[Java] Add data flow through Iterator deserializers for Jackson

JLLeitschuh · JLLeitschuh · commit d0638db6e728 · 2021-05-11T10:36:47.000-04:00
diff --git a/java/ql/src/semmle/code/java/frameworks/jackson/JacksonSerializability.qll b/java/ql/src/semmle/code/java/frameworks/jackson/JacksonSerializability.qll
@@ -28,7 +28,7 @@ abstract class JacksonSerializableType extends Type { }
  * A method used for serializing objects using Jackson. The final parameter is the object to be
  * serialized.
  */
-library class JacksonWriteValueMethod extends Method, TaintPreservingCallable {
+private class JacksonWriteValueMethod extends Method, TaintPreservingCallable {
   JacksonWriteValueMethod() {
     (
       getDeclaringType().hasQualifiedName("com.fasterxml.jackson.databind", "ObjectWriter") or
@@ -50,17 +50,17 @@ library class JacksonWriteValueMethod extends Method, TaintPreservingCallable {
   }
 }
 
-library class JacksonReadValueMethod extends Method, TaintPreservingCallable {
+private class JacksonReadValueMethod extends Method, TaintPreservingCallable {
   JacksonReadValueMethod() {
     getDeclaringType().hasQualifiedName("com.fasterxml.jackson.databind", "ObjectReader") and
-    hasName("readValue")
+    hasName(["readValue", "readValues"])
   }
 
   override predicate returnsTaintFrom(int arg) { arg = 0 }
 }
 
 /** A type whose values are explicitly serialized in a call to a Jackson method. */
-library class ExplicitlyWrittenJacksonSerializableType extends JacksonSerializableType {
+private class ExplicitlyWrittenJacksonSerializableType extends JacksonSerializableType {
   ExplicitlyWrittenJacksonSerializableType() {
     exists(MethodAccess ma |
       // A call to a Jackson write method...
@@ -71,8 +71,20 @@ library class ExplicitlyWrittenJacksonSerializableType extends JacksonSerializab
   }
 }
 
+/** A type whose values are explicitly deserialized in a call to a Jackson method. */
+private class ExplicitlyReadJacksonSerializableType extends JacksonDeserializableType {
+  ExplicitlyReadJacksonSerializableType() {
+    exists(MethodAccess ma |
+      // A call to a Jackson write method...
+      ma.getMethod() instanceof JacksonReadValueMethod and
+      // ...where `this` is used in the final argument, indicating that this type will be deserialized.
+      usesType(ma.getArgument(ma.getNumArgument() - 1).getType(), this)
+    )
+  }
+}
+
 /** A type used in a `JacksonSerializableField` declaration. */
-library class FieldReferencedJacksonSerializableType extends JacksonSerializableType {
+private class FieldReferencedJacksonSerializableType extends JacksonSerializableType {
   FieldReferencedJacksonSerializableType() {
     exists(JacksonSerializableField f | usesType(f.getType(), this))
   }
@@ -105,7 +117,7 @@ private class TypeLiteralToJacksonDatabindFlowConfiguration extends DataFlow5::C
 }
 
 /** A type whose values are explicitly deserialized in a call to a Jackson method. */
-library class ExplicitlyReadJacksonDeserializableType extends JacksonDeserializableType {
+private class ExplicitlyReadJacksonDeserializableType extends JacksonDeserializableType {
   ExplicitlyReadJacksonDeserializableType() {
     exists(TypeLiteralToJacksonDatabindFlowConfiguration conf |
       usesType(conf.getSourceWithFlowToJacksonDatabind().getTypeName().getType(), this)
@@ -114,7 +126,7 @@ library class ExplicitlyReadJacksonDeserializableType extends JacksonDeserializa
 }
 
 /** A type used in a `JacksonDeserializableField` declaration. */
-library class FieldReferencedJacksonDeSerializableType extends JacksonDeserializableType {
+private class FieldReferencedJacksonDeSerializableType extends JacksonDeserializableType {
   FieldReferencedJacksonDeSerializableType() {
     exists(JacksonDeserializableField f | usesType(f.getType(), this))
   }
@@ -144,10 +156,15 @@ class JacksonDeserializableField extends DeserializableField {
   }
 }
 
+/** A call to a field that may be deserialized using the Jackson JSON framework. */
 class JacksonDeserializableFieldAccess extends FieldAccess {
   JacksonDeserializableFieldAccess() { getField() instanceof JacksonDeserializableField }
 }
 
+/**
+ * When an object is deserialized by the Jackson JSON framework using a tainted input source,
+ * the fields that the framework deserialized are themselves tainted input data.
+ */
 class JacksonDeseializedTaintStep extends AdditionalTaintStep {
   override predicate step(DataFlow::Node node1, DataFlow::Node node2) {
     node2.asExpr().(JacksonDeserializableFieldAccess).getQualifier() = node1.asExpr()
diff --git a/java/ql/test/library-tests/dataflow/taint-jackson/Test.java b/java/ql/test/library-tests/dataflow/taint-jackson/Test.java
@@ -3,6 +3,7 @@
 import java.io.OutputStream;
 import java.io.StringWriter;
 import java.io.Writer;
+import java.util.Iterator;
 
 import com.fasterxml.jackson.core.JsonFactory;
 import com.fasterxml.jackson.core.JsonGenerator;
@@ -79,4 +80,18 @@ public static void jacksonObjectReader() throws java.io.IOException {
 		sink(reader.readValue(s, Potato.class).name);  //$hasTaintFlow
 		sink(reader.readValue(s, Potato.class).getName());  //$hasTaintFlow
 	}
+
+	public static void jacksonObjectReaderIterable() throws java.io.IOException {
+		String s = taint();
+		ObjectMapper om = new ObjectMapper();
+		ObjectReader reader = om.readerFor(Potato.class);
+		sink(reader.readValues(s));  //$hasTaintFlow
+		Iterator<Potato> pIterator = reader.readValues(s, Potato.class);
+		while(pIterator.hasNext()) {
+			Potato p = pIterator.next();
+			sink(p); //$hasTaintFlow
+			sink(p.name); //$hasTaintFlow
+			sink(p.getName()); //$hasTaintFlow
+		}
+	}
 }
diff --git a/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/MappingIterator.java b/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/MappingIterator.java
@@ -0,0 +1,28 @@
+package com.fasterxml.jackson.databind;
+
+import java.io.Closeable;
+import java.io.IOException;
+import java.util.*;
+
+public class MappingIterator<T> implements Iterator<T>, Closeable {
+
+    @Override
+    public boolean hasNext() {
+        return false;
+    }
+
+    @Override
+    public T next() {
+        return null;
+    }
+
+    @Override
+    public void remove() {
+        
+    }
+
+    @Override
+    public void close() throws IOException {
+        
+    }
+}
diff --git a/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/ObjectReader.java b/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/ObjectReader.java
@@ -42,4 +42,41 @@ public <T> T readValue(Reader src) throws IOException {
     public <T> T readValue(Reader src, Class<T> valueType) throws IOException {
         return null;
     }
+
+    public <T> MappingIterator<T> readValues(String src) {
+        return null;
+    }
+
+    public <T> MappingIterator<T> readValues(String src, Class<T> valueType) throws IOException {
+        return null;
+    }
+
+    public <T> MappingIterator<T> readValues(byte[] content) throws IOException {
+        return null;
+    }
+
+    public <T> MappingIterator<T> readValues(byte[] content, Class<T> valueType) throws IOException {
+        return null;
+    }
+
+    public <T> MappingIterator<T> readValues(File src) throws IOException {
+        return null;
+    }
+
+    public <T> MappingIterator<T> readValues(InputStream src) throws IOException {
+        return null;
+    }
+
+    public <T> MappingIterator<T> readValues(InputStream src, Class<T> valueType) throws IOException {
+        return null;
+    }
+
+    public <T> MappingIterator<T> readValues(Reader src) throws IOException {
+        return null;
+    }
+
+    public <T> MappingIterator<T> readValues(Reader src, Class<T> valueType) throws IOException {
+        return null;
+    }
+
 }

Original file line number	Diff line number	Diff line change
`@@ -28,7 +28,7 @@ abstract class JacksonSerializableType extends Type { }`
`28`	`28`	`* A method used for serializing objects using Jackson. The final parameter is the object to be`
`29`	`29`	`* serialized.`
`30`	`30`	`*/`
`31`		`-library class JacksonWriteValueMethod extends Method, TaintPreservingCallable {`
	`31`	`+private class JacksonWriteValueMethod extends Method, TaintPreservingCallable {`
`32`	`32`	`JacksonWriteValueMethod() {`
`33`	`33`	`(`
`34`	`34`	`getDeclaringType().hasQualifiedName("com.fasterxml.jackson.databind", "ObjectWriter") or`
`@@ -50,17 +50,17 @@ library class JacksonWriteValueMethod extends Method, TaintPreservingCallable {`
`50`	`50`	`}`
`51`	`51`	`}`
`52`	`52`
`53`		`-library class JacksonReadValueMethod extends Method, TaintPreservingCallable {`
	`53`	`+private class JacksonReadValueMethod extends Method, TaintPreservingCallable {`
`54`	`54`	`JacksonReadValueMethod() {`
`55`	`55`	`getDeclaringType().hasQualifiedName("com.fasterxml.jackson.databind", "ObjectReader") and`
`56`		`- hasName("readValue")`
	`56`	`+ hasName(["readValue", "readValues"])`
`57`	`57`	`}`
`58`	`58`
`59`	`59`	`override predicate returnsTaintFrom(int arg) { arg = 0 }`
`60`	`60`	`}`
`61`	`61`
`62`	`62`	`/** A type whose values are explicitly serialized in a call to a Jackson method. */`
`63`		`-library class ExplicitlyWrittenJacksonSerializableType extends JacksonSerializableType {`
	`63`	`+private class ExplicitlyWrittenJacksonSerializableType extends JacksonSerializableType {`
`64`	`64`	`ExplicitlyWrittenJacksonSerializableType() {`
`65`	`65`	`exists(MethodAccess ma \|`
`66`	`66`	`// A call to a Jackson write method...`
`@@ -71,8 +71,20 @@ library class ExplicitlyWrittenJacksonSerializableType extends JacksonSerializab`
`71`	`71`	`}`
`72`	`72`	`}`
`73`	`73`
	`74`	`+/** A type whose values are explicitly deserialized in a call to a Jackson method. */`
	`75`	`+private class ExplicitlyReadJacksonSerializableType extends JacksonDeserializableType {`
	`76`	`+ ExplicitlyReadJacksonSerializableType() {`
	`77`	`+ exists(MethodAccess ma \|`
	`78`	`+ // A call to a Jackson write method...`
	`79`	`+ ma.getMethod() instanceof JacksonReadValueMethod and`
	`80`	+ // ...where `this` is used in the final argument, indicating that this type will be deserialized.
	`81`	`+ usesType(ma.getArgument(ma.getNumArgument() - 1).getType(), this)`
	`82`	`+ )`
	`83`	`+ }`
	`84`	`+}`
	`85`	`+`
`74`	`86`	/** A type used in a `JacksonSerializableField` declaration. */
`75`		`-library class FieldReferencedJacksonSerializableType extends JacksonSerializableType {`
	`87`	`+private class FieldReferencedJacksonSerializableType extends JacksonSerializableType {`
`76`	`88`	`FieldReferencedJacksonSerializableType() {`
`77`	`89`	`exists(JacksonSerializableField f \| usesType(f.getType(), this))`
`78`	`90`	`}`
`@@ -105,7 +117,7 @@ private class TypeLiteralToJacksonDatabindFlowConfiguration extends DataFlow5::C`
`105`	`117`	`}`
`106`	`118`
`107`	`119`	`/** A type whose values are explicitly deserialized in a call to a Jackson method. */`
`108`		`-library class ExplicitlyReadJacksonDeserializableType extends JacksonDeserializableType {`
	`120`	`+private class ExplicitlyReadJacksonDeserializableType extends JacksonDeserializableType {`
`109`	`121`	`ExplicitlyReadJacksonDeserializableType() {`
`110`	`122`	`exists(TypeLiteralToJacksonDatabindFlowConfiguration conf \|`
`111`	`123`	`usesType(conf.getSourceWithFlowToJacksonDatabind().getTypeName().getType(), this)`
`@@ -114,7 +126,7 @@ library class ExplicitlyReadJacksonDeserializableType extends JacksonDeserializa`
`114`	`126`	`}`
`115`	`127`
`116`	`128`	/** A type used in a `JacksonDeserializableField` declaration. */
`117`		`-library class FieldReferencedJacksonDeSerializableType extends JacksonDeserializableType {`
	`129`	`+private class FieldReferencedJacksonDeSerializableType extends JacksonDeserializableType {`
`118`	`130`	`FieldReferencedJacksonDeSerializableType() {`
`119`	`131`	`exists(JacksonDeserializableField f \| usesType(f.getType(), this))`
`120`	`132`	`}`
`@@ -144,10 +156,15 @@ class JacksonDeserializableField extends DeserializableField {`
`144`	`156`	`}`
`145`	`157`	`}`
`146`	`158`
	`159`	`+/** A call to a field that may be deserialized using the Jackson JSON framework. */`
`147`	`160`	`class JacksonDeserializableFieldAccess extends FieldAccess {`
`148`	`161`	`JacksonDeserializableFieldAccess() { getField() instanceof JacksonDeserializableField }`
`149`	`162`	`}`
`150`	`163`
	`164`	`+/**`
	`165`	`+ * When an object is deserialized by the Jackson JSON framework using a tainted input source,`
	`166`	`+ * the fields that the framework deserialized are themselves tainted input data.`
	`167`	`+ */`
`151`	`168`	`class JacksonDeseializedTaintStep extends AdditionalTaintStep {`
`152`	`169`	`override predicate step(DataFlow::Node node1, DataFlow::Node node2) {`
`153`	`170`	`node2.asExpr().(JacksonDeserializableFieldAccess).getQualifier() = node1.asExpr()`