Skip to content

Java: Add support for FastJson in unsafe deserialization. #4427

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Nov 23, 2020
Merged

Java: Add support for FastJson in unsafe deserialization. #4427

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
80ee92a
Java: Add support for FastJson in unsafe deserialization.
aschackmull Oct 7, 2020
4be731d
Java: Adjust reference to static method and add test.
aschackmull Oct 15, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions java/change-notes/2020-10-07-fastjson-deserialization-sink.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
lgtm,codescanning
* The "Deserialization of user-controlled data" (`java/unsafe-deserialization`) query
now recognizes `FastJson` deserialization.
46 changes: 46 additions & 0 deletions java/ql/src/semmle/code/java/frameworks/FastJson.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,46 @@
/**
* Provides classes and predicates for working with the FastJson framework.
*/

import java

/**
* The class `com.alibaba.fastjson.JSON`.
*/
class FastJson extends RefType {
FastJson() { this.hasQualifiedName("com.alibaba.fastjson", "JSON") }
}

/**
* A FastJson parse method. This is either `JSON.parse` or `JSON.parseObject`.
*/
class FastJsonParseMethod extends Method {
FastJsonParseMethod() {
this.getDeclaringType() instanceof FastJson and
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
this.getDeclaringType() instanceof FastJson and
this.getDeclaringType().getASourceSupertype*() instanceof FastJson and

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Turns out that these are static methods.

this.hasName(["parse", "parseObject"])
}
}

/**
* A call to `ParserConfig.setSafeMode`.
*/
class FastJsonSetSafeMode extends MethodAccess {
FastJsonSetSafeMode() {
exists(Method m |
this.getMethod() = m and
m.hasName("setSafeMode") and
m.getDeclaringType().hasQualifiedName("com.alibaba.fastjson.parser", "ParserConfig")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would add getASourceSupertype*() to also cover subclasses.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think that's necessary here. I think it's quite unlikely that this will be overridden.

)
}

/** Gets the constant value passed to this call, if any. */
boolean getMode() { result = this.getArgument(0).(CompileTimeConstantExpr).getBooleanValue() }
}

/**
* Holds if there is some call to `ParserConfig.setSafeMode` that does not
* explicitly disable safe mode.
*/
predicate fastJsonLooksSafe() {
exists(FastJsonSetSafeMode setsafe | not setsafe.getMode() = false)
}
5 changes: 5 additions & 0 deletions java/ql/src/semmle/code/java/security/UnsafeDeserialization.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
import semmle.code.java.frameworks.Kryo
import semmle.code.java.frameworks.XStream
import semmle.code.java.frameworks.SnakeYaml
import semmle.code.java.frameworks.FastJson
import semmle.code.java.frameworks.apache.Lang

class ObjectInputStreamReadObjectMethod extends Method {
Expand Down Expand Up @@ -77,6 +78,10 @@ predicate unsafeDeserialization(MethodAccess ma, Expr sink) {
or
ma instanceof UnsafeSnakeYamlParse and
sink = ma.getArgument(0)
or
ma.getMethod() instanceof FastJsonParseMethod and
not fastJsonLooksSafe() and
sink = ma.getArgument(0)
)
}

Expand Down
33 changes: 33 additions & 0 deletions java/ql/test/query-tests/security/CWE-502/B.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
import java.io.*;
import java.net.Socket;
import com.alibaba.fastjson.JSON;

public class B {
public Object deserializeJson1(Socket sock) {
InputStream inputStream = sock.getInputStream();
return JSON.parseObject(inputStream, null); // unsafe
}

public Object deserializeJson2(Socket sock) {
InputStream inputStream = sock.getInputStream();
byte[] bytes = new byte[100];
inputStream.read(bytes);
return JSON.parse(bytes); // unsafe
}

public Object deserializeJson3(Socket sock) {
InputStream inputStream = sock.getInputStream();
byte[] bytes = new byte[100];
inputStream.read(bytes);
String s = new String(bytes);
return JSON.parseObject(s); // unsafe
}

public Object deserializeJson4(Socket sock) {
InputStream inputStream = sock.getInputStream();
byte[] bytes = new byte[100];
inputStream.read(bytes);
String s = new String(bytes);
return JSON.parse(s); // unsafe
}
}
16 changes: 16 additions & 0 deletions java/ql/test/query-tests/security/CWE-502/UnsafeDeserialization.expected
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,10 @@ edges
| A.java:70:25:70:45 | getInputStream(...) : InputStream | A.java:73:28:73:55 | new InputStreamReader(...) |
| A.java:70:25:70:45 | getInputStream(...) : InputStream | A.java:74:24:74:28 | input |
| A.java:70:25:70:45 | getInputStream(...) : InputStream | A.java:75:24:75:51 | new InputStreamReader(...) |
| B.java:7:31:7:51 | getInputStream(...) : InputStream | B.java:8:29:8:39 | inputStream |
| B.java:12:31:12:51 | getInputStream(...) : InputStream | B.java:15:23:15:27 | bytes |
| B.java:19:31:19:51 | getInputStream(...) : InputStream | B.java:23:29:23:29 | s |
| B.java:27:31:27:51 | getInputStream(...) : InputStream | B.java:31:23:31:23 | s |
| TestMessageBodyReader.java:20:55:20:78 | entityStream : InputStream | TestMessageBodyReader.java:22:18:22:52 | new ObjectInputStream(...) |
nodes
| A.java:13:31:13:51 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
Expand All @@ -42,6 +46,14 @@ nodes
| A.java:73:28:73:55 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) |
| A.java:74:24:74:28 | input | semmle.label | input |
| A.java:75:24:75:51 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) |
| B.java:7:31:7:51 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
| B.java:8:29:8:39 | inputStream | semmle.label | inputStream |
| B.java:12:31:12:51 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
| B.java:15:23:15:27 | bytes | semmle.label | bytes |
| B.java:19:31:19:51 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
| B.java:23:29:23:29 | s | semmle.label | s |
| B.java:27:31:27:51 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
| B.java:31:23:31:23 | s | semmle.label | s |
| TestMessageBodyReader.java:20:55:20:78 | entityStream : InputStream | semmle.label | entityStream : InputStream |
| TestMessageBodyReader.java:22:18:22:52 | new ObjectInputStream(...) | semmle.label | new ObjectInputStream(...) |
#select
Expand All @@ -62,4 +74,8 @@ nodes
| A.java:73:17:73:56 | parse(...) | A.java:70:25:70:45 | getInputStream(...) : InputStream | A.java:73:28:73:55 | new InputStreamReader(...) | Unsafe deserialization of $@. | A.java:70:25:70:45 | getInputStream(...) | user input |
| A.java:74:12:74:38 | loadAs(...) | A.java:70:25:70:45 | getInputStream(...) : InputStream | A.java:74:24:74:28 | input | Unsafe deserialization of $@. | A.java:70:25:70:45 | getInputStream(...) | user input |
| A.java:75:12:75:61 | loadAs(...) | A.java:70:25:70:45 | getInputStream(...) : InputStream | A.java:75:24:75:51 | new InputStreamReader(...) | Unsafe deserialization of $@. | A.java:70:25:70:45 | getInputStream(...) | user input |
| B.java:8:12:8:46 | parseObject(...) | B.java:7:31:7:51 | getInputStream(...) : InputStream | B.java:8:29:8:39 | inputStream | Unsafe deserialization of $@. | B.java:7:31:7:51 | getInputStream(...) | user input |
| B.java:15:12:15:28 | parse(...) | B.java:12:31:12:51 | getInputStream(...) : InputStream | B.java:15:23:15:27 | bytes | Unsafe deserialization of $@. | B.java:12:31:12:51 | getInputStream(...) | user input |
| B.java:23:12:23:30 | parseObject(...) | B.java:19:31:19:51 | getInputStream(...) : InputStream | B.java:23:29:23:29 | s | Unsafe deserialization of $@. | B.java:19:31:19:51 | getInputStream(...) | user input |
| B.java:31:12:31:24 | parse(...) | B.java:27:31:27:51 | getInputStream(...) : InputStream | B.java:31:23:31:23 | s | Unsafe deserialization of $@. | B.java:27:31:27:51 | getInputStream(...) | user input |
| TestMessageBodyReader.java:22:18:22:65 | readObject(...) | TestMessageBodyReader.java:20:55:20:78 | entityStream : InputStream | TestMessageBodyReader.java:22:18:22:52 | new ObjectInputStream(...) | Unsafe deserialization of $@. | TestMessageBodyReader.java:20:55:20:78 | entityStream | user input |
2 changes: 1 addition & 1 deletion java/ql/test/query-tests/security/CWE-502/options
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1 +1 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/snakeyaml-1.21:${testdir}/../../../stubs/xstream-1.4.10:${testdir}/../../../stubs/kryo-4.0.2:${testdir}/../../../stubs/jsr311-api-1.1.1
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/snakeyaml-1.21:${testdir}/../../../stubs/xstream-1.4.10:${testdir}/../../../stubs/kryo-4.0.2:${testdir}/../../../stubs/jsr311-api-1.1.1:${testdir}/../../../stubs/fastjson-1.2.74
210 changes: 210 additions & 0 deletions java/ql/test/stubs/fastjson-1.2.74/com/alibaba/fastjson/JSON.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,210 @@
/*
* Copyright 1999-2017 Alibaba Group.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package com.alibaba.fastjson;

import java.io.IOException;
import java.io.InputStream;
import java.lang.reflect.Type;
import java.nio.charset.Charset;
import java.nio.charset.CharsetDecoder;
import java.util.*;

import com.alibaba.fastjson.parser.*;
import com.alibaba.fastjson.parser.deserializer.ParseProcess;

public abstract class JSON {
public static Object parse(String text) {
return null;
}

public static Object parse(String text, ParserConfig config) {
return null;
}

public static Object parse(String text, ParserConfig config, Feature... features) {
return null;
}

public static Object parse(String text, ParserConfig config, int features) {
return null;
}

public static Object parse(String text, int features) {
return null;
}

public static Object parse(byte[] input, Feature... features) {
return null;
}

public static Object parse(byte[] input, int off, int len, CharsetDecoder charsetDecoder, Feature... features) {
return null;
}

public static Object parse(byte[] input, int off, int len, CharsetDecoder charsetDecoder, int features) {
return null;
}

public static Object parse(String text, Feature... features) {
return null;
}

public static JSONObject parseObject(String text, Feature... features) {
return null;
}

public static JSONObject parseObject(String text) {
return null;
}

public static <T> T parseObject(String text, TypeReference<T> type, Feature... features) {
return null;
}

public static <T> T parseObject(String json, Class<T> clazz, Feature... features) {
return null;
}

public static <T> T parseObject(String text, Class<T> clazz, ParseProcess processor, Feature... features) {
return null;
}

public static <T> T parseObject(String json, Type type, Feature... features) {
return null;
}

public static <T> T parseObject(String input, Type clazz, ParseProcess processor, Feature... features) {
return null;
}

public static <T> T parseObject(String input, Type clazz, int featureValues, Feature... features) {
return null;
}

public static <T> T parseObject(String input, Type clazz, ParserConfig config, Feature... features) {
return null;
}

public static <T> T parseObject(String input, Type clazz, ParserConfig config, int featureValues,
Feature... features) {
return null;
}

public static <T> T parseObject(String input, Type clazz, ParserConfig config, ParseProcess processor,
int featureValues, Feature... features) {
return null;
}

public static <T> T parseObject(byte[] bytes, Type clazz, Feature... features) {
return null;
}

public static <T> T parseObject(byte[] bytes, int offset, int len, Charset charset, Type clazz, Feature... features) {
return null;
}

public static <T> T parseObject(byte[] bytes,
Charset charset,
Type clazz,
ParserConfig config,
ParseProcess processor,
int featureValues,
Feature... features) {
return null;
}

public static <T> T parseObject(byte[] bytes, int offset, int len,
Charset charset,
Type clazz,
ParserConfig config,
ParseProcess processor,
int featureValues,
Feature... features) {
return null;
}

public static <T> T parseObject(byte[] input,
int off,
int len,
CharsetDecoder charsetDecoder,
Type clazz,
Feature... features) {
return null;
}

public static <T> T parseObject(char[] input, int length, Type clazz, Feature... features) {
return null;
}

public static <T> T parseObject(InputStream is,
Type type,
Feature... features) throws IOException {
return null;
}

public static <T> T parseObject(InputStream is,
Charset charset,
Type type,
Feature... features) throws IOException {
return null;
}

public static <T> T parseObject(InputStream is,
Charset charset,
Type type,
ParserConfig config,
Feature... features) throws IOException {
return null;
}

public static <T> T parseObject(InputStream is,
Charset charset,
Type type,
ParserConfig config,
ParseProcess processor,
int featureValues,
Feature... features) throws IOException {
return null;
}

public static <T> T parseObject(String text, Class<T> clazz) {
return null;
}

public static JSONArray parseArray(String text) {
return null;
}

public static JSONArray parseArray(String text, ParserConfig parserConfig) {
return null;
}

public static <T> List<T> parseArray(String text, Class<T> clazz) {
return null;
}

public static <T> List<T> parseArray(String text, Class<T> clazz, ParserConfig config) {
return null;
}

public static List<Object> parseArray(String text, Type[] types) {
return null;
}

public static List<Object> parseArray(String text, Type[] types, ParserConfig config) {
return null;
}
}
19 changes: 19 additions & 0 deletions java/ql/test/stubs/fastjson-1.2.74/com/alibaba/fastjson/JSONArray.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
/*
* Copyright 1999-2017 Alibaba Group.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package com.alibaba.fastjson;

public class JSONArray extends JSON {
}
19 changes: 19 additions & 0 deletions java/ql/test/stubs/fastjson-1.2.74/com/alibaba/fastjson/JSONObject.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
/*
* Copyright 1999-2017 Alibaba Group.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package com.alibaba.fastjson;

public class JSONObject extends JSON {
}
4 changes: 4 additions & 0 deletions java/ql/test/stubs/fastjson-1.2.74/com/alibaba/fastjson/TypeReference.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
package com.alibaba.fastjson;

public class TypeReference<T> {
}
Loading