Java: Add support for FastJson in unsafe deserialization. #4427
Conversation
| */ | ||
| class FastJson extends RefType { | ||
| FastJson() { | ||
| this.hasQualifiedName("com.alibaba.fastjson", "JSON") or |
There was a problem hiding this comment.
I believe JSONObject is a subclass of JSON so there should be no need for the or. There are also several other subclasses of JSON . See: https://github.com/alibaba/fastjson/tree/master/src/main/java/com/alibaba/fastjson
There was a problem hiding this comment.
I've removed JSONObject. It never really made sense to include, since the relevant methods are static.
| */ | ||
| class FastJsonParseMethod extends Method { | ||
| FastJsonParseMethod() { | ||
| this.getDeclaringType() instanceof FastJson and |
There was a problem hiding this comment.
| this.getDeclaringType() instanceof FastJson and | |
| this.getDeclaringType().getASourceSupertype*() instanceof FastJson and |
There was a problem hiding this comment.
Turns out that these are static methods.
| exists(Method m | | ||
| this.getMethod() = m and | ||
| m.hasName("setSafeMode") and | ||
| m.getDeclaringType().hasQualifiedName("com.alibaba.fastjson.parser", "ParserConfig") |
There was a problem hiding this comment.
I would add getASourceSupertype*() to also cover subclasses.
There was a problem hiding this comment.
I don't think that's necessary here. I think it's quite unlikely that this will be overridden.
aschackmull
force-pushed
the
java/fastjson
branch
from
6e9d3e0 to
4be731d
Compare
|
Rebased to fix merge conflict. |
This cherry-picks the addition of FastJson deserialization sinks from #3674 and adds a check for safe mode sanitization and a change note.