Java: teach UnsafeDeserialization about ValidatingObjectInputStream

aibaars · aibaars · commit 39e652b26b81 · 2020-05-06T12:15:30.000+02:00
The class org.apache.commons.io.serialization.ValidatingObjectInputStream
is an implementation of ObjectInputStream that validates the deserialized
classes against a white list. Therefore, this class should not be considered an
unsafe deserialization sink.
diff --git a/java/ql/src/semmle/code/java/security/UnsafeDeserialization.qll b/java/ql/src/semmle/code/java/security/UnsafeDeserialization.qll
@@ -51,7 +51,14 @@ class SafeKryo extends DataFlow2::Configuration {
 predicate unsafeDeserialization(MethodAccess ma, Expr sink) {
   exists(Method m | m = ma.getMethod() |
     m instanceof ObjectInputStreamReadObjectMethod and
-    sink = ma.getQualifier()
+    sink = ma.getQualifier() and
+    not exists(DataFlow::ExprNode node |
+      node.getExpr() = sink and
+      node
+          .getTypeBound()
+          .(RefType)
+          .hasQualifiedName("org.apache.commons.io.serialization", "ValidatingObjectInputStream")
+    )
     or
     m instanceof XMLDecoderReadObjectMethod and
     sink = ma.getQualifier()
