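--- a/<path-not-on-page>/Frameworks.qll
+++ b/<path-not-on-page>/Frameworks.qll
@@ -77,6 +77,7 @@ private module Frameworks {
  private import semmle.code.java.frameworks.ApacheHttp
  private import semmle.code.java.frameworks.apache.Lang
  private import semmle.code.java.frameworks.guava.Guava
+ private import semmle.code.java.frameworks.jackson.JacksonSerializability
  private import semmle.code.java.security.ResponseSplitting
  private import semmle.code.java.security.XSS
  private import semmle.code.java.security.LdapInjection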
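--- a/<path-not-on-page>/JacksonSerializability.qll
+++ b/<path-not-on-page>/JacksonSerializability.qll
@@ -9,6 +9,7 @@ import semmle.code.java.Reflection
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.DataFlow5
 import semmle.code.java.dataflow.FlowSteps
+ private import semmle.code.java.dataflow.ExternalFlow
 
 /**
  * A `@com.fasterxml.jackson.annotation.JsonIgnore` annoation.
@@ -275,3 +276,13 @@ class JacksonMixedInCallable extends Callable {
  )
  }
 }
+
+ private class JacksonModel extends SummaryModelCsv {
+ override predicate row ( string row ) {
+ row =
+ [
+ "com.fasterxml.jackson.databind;ObjectMapper;true;valueToTree;;;Argument[0];ReturnValue;taint" ,
+ "com.fasterxml.jackson.databind;ObjectMapper;true;convertValue;;;Argument[0];ReturnValue;taint"
+ ]
+ }
+ }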
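Review bot: `JacksonModel` in the second hunk carries no QLDoc, so a reader has to decode the two CSV rows to learn what is being modelled; a comment above the class such as `/** Taint summaries for ObjectMapper.valueToTree and ObjectMapper.convertValue: the first argument flows to the return value. */` would state the intent directly. Because the signature column of both rows is empty, every overload of those two methods receives the step, which is worth saying in that comment so that nobody later narrows a row by mistake. The `private import semmle.code.java.dataflow.ExternalFlow` added in the first hunk is what brings `SummaryModelCsv` into scope for this class, so the two hunks belong together.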
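--- a/<repo-prefix-not-on-page>/library-tests/dataflow/taint-jackson/<file-not-on-page>.java
+++ b/<repo-prefix-not-on-page>/library-tests/dataflow/taint-jackson/<file-not-on-page>.java
@@ -4,9 +4,12 @@
 import java .io .StringWriter ;
 import java .io .Writer ;
 import java .util .Iterator ;
+ import java .util .HashMap ;
+ import java .util .Map ;
 
 import com .fasterxml .jackson .core .JsonFactory ;
 import com .fasterxml .jackson .core .JsonGenerator ;
+ import com .fasterxml .jackson .databind .JsonNode ;
 import com .fasterxml .jackson .databind .ObjectMapper ;
 import com .fasterxml .jackson .databind .ObjectWriter ;
 import com .fasterxml .jackson .databind .ObjectReader ;
@@ -94,4 +97,16 @@ public static void jacksonObjectReaderIterable() throws java.io.IOException {
  sink (p .getName ()); //$hasTaintFlow
  }
  }
+
+ public static void jacksonTwoStepDeserialization () throws java .io .IOException {
+ String s = taint ();
+ Map <String , Object > taintedParams = new HashMap <>();
+ taintedParams .put ("name" , s );
+ ObjectMapper om = new ObjectMapper ();
+ JsonNode jn = om .valueToTree (taintedParams );
+ sink (jn ); //$hasTaintFlow
+ Potato p = om .convertValue (jn , Potato .class );
+ sink (p ); //$hasTaintFlow
+ sink (p .getName ()); //$hasTaintFlow
+ }
 }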
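Review bot: The new `jacksonTwoStepDeserialization` method does not say which model each `$hasTaintFlow` expectation exercises, so a future failure on one of the three sinks would be hard to attribute. As far as the hunk shows, `sink(jn)` depends only on the `valueToTree` summary, `sink(p)` only on the `convertValue` summary, while `sink(p.getName())` additionally relies on the pre-existing getter step that the earlier `jacksonObjectReaderIterable` test already asserts; a comment above the method such as `// valueToTree and convertValue are modelled as Argument[0] -> ReturnValue taint steps; the getName() sink also needs the existing Jackson getter step` would record that. The `taint()` and `sink()` helpers and the `Potato` class, as well as the enclosing class's header, lie outside the hunk.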
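--- a/<repo-prefix-not-on-page>/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/JsonNode.java
+++ b/<repo-prefix-not-on-page>/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/JsonNode.java
@@ -1,6 +1,8 @@
 package com .fasterxml .jackson .databind ;
 
- public class JsonNode {
+ import java .util .*;
+
+ public abstract class JsonNode implements Iterable <JsonNode > {
  public JsonNode () {
  }
 }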
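Review bot: The added `import java.util.*;` is unused: `Iterable` lives in `java.lang`, and the stub declares no `iterator()` method or any other `java.util` type anywhere in the file, which is shown in full here. Dropping that line and the blank line after it leaves the stub compiling exactly as before, and avoids introducing a wildcard import into a stub tree that otherwise imports nothing. Making the class `abstract` is what lets it implement `Iterable<JsonNode>` without supplying `iterator()`, which looks intentional and needs no change.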
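--- a/<repo-prefix-not-on-page>/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/ObjectMapper.java
+++ b/<repo-prefix-not-on-page>/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/ObjectMapper.java
@@ -30,4 +30,12 @@ public String writeValueAsString(Object value) {
  public ObjectReader readerFor (Class <?> type ) {
  return null ;
  }
+
+ public <T extends JsonNode > T valueToTree (Object fromValue ) throws IllegalArgumentException {
+ return null ;
+ }
+
+ public <T > T convertValue (Object fromValue , Class <T > toValueType ) throws IllegalArgumentException {
+ return null ;
+ }
 }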