Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit 3856527

Browse files
artem-smotrakovartem-smotrakov
committed
Refactored tests for unsafe deserialization
1 parent 6d7cb48 commit 3856527

8 files changed

Lines changed: 76 additions & 331 deletions

File tree

java/ql/test/query-tests/security/CWE-502/A.java

Lines changed: 22 additions & 22 deletions
Original file line numberDiff line numberDiff line change
@@ -12,34 +12,34 @@ public class A {
1212
public Object deserialize1(Socket sock) throws java.io.IOException, ClassNotFoundException {
1313
InputStream inputStream = sock.getInputStream();
1414
ObjectInputStream in = new ObjectInputStream(inputStream);
15-
return in.readObject(); // unsafe
15+
return in.readObject(); // $unsafeDeserialization
1616
}
1717

1818
public Object deserialize2(Socket sock) throws java.io.IOException, ClassNotFoundException {
1919
InputStream inputStream = sock.getInputStream();
2020
ObjectInputStream in = new ObjectInputStream(inputStream);
21-
return in.readUnshared(); // unsafe
21+
return in.readUnshared(); // $unsafeDeserialization
2222
}
2323

2424
public Object deserialize3(Socket sock) throws java.io.IOException {
2525
InputStream inputStream = sock.getInputStream();
2626
XMLDecoder d = new XMLDecoder(inputStream);
27-
return d.readObject(); // unsafe
27+
return d.readObject(); // $unsafeDeserialization
2828
}
2929

3030
public Object deserialize4(Socket sock) throws java.io.IOException {
3131
XStream xs = new XStream();
3232
InputStream inputStream = sock.getInputStream();
3333
Reader reader = new InputStreamReader(inputStream);
34-
return xs.fromXML(reader); // unsafe
34+
return xs.fromXML(reader); // $unsafeDeserialization
3535
}
3636

3737
public void deserialize5(Socket sock) throws java.io.IOException {
3838
Kryo kryo = new Kryo();
3939
Input input = new Input(sock.getInputStream());
40-
A a1 = kryo.readObject(input, A.class); // unsafe
41-
A a2 = kryo.readObjectOrNull(input, A.class); // unsafe
42-
Object o = kryo.readClassAndObject(input); // unsafe
40+
A a1 = kryo.readObject(input, A.class); // $unsafeDeserialization
41+
A a2 = kryo.readObjectOrNull(input, A.class); // $unsafeDeserialization
42+
Object o = kryo.readClassAndObject(input); // $unsafeDeserialization
4343
}
4444

4545
private Kryo getSafeKryo() throws java.io.IOException {
@@ -58,21 +58,21 @@ public void deserialize6(Socket sock) throws java.io.IOException {
5858
public void deserializeSnakeYaml(Socket sock) throws java.io.IOException {
5959
Yaml yaml = new Yaml();
6060
InputStream input = sock.getInputStream();
61-
Object o = yaml.load(input); //unsafe
62-
Object o2 = yaml.loadAll(input); //unsafe
63-
Object o3 = yaml.parse(new InputStreamReader(input)); //unsafe
64-
A o4 = yaml.loadAs(input, A.class); //unsafe
65-
A o5 = yaml.loadAs(new InputStreamReader(input), A.class); //unsafe
61+
Object o = yaml.load(input); // $unsafeDeserialization
62+
Object o2 = yaml.loadAll(input); // $unsafeDeserialization
63+
Object o3 = yaml.parse(new InputStreamReader(input)); // $unsafeDeserialization
64+
A o4 = yaml.loadAs(input, A.class); // $unsafeDeserialization
65+
A o5 = yaml.loadAs(new InputStreamReader(input), A.class); // $unsafeDeserialization
6666
}
6767

6868
public void deserializeSnakeYaml2(Socket sock) throws java.io.IOException {
6969
Yaml yaml = new Yaml(new Constructor());
7070
InputStream input = sock.getInputStream();
71-
Object o = yaml.load(input); //unsafe
72-
Object o2 = yaml.loadAll(input); //unsafe
73-
Object o3 = yaml.parse(new InputStreamReader(input)); //unsafe
74-
A o4 = yaml.loadAs(input, A.class); //unsafe
75-
A o5 = yaml.loadAs(new InputStreamReader(input), A.class); //unsafe
71+
Object o = yaml.load(input); // $unsafeDeserialization
72+
Object o2 = yaml.loadAll(input); // $unsafeDeserialization
73+
Object o3 = yaml.parse(new InputStreamReader(input)); // $unsafeDeserialization
74+
A o4 = yaml.loadAs(input, A.class); // $unsafeDeserialization
75+
A o5 = yaml.loadAs(new InputStreamReader(input), A.class); // $unsafeDeserialization
7676
}
7777

7878
public void deserializeSnakeYaml3(Socket sock) throws java.io.IOException {
@@ -88,10 +88,10 @@ public void deserializeSnakeYaml3(Socket sock) throws java.io.IOException {
8888
public void deserializeSnakeYaml4(Socket sock) throws java.io.IOException {
8989
Yaml yaml = new Yaml(new Constructor(A.class));
9090
InputStream input = sock.getInputStream();
91-
Object o = yaml.load(input); //unsafe
92-
Object o2 = yaml.loadAll(input); //unsafe
93-
Object o3 = yaml.parse(new InputStreamReader(input)); //unsafe
94-
A o4 = yaml.loadAs(input, A.class); //unsafe
95-
A o5 = yaml.loadAs(new InputStreamReader(input), A.class); //unsafe
91+
Object o = yaml.load(input); // $unsafeDeserialization
92+
Object o2 = yaml.loadAll(input); // $unsafeDeserialization
93+
Object o3 = yaml.parse(new InputStreamReader(input)); // $unsafeDeserialization
94+
A o4 = yaml.loadAs(input, A.class); // $unsafeDeserialization
95+
A o5 = yaml.loadAs(new InputStreamReader(input), A.class); // $unsafeDeserialization
9696
}
9797
}

java/ql/test/query-tests/security/CWE-502/B.java

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -5,29 +5,29 @@
55
public class B {
66
public Object deserializeJson1(Socket sock) throws java.io.IOException {
77
InputStream inputStream = sock.getInputStream();
8-
return JSON.parseObject(inputStream, null); // unsafe
8+
return JSON.parseObject(inputStream, null); // $unsafeDeserialization
99
}
1010

1111
public Object deserializeJson2(Socket sock) throws java.io.IOException {
1212
InputStream inputStream = sock.getInputStream();
1313
byte[] bytes = new byte[100];
1414
inputStream.read(bytes);
15-
return JSON.parse(bytes); // unsafe
15+
return JSON.parse(bytes); // $unsafeDeserialization
1616
}
1717

1818
public Object deserializeJson3(Socket sock) throws java.io.IOException {
1919
InputStream inputStream = sock.getInputStream();
2020
byte[] bytes = new byte[100];
2121
inputStream.read(bytes);
2222
String s = new String(bytes);
23-
return JSON.parseObject(s); // unsafe
23+
return JSON.parseObject(s); // $unsafeDeserialization
2424
}
2525

2626
public Object deserializeJson4(Socket sock) throws java.io.IOException {
2727
InputStream inputStream = sock.getInputStream();
2828
byte[] bytes = new byte[100];
2929
inputStream.read(bytes);
3030
String s = new String(bytes);
31-
return JSON.parse(s); // unsafe
31+
return JSON.parse(s); // $unsafeDeserialization
3232
}
3333
}

java/ql/test/query-tests/security/CWE-502/C.java

Lines changed: 21 additions & 21 deletions
Original file line numberDiff line numberDiff line change
@@ -21,16 +21,16 @@ public class C {
2121
@GetMapping(value = "jyaml")
2222
public void bad1(HttpServletRequest request) throws Exception {
2323
String data = request.getParameter("data");
24-
Yaml.load(data); //bad
25-
Yaml.loadStream(data); //bad
26-
Yaml.loadStreamOfType(data, Object.class); //bad
27-
Yaml.loadType(data, Object.class); //bad
24+
Yaml.load(data); // $unsafeDeserialization
25+
Yaml.loadStream(data); // $unsafeDeserialization
26+
Yaml.loadStreamOfType(data, Object.class); // $unsafeDeserialization
27+
Yaml.loadType(data, Object.class); // $unsafeDeserialization
2828

2929
org.ho.yaml.YamlConfig yamlConfig = new YamlConfig();
30-
yamlConfig.load(data); //bad
31-
yamlConfig.loadStream(data); //bad
32-
yamlConfig.loadStreamOfType(data, Object.class); //bad
33-
yamlConfig.loadType(data, Object.class); //bad
30+
yamlConfig.load(data); // $unsafeDeserialization
31+
yamlConfig.loadStream(data); // $unsafeDeserialization
32+
yamlConfig.loadStreamOfType(data, Object.class); // $unsafeDeserialization
33+
yamlConfig.loadType(data, Object.class); // $unsafeDeserialization
3434
}
3535

3636
@GetMapping(value = "jsonio")
@@ -40,55 +40,55 @@ public void bad2(HttpServletRequest request) {
4040
HashMap hashMap = new HashMap();
4141
hashMap.put("USE_MAPS", true);
4242

43-
JsonReader.jsonToJava(data); //bad
43+
JsonReader.jsonToJava(data); // $unsafeDeserialization
4444

45-
JsonReader jr = new JsonReader(data, null); //bad
46-
jr.readObject();
45+
JsonReader jr = new JsonReader(data, null);
46+
jr.readObject(); // $unsafeDeserialization
4747
}
4848

4949
@GetMapping(value = "yamlbeans")
5050
public void bad3(HttpServletRequest request) throws Exception {
5151
String data = request.getParameter("data");
5252
YamlReader r = new YamlReader(data);
53-
r.read(); //bad
54-
r.read(Object.class); //bad
55-
r.read(Object.class, Object.class); //bad
53+
r.read(); // $unsafeDeserialization
54+
r.read(Object.class); // $unsafeDeserialization
55+
r.read(Object.class, Object.class); // $unsafeDeserialization
5656
}
5757

5858
@GetMapping(value = "hessian")
5959
public void bad4(HttpServletRequest request) throws Exception {
6060
byte[] bytes = request.getParameter("data").getBytes();
6161
ByteArrayInputStream bis = new ByteArrayInputStream(bytes);
6262
HessianInput hessianInput = new HessianInput(bis);
63-
hessianInput.readObject(); //bad
64-
hessianInput.readObject(Object.class); //bad
63+
hessianInput.readObject(); // $unsafeDeserialization
64+
hessianInput.readObject(Object.class); // $unsafeDeserialization
6565
}
6666

6767
@GetMapping(value = "hessian2")
6868
public void bad5(HttpServletRequest request) throws Exception {
6969
byte[] bytes = request.getParameter("data").getBytes();
7070
ByteArrayInputStream bis = new ByteArrayInputStream(bytes);
7171
Hessian2Input hessianInput = new Hessian2Input(bis);
72-
hessianInput.readObject(); //bad
73-
hessianInput.readObject(Object.class); //bad
72+
hessianInput.readObject(); // $unsafeDeserialization
73+
hessianInput.readObject(Object.class); // $unsafeDeserialization
7474
}
7575

7676
@GetMapping(value = "castor")
7777
public void bad6(HttpServletRequest request) throws Exception {
7878
Unmarshaller unmarshaller = new Unmarshaller();
79-
unmarshaller.unmarshal(new StringReader(request.getParameter("data"))); //bad
79+
unmarshaller.unmarshal(new StringReader(request.getParameter("data"))); // $unsafeDeserialization
8080
}
8181

8282
@GetMapping(value = "burlap")
8383
public void bad7(HttpServletRequest request) throws Exception {
8484
byte[] serializedData = request.getParameter("data").getBytes();
8585
ByteArrayInputStream is = new ByteArrayInputStream(serializedData);
8686
BurlapInput burlapInput = new BurlapInput(is);
87-
burlapInput.readObject(); //bad
87+
burlapInput.readObject(); // $unsafeDeserialization
8888

8989
BurlapInput burlapInput1 = new BurlapInput();
9090
burlapInput1.init(is);
91-
burlapInput1.readObject(); //bad
91+
burlapInput1.readObject(); // $unsafeDeserialization
9292
}
9393

9494
@GetMapping(value = "jsonio1")

java/ql/test/query-tests/security/CWE-502/JacksonTest.java

Lines changed: 8 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -72,7 +72,7 @@ class UnsafePersonDeserialization {
7272
private static void testUnsafeDeserialization() throws Exception {
7373
JacksonTest.withSocket(string -> {
7474
ObjectMapper mapper = new ObjectMapper();
75-
mapper.readValue(string, Person.class);
75+
mapper.readValue(string, Person.class); // $unsafeDeserialization
7676
});
7777
}
7878

@@ -81,7 +81,7 @@ private static void testUnsafeDeserialization() throws Exception {
8181
private static void testUnsafeDeserializationWithExtendedClass() throws Exception {
8282
JacksonTest.withSocket(string -> {
8383
ObjectMapper mapper = new ObjectMapper();
84-
mapper.readValue(string, Employee.class);
84+
mapper.readValue(string, Employee.class); // $unsafeDeserialization
8585
});
8686
}
8787

@@ -90,7 +90,7 @@ private static void testUnsafeDeserializationWithExtendedClass() throws Exceptio
9090
private static void testUnsafeDeserializationWithWrapper() throws Exception {
9191
JacksonTest.withSocket(string -> {
9292
ObjectMapper mapper = new ObjectMapper();
93-
mapper.readValue(string, Task.class);
93+
mapper.readValue(string, Task.class); // $unsafeDeserialization
9494
});
9595
}
9696
}
@@ -138,7 +138,7 @@ private static void testUnsafeDeserialization() throws Exception {
138138
JacksonTest.withSocket(string -> {
139139
ObjectMapper mapper = new ObjectMapper();
140140
mapper.enableDefaultTyping(); // this enables polymorphic type handling
141-
mapper.readValue(string, Cat.class);
141+
mapper.readValue(string, Cat.class); // $unsafeDeserialization
142142
});
143143
}
144144

@@ -147,7 +147,7 @@ private static void testUnsafeDeserializationWithObjectMapperReadValues() throws
147147
JacksonTest.withSocket(string -> {
148148
ObjectMapper mapper = new ObjectMapper();
149149
mapper.enableDefaultTyping();
150-
mapper.readValues(new JsonFactory().createParser(string), Cat.class).readAll();
150+
mapper.readValues(new JsonFactory().createParser(string), Cat.class).readAll(); // $unsafeDeserialization
151151
});
152152
}
153153

@@ -156,7 +156,7 @@ private static void testUnsafeDeserializationWithObjectMapperTreeToValue() throw
156156
JacksonTest.withSocket(string -> {
157157
ObjectMapper mapper = new ObjectMapper();
158158
mapper.enableDefaultTyping();
159-
mapper.treeToValue(mapper.readTree(string), Cat.class);
159+
mapper.treeToValue(mapper.readTree(string), Cat.class); // $unsafeDeserialization
160160
});
161161
}
162162

@@ -168,7 +168,7 @@ private static void testUnsafeDeserializationWithUnsafeClass() throws Exception
168168
String type = parts[1];
169169
Class clazz = Class.forName(type);
170170
ObjectMapper mapper = new ObjectMapper();
171-
mapper.readValue(data, clazz);
171+
mapper.readValue(data, clazz); // $unsafeDeserialization
172172
});
173173
}
174174

@@ -179,7 +179,7 @@ private static void testUnsafeDeserializationWithUnsafeClassAndCustomTypeResolve
179179
String data = parts[0];
180180
String type = parts[1];
181181
ObjectMapper mapper = new ObjectMapper();
182-
mapper.readValue(data, resolveTypeImpl(type));
182+
mapper.readValue(data, resolveTypeImpl(type)); // $unsafeDeserialization
183183
});
184184
}
185185

java/ql/test/query-tests/security/CWE-502/TestMessageBodyReader.java

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -19,7 +19,7 @@ public boolean isReadable(Class<?> type, Type genericType, Annotation[] annotati
1919
public Object readFrom(Class<Object> type, Type genericType, Annotation[] annotations, MediaType mediaType,
2020
MultivaluedMap<String, String> httpHeaders, InputStream entityStream) throws IOException {
2121
try {
22-
return new ObjectInputStream(entityStream).readObject();
22+
return new ObjectInputStream(entityStream).readObject(); // $unsafeDeserialization
2323
} catch (ClassNotFoundException e) {
2424
e.printStackTrace();
2525
}

0 commit comments

Comments
 (0)