Covered deserialization filters in RmiUnsafeDeserialization.ql

artem-smotrakov · artem-smotrakov · commit 2d93eeae33f4 · 2021-05-23T10:21:05.000+02:00
diff --git a/java/ql/src/experimental/Security/CWE/CWE-502/RmiUnsafeDeserialization.ql b/java/ql/src/experimental/Security/CWE/CWE-502/RmiUnsafeDeserialization.ql
@@ -1,10 +1,10 @@
 /**
- * @name Unsafe deserialization with RMI.
+ * @name Unsafe remote object.
  * @description If a registered remote object has a method that accepts a complex object,
  *              an attacker can take advantage of the unsafe deserialization mechanism
  *              which is used to pass parameters in RMI.
  *              In the worst case, it results in remote code execution.
- * @kind problem
+ * @kind path-problem
  * @problem.severity error
  * @precision high
  * @id java/unsafe-deserialization-rmi
@@ -13,11 +13,9 @@
  */
 
 import java
+import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.frameworks.Rmi
-
-private class ObjectInputStream extends Class {
-  ObjectInputStream() { hasQualifiedName("java.io", "ObjectInputStream") }
-}
+import DataFlow::PathGraph
 
 /**
  * A method that binds a name to a remote object.
@@ -33,34 +31,52 @@ private class BindMethod extends Method {
 }
 
 /**
- * Looks for a vulnerable method in a `Remote` object.
+ * Holds if `type` has an unsafe remote method.
  */
-private Method getVulnerableMethod(RefType type) {
+private predicate hasVulnerableMethod(RefType type) {
   exists(RemoteCallableMethod m, Type parameterType |
     m.getDeclaringType() = type and parameterType = m.getAParamType()
   |
     not parameterType instanceof PrimitiveType and
     not parameterType instanceof TypeString and
-    not parameterType instanceof ObjectInputStream and
-    result = m
+    not parameterType.(RefType).hasQualifiedName("java.io", "ObjectInputStream")
   )
 }
 
 /**
- * A method call that registers a remote object that has a vulnerable method.
+ * A taint-tracking configuration for unsafe remote objects
+ * that are vulnerable to deserialization attacks.
  */
-private class UnsafeRmiBinding extends MethodAccess {
-  Method vulnerableMethod;
+private class BindingUnsafeRemoteObjectConfig extends TaintTracking::Configuration {
+  BindingUnsafeRemoteObjectConfig() { this = "BindingUnsafeRemoteObjectConfig" }
 
-  UnsafeRmiBinding() {
-    this.getMethod() instanceof BindMethod and
-    vulnerableMethod = getVulnerableMethod(this.getArgument(1).getType())
+  override predicate isSource(DataFlow::Node source) {
+    exists(ConstructorCall cc | cc = source.asExpr() |
+      hasVulnerableMethod(cc.getConstructedType().getASupertype*())
+    )
   }
 
-  Method getVulnerableMethod() { result = vulnerableMethod }
+  override predicate isSink(DataFlow::Node sink) {
+    exists(StaticMethodAccess ma | ma.getArgument(1) = sink.asExpr() |
+      ma.getMethod() instanceof BindMethod
+    )
+  }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
+    exists(StaticMethodAccess ma, Method m | m = ma.getMethod() |
+      m.getDeclaringType().hasQualifiedName("java.rmi.server", "UnicastRemoteObject") and
+      m.hasName("exportObject") and
+      not ma.getArgument([2, 4])
+          .getType()
+          .(RefType)
+          .getASupertype*()
+          .hasQualifiedName("java.io", "ObjectInputFilter") and
+      ma.getArgument(0) = fromNode.asExpr() and
+      ma = toNode.asExpr()
+    )
+  }
 }
 
-from UnsafeRmiBinding call, Method vulnerableMethod
-where vulnerableMethod = call.getVulnerableMethod()
-select call, "Unsafe deserialization with RMI in '$@' method", vulnerableMethod,
-  vulnerableMethod.getStringSignature()
+from DataFlow::PathNode source, DataFlow::PathNode sink, BindingUnsafeRemoteObjectConfig conf
+where conf.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "Binding an unsafe remote object."
