Java: Add support for FastJson in unsafe deserialization.

aschackmull · aschackmull · commit 80ee92ae97f7 · 2020-11-16T11:47:58.000+01:00
diff --git a/java/change-notes/2020-10-07-fastjson-deserialization-sink.md b/java/change-notes/2020-10-07-fastjson-deserialization-sink.md
@@ -0,0 +1,3 @@
+lgtm,codescanning
+* The "Deserialization of user-controlled data" (`java/unsafe-deserialization`) query
+  now recognizes `FastJson` deserialization.
diff --git a/java/ql/src/semmle/code/java/frameworks/FastJson.qll b/java/ql/src/semmle/code/java/frameworks/FastJson.qll
@@ -0,0 +1,50 @@
+/**
+ * Provides classes and predicates for working with the FastJson framework.
+ */
+
+import java
+
+/**
+ * The class `com.alibaba.fastjson.JSON` or `com.alibaba.fastjson.JSONObject`.
+ */
+class FastJson extends RefType {
+  FastJson() {
+    this.hasQualifiedName("com.alibaba.fastjson", "JSON") or
+    this.hasQualifiedName("com.alibaba.fastjson", "JSONObject")
+  }
+}
+
+/**
+ * A FastJson parse method. This is either `parse` or `parseObject` on either
+ * `com.alibaba.fastjson.JSON` or `com.alibaba.fastjson.JSONObject`.
+ */
+class FastJsonParseMethod extends Method {
+  FastJsonParseMethod() {
+    this.getDeclaringType() instanceof FastJson and
+    this.hasName(["parse", "parseObject"])
+  }
+}
+
+/**
+ * A call to `ParserConfig.setSafeMode`.
+ */
+class FastJsonSetSafeMode extends MethodAccess {
+  FastJsonSetSafeMode() {
+    exists(Method m |
+      this.getMethod() = m and
+      m.hasName("setSafeMode") and
+      m.getDeclaringType().hasQualifiedName("com.alibaba.fastjson.parser", "ParserConfig")
+    )
+  }
+
+  /** Gets the constant value passed to this call, if any. */
+  boolean getMode() { result = this.getArgument(0).(CompileTimeConstantExpr).getBooleanValue() }
+}
+
+/**
+ * Holds if there is some call to `ParserConfig.setSafeMode` that does not
+ * explicitly disable safe mode.
+ */
+predicate fastJsonLooksSafe() {
+  exists(FastJsonSetSafeMode setsafe | not setsafe.getMode() = false)
+}
diff --git a/java/ql/src/semmle/code/java/security/UnsafeDeserialization.qll b/java/ql/src/semmle/code/java/security/UnsafeDeserialization.qll
@@ -1,6 +1,7 @@
 import semmle.code.java.frameworks.Kryo
 import semmle.code.java.frameworks.XStream
 import semmle.code.java.frameworks.SnakeYaml
+import semmle.code.java.frameworks.FastJson
 import semmle.code.java.frameworks.apache.Lang
 
 class ObjectInputStreamReadObjectMethod extends Method {
@@ -77,6 +78,10 @@ predicate unsafeDeserialization(MethodAccess ma, Expr sink) {
     or
     ma instanceof UnsafeSnakeYamlParse and
     sink = ma.getArgument(0)
+    or
+    ma.getMethod() instanceof FastJsonParseMethod and
+    not fastJsonLooksSafe() and
+    sink = ma.getArgument(0)
   )
 }
 

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+lgtm,codescanning`
	`2`	+* The "Deserialization of user-controlled data" (`java/unsafe-deserialization`) query
	`3`	+ now recognizes `FastJson` deserialization.