[java] CodeQL query, Increase fastjson detection. Improve RemoteFlowSource class, support SpringMvc. #3665
Conversation
| */ | ||
| class FastJson extends RefType { | ||
| FastJson() { | ||
| this.hasQualifiedName("com.alibaba.fastjson", "JSON") or |
There was a problem hiding this comment.
I think you should probably either change this predicate or adjust the comment to include JSONObject as well.
|
|
||
| override predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeDeserializationSink } | ||
| } | ||
|
|
||
| from DataFlow::PathNode source, DataFlow::PathNode sink, UnsafeDeserializationConfig conf | ||
| where conf.hasFlowPath(source, sink) | ||
| select sink.getNode().(UnsafeDeserializationSink).getMethodAccess(), source, sink, | ||
| "Unsafe deserialization of $@.", source.getNode(), "user input" | ||
| "Unsafe deserialization of $@.", source.getNode(), "user input" |
There was a problem hiding this comment.
This seems to not be autoformatted.
You can run the autoformatter from VS Code on all files.
| @@ -0,0 +1,281 @@ | |||
| /** | |||
There was a problem hiding this comment.
This feels seems to be a duplicate of the existing FlowSources.qll file.
There was a problem hiding this comment.
I don’t think so. The FlowSources.qll file is missing for SpringMVC for remote input. The SpringServletInputParameterSource class can only get the remote part of the user's input, for example the following code is in the source Won't get it.
@GetMapping(value = "index")
public void index(String request){
System.out.println(request);
}I added the SpringMVC class to the FlowSources.qll file, mainly to verify whether the class annotation where the method parameters are obtained uses the ``Mapping``` and sub-annotations.
You can try the above code with the following statement.
import java
import semmle.code.java.dataflow.FlowSources
from RemoteFlowSource rfs
select rfsThere was a problem hiding this comment.
You have two FlowSources.qll files in your commit.
java/ql/src/semmle/code/java/dataflow/FlowSources.qll
and
java/ql/src/semmle/code/java/FlowSources.qll
There was a problem hiding this comment.
Sorry, I have a problem with the project here and need to resubmit it.
There was a problem hiding this comment.
Hello
Sorry, I added pr.
Link to the PR:[#3674]
About fastjson introduction:
https://github.com/alibaba/fastjson
Fastjson deserializes through the parse and parseObject methods, and there may be command execution vulnerabilities in deserialization.
Vulnerabilities and fixes:
https://m.sangfor.com/source/blog-network-security/1516.html
https://github.com/alibaba/fastjson/issues
|
Looks like this is superseded by #3674. Closing. |
CodeQL query, Increase fastjson detection. Improve RemoteFlowSource class, support SpringMvc.