a/framework/codemodder-base/src/main/java/io/codemodder/CLI.java b/framework/codemodder-base/src/main/java/io/codemodder/CLI.java
@@ -618,6 +618,7 @@ private List<ParameterArgument> createFromParameterStrings(final List<String> pa
   private static final List<String> defaultPathExcludes =
       List.of(
           "**/test/**",
+          "**/*Test.java",
           "**/intTest/**",
           "**/tests/**",
           "**/target/**",
diff --git a/framework/codemodder-base/src/test/java/io/codemodder/CLITest.java b/framework/codemodder-base/src/test/java/io/codemodder/CLITest.java
@@ -35,6 +35,7 @@ final class CLITest {
   private Path workingRepoDir;
   private Path fooJavaFile;
   private Path barJavaFile;
+  private Path testFile;
   private List<SourceDirectory> sourceDirectories;
 
   @BeforeEach
@@ -46,10 +47,12 @@ void setup(final @TempDir Path tmpDir) throws IOException {
         Files.createDirectories(tmpDir.resolve("module2/src/main/java/com/acme/util/"));
     fooJavaFile = module1JavaDir.resolve("Foo.java");
     barJavaFile = module2JavaDir.resolve("Bar.java");
+    testFile = module2JavaDir.resolve("MyTest.java");
     Files.write(
         fooJavaFile,
         "import com.acme.util.Bar; class Foo {private var bar = new Bar();}".getBytes());
     Files.write(barJavaFile, "public class Bar {}".getBytes());
+    Files.write(testFile, "public class MyTest {}".getBytes());
 
     /*
      * Only add module2 to the discovered source directories. This will help prove that the module1 files can still be seen and changed, even if we couldn't locate it as a "source directory".
@@ -71,6 +74,13 @@ void it_works_normally() throws IOException {
     assertThat(Files.exists(outputFile)).isTrue();
   }
 
+  @Test
+  void it_doesnt_change_test_file() throws IOException {
+    String[] args = new String[] {"--dont-exit", workingRepoDir.toString()};
+    Runner.run(List.of(Cloud9Changer.class), args);
+    assertThat(Files.readString(testFile)).doesNotContain("cloud9");
+  }
+
   @Test
   void it_works_without_output_file() throws IOException {
     String[] args = new String[] {"--dont-exit", workingRepoDir.toString()};
@@ -203,7 +213,7 @@ void file_finder_works() throws IOException {
 
     IncludesExcludes all = IncludesExcludes.any();
     List<Path> files = finder.findFiles(workingRepoDir, all);
-    assertThat(files).containsExactly(fooJavaFile, barJavaFile);
+    assertThat(files).containsExactly(fooJavaFile, barJavaFile, testFile);
 
     IncludesExcludes onlyFoo =
         IncludesExcludes.withSettings(workingRepoDir.toFile(), List.of("**/Foo.java"), List.of());

Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,7 @@ rules:`
`13`	`13`	`- pattern-not-inside: >`
`14`	`14`	`$RETURNTYPE $METHOD(...) {`
`15`	`15`	`...`
`16`		`- (io.github.pixee.security.ObjectInputFilters).enableObjectFilterIfUnprotected($OIS);`
	`16`	`+ ObjectInputFilters.enableObjectFilterIfUnprotected($OIS);`
`17`	`17`	`...`
`18`	`18`	`}`
`19`	`19`	`- focus-metavariable: $OIS`