package unsafedeserialization;
import java.io.*;
import java.net.Socket;
import java.beans.XMLDecoder;
import com.example.MyObjectInput;
import com.thoughtworks.xstream.XStream;
import com.esotericsoftware.kryo.Kryo;
import com.esotericsoftware.kryo.io.Input;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.Yaml;
import org.nibblesec.tools.SerialKiller;
/**
 * Test fixture for the CodeQL "unsafe deserialization" query (package
 * {@code unsafedeserialization}).
 *
 * <p>Every method here feeds attacker-reachable bytes -- a {@link Socket}
 * input stream, or the return value of one of the {@code getTainted*} stubs at
 * the bottom of the class -- into a deserialization API. The trailing
 * {@code // $ Source} and {@code // $ Alert} comments are inline test
 * expectations consumed by the CodeQL test harness: {@code $ Source} marks the
 * line where untrusted data enters, {@code $ Alert} marks the line the query is
 * expected to report, and lines marked {@code // OK} must NOT be reported. The
 * expectations are line-based, so those comments have to stay on exactly the
 * statements that carry the source and the sink.
 *
 * <p>This class is deliberately vulnerable. None of the {@code $ Alert}
 * patterns below should be copied into production code; the {@code // OK}
 * variants show the mitigations the query currently recognises as sanitizers,
 * not a complete hardening guide (see the per-method caveats).
 */
public class A {
    /**
     * Java native deserialization of raw socket bytes via
     * {@link ObjectInputStream#readObject()}.
     *
     * <p>No {@code ObjectInputFilter} or other class allow-list is installed on
     * the stream before {@code readObject()} is called, so the stream itself
     * decides which classes get instantiated. NOTE(review): that is the
     * precondition for classic gadget-chain RCE; a real caller would install a
     * filter (JEP 290) or avoid native serialization altogether.
     *
     * @param sock connection whose input stream is treated as untrusted
     * @return whatever object graph the remote peer encoded
     * @throws java.io.IOException    on stream errors
     * @throws ClassNotFoundException if the stream names an unknown class
     */
    public Object deserialize1a(Socket sock) throws java.io.IOException, ClassNotFoundException {
        InputStream inputStream = sock.getInputStream(); // $ Source
        ObjectInputStream in = new ObjectInputStream(inputStream);
        return in.readObject(); // $ Alert
    }

    /**
     * {@code readObject()} on a tainted {@link ObjectInput} obtained from a
     * helper rather than built locally.
     *
     * <p>Exercises the case where the stream is an interface-typed value the
     * query cannot see being constructed. {@link #getTaintedObjectInput()} is a
     * stub returning {@code null}, so this method would throw
     * {@code NullPointerException} if actually executed -- the fixture is for
     * static analysis only.
     *
     * @return the deserialized object
     * @throws java.io.IOException    on stream errors
     * @throws ClassNotFoundException if the stream names an unknown class
     */
    public Object deserialize2() throws java.io.IOException, ClassNotFoundException {
        ObjectInput objectInput = A.getTaintedObjectInput(); // $ Source
        return objectInput.readObject(); // $ Alert
    }

    /**
     * Same shape as {@link #deserialize2()} but through the project-specific
     * {@code com.example.MyObjectInput} type, to check that the sink model
     * covers subtypes/implementations of {@code ObjectInput} and not just the
     * JDK class. {@link #getTaintedMyObjectInput()} is likewise a
     * {@code null}-returning stub.
     *
     * @return the deserialized object
     * @throws java.io.IOException    on stream errors
     * @throws ClassNotFoundException if the stream names an unknown class
     */
    public Object deserialize3() throws java.io.IOException, ClassNotFoundException {
        MyObjectInput objectInput = A.getTaintedMyObjectInput(); // $ Source
        return objectInput.readObject(); // $ Alert
    }

    /**
     * Variant of {@link #deserialize1a(Socket)} using
     * {@link ObjectInputStream#readUnshared()}.
     *
     * <p>NOTE(review): {@code readUnshared()} only changes back-reference
     * handling; it performs the same class resolution and object construction
     * as {@code readObject()}, so it is an equally dangerous sink on untrusted
     * input and must be modelled as one.
     *
     * @param sock connection whose input stream is treated as untrusted
     * @return the deserialized object
     * @throws java.io.IOException    on stream errors
     * @throws ClassNotFoundException if the stream names an unknown class
     */
    public Object deserialize4(Socket sock) throws java.io.IOException, ClassNotFoundException {
        InputStream inputStream = sock.getInputStream(); // $ Source
        ObjectInputStream in = new ObjectInputStream(inputStream);
        return in.readUnshared(); // $ Alert
    }

    /**
     * Negative case: the stream is wrapped in
     * {@code org.nibblesec.tools.SerialKiller}, an {@code ObjectInputStream}
     * subclass that filters class names against an external configuration, so
     * the query treats the read as sanitized.
     *
     * <p>NOTE(review): the query accepts the wrapper purely by type. Whether
     * this is actually safe depends on the contents of
     * {@code /etc/serialkiller.conf}: a deny-list-only configuration is
     * bypassable by any gadget not on the list, and an unreadable or missing
     * file is a deployment-time failure, not something the analysis can see.
     * Treat the "OK" here as "not reported", not as "verified safe".
     *
     * @param sock connection whose input stream is untrusted
     * @return the deserialized object
     * @throws java.io.IOException    on stream or configuration errors
     * @throws ClassNotFoundException if the stream names an unknown class
     */
    public Object deserializeWithSerialKiller(Socket sock) throws java.io.IOException, ClassNotFoundException {
        InputStream inputStream = sock.getInputStream();
        ObjectInputStream in = new SerialKiller(inputStream, "/etc/serialkiller.conf");
        return in.readUnshared(); // OK
    }

    /**
     * {@link XMLDecoder} fed directly from the socket.
     *
     * <p>NOTE(review): {@code java.beans.XMLDecoder} is not a data format
     * parser -- the XML it reads is a script of constructor and method
     * invocations, so untrusted input is arbitrary code execution by design.
     * There is no safe configuration; the only fix is not to use it on
     * external data. (The decoder is also never closed here; irrelevant for
     * the fixture, but a leak in real code.)
     *
     * @param sock connection whose input stream is untrusted
     * @return the object the XML script constructs
     * @throws java.io.IOException on stream errors
     */
    public Object deserialize5(Socket sock) throws java.io.IOException {
        InputStream inputStream = sock.getInputStream(); // $ Source
        XMLDecoder d = new XMLDecoder(inputStream);
        return d.readObject(); // $ Alert
    }

    /**
     * XStream {@code fromXML} on a reader over the socket stream.
     *
     * <p>The {@link XStream} instance is created with the no-arg constructor
     * and no {@code allowTypes}/{@code addPermission} calls, i.e. no explicit
     * type allow-list. NOTE(review): how permissive that default is depends on
     * the XStream version (the security framework became active by default in
     * later 1.4.x releases); the query flags the unconfigured instance
     * regardless, which is the conservative choice. Production code should
     * always allow-list the concrete types it expects.
     *
     * @param sock connection whose input stream is untrusted
     * @return the object graph described by the XML
     * @throws java.io.IOException on stream errors
     */
    public Object deserialize6(Socket sock) throws java.io.IOException {
        XStream xs = new XStream();
        InputStream inputStream = sock.getInputStream(); // $ Source
        Reader reader = new InputStreamReader(inputStream);
        return xs.fromXML(reader); // $ Alert
    }

    /**
     * The three Kryo read entry points on an unconfigured {@link Kryo}.
     *
     * <p>Nothing restricts which classes the stream may name: there is no
     * {@code setRegistrationRequired(true)} and no {@code register(...)} call
     * (contrast {@link #getSafeKryo()}). NOTE(review): in Kryo versions where
     * registration is optional by default, {@code readClassAndObject} will
     * instantiate whatever fully-qualified class name appears in the input;
     * {@code readObject}/{@code readObjectOrNull} fix the root type but still
     * deserialize nested fields. All three are reported.
     *
     * @param sock connection whose input stream is untrusted
     * @throws java.io.IOException on stream errors
     */
    public void deserialize7(Socket sock) throws java.io.IOException {
        Kryo kryo = new Kryo();
        Input input = new Input(sock.getInputStream()); // $ Source
        A a1 = kryo.readObject(input, A.class); // $ Alert
        A a2 = kryo.readObjectOrNull(input, A.class); // $ Alert
        Object o = kryo.readClassAndObject(input); // $ Alert
    }

    /**
     * Builds the Kryo instance the query recognises as safe: registration is
     * required, so the stream can only refer to classes registered up front.
     *
     * <p>The actual {@code kryo.register(A.class)} call is elided (see the
     * comment in the body), so as written this instance has no registered
     * classes at all and a real {@code readClassAndObject} would fail rather
     * than succeed. NOTE(review): requiring registration is only a mitigation
     * if the registered set itself contains no gadget types -- the allow-list
     * is the security boundary, and the analysis does not inspect it.
     *
     * @return a Kryo with {@code registrationRequired == true}
     * @throws java.io.IOException declared for symmetry with the callers; not thrown here
     */
    private Kryo getSafeKryo() throws java.io.IOException {
        Kryo kryo = new Kryo();
        kryo.setRegistrationRequired(true);
        // ... kryo.register(A.class) ...
        return kryo;
    }

    /**
     * Negative case for Kryo: the same {@code readClassAndObject} sink as in
     * {@link #deserialize7(Socket)}, but on the registration-required instance
     * from {@link #getSafeKryo()}, so no alert is expected.
     *
     * @param sock connection whose input stream is untrusted
     * @throws java.io.IOException on stream errors
     */
    public void deserialize8(Socket sock) throws java.io.IOException {
        Kryo kryo = getSafeKryo();
        Input input = new Input(sock.getInputStream());
        Object o = kryo.readClassAndObject(input); // OK
    }

    /**
     * SnakeYAML with the default {@code new Yaml()} constructor: all five load
     * entry points ({@code load}, {@code loadAll}, {@code parse},
     * and both {@code loadAs} overloads) are exercised on the socket stream.
     *
     * <p>NOTE(review): the default {@code Yaml()} historically used the
     * unrestricted {@code Constructor}, which honours {@code !!fully.qualified.Name}
     * tags and so lets the document pick the classes to instantiate (the
     * well-known SnakeYAML RCE). Newer SnakeYAML releases tightened the default
     * tag policy; the query still reports the unconfigured instance. Even
     * {@code loadAs(.., A.class)} only pins the root type -- nested values can
     * still carry tags -- which is why it is reported too.
     *
     * @param sock connection whose input stream is untrusted
     * @throws java.io.IOException on stream errors
     */
    public void deserializeSnakeYaml(Socket sock) throws java.io.IOException {
        Yaml yaml = new Yaml();
        InputStream input = sock.getInputStream(); // $ Source
        Object o = yaml.load(input); // $ Alert
        Object o2 = yaml.loadAll(input); // $ Alert
        Object o3 = yaml.parse(new InputStreamReader(input)); // $ Alert
        A o4 = yaml.loadAs(input, A.class); // $ Alert
        A o5 = yaml.loadAs(new InputStreamReader(input), A.class); // $ Alert
    }

    /**
     * Same as {@link #deserializeSnakeYaml(Socket)} but with the unrestricted
     * {@link Constructor} passed explicitly, so the query must recognise the
     * explicit form as equivalent to the default. All five calls are reported.
     *
     * @param sock connection whose input stream is untrusted
     * @throws java.io.IOException on stream errors
     */
    public void deserializeSnakeYaml2(Socket sock) throws java.io.IOException {
        Yaml yaml = new Yaml(new Constructor());
        InputStream input = sock.getInputStream(); // $ Source
        Object o = yaml.load(input); // $ Alert
        Object o2 = yaml.loadAll(input); // $ Alert
        Object o3 = yaml.parse(new InputStreamReader(input)); // $ Alert
        A o4 = yaml.loadAs(input, A.class); // $ Alert
        A o5 = yaml.loadAs(new InputStreamReader(input), A.class); // $ Alert
    }

    /**
     * Negative case for SnakeYAML: {@link SafeConstructor} is the documented
     * mitigation -- it only builds the standard YAML scalar/collection types and
     * rejects arbitrary class tags -- so none of the five calls are reported.
     *
     * <p>NOTE(review): the {@code loadAs(.., A.class)} lines are marked OK here
     * purely because of the constructor in use; with {@code SafeConstructor} a
     * {@code !!A}-tagged document would be rejected rather than instantiated.
     *
     * @param sock connection whose input stream is untrusted
     * @throws java.io.IOException on stream errors
     */
    public void deserializeSnakeYaml3(Socket sock) throws java.io.IOException {
        Yaml yaml = new Yaml(new SafeConstructor());
        InputStream input = sock.getInputStream();
        Object o = yaml.load(input); //OK
        Object o2 = yaml.loadAll(input); //OK
        Object o3 = yaml.parse(new InputStreamReader(input)); //OK
        A o4 = yaml.loadAs(input, A.class); //OK
        A o5 = yaml.loadAs(new InputStreamReader(input), A.class); //OK
    }

    /**
     * SnakeYAML with a root-typed {@code new Constructor(A.class)}.
     *
     * <p>Fixing the root class is a common but insufficient "hardening": the
     * constructor still resolves explicit tags on nested nodes, so the
     * document can instantiate other classes below the root. The query
     * therefore reports all five calls, exactly as for the untyped
     * {@link Constructor} in {@link #deserializeSnakeYaml2(Socket)}.
     * NOTE(review): the safe alternative is {@code SafeConstructor} plus
     * explicit mapping, or a {@code LoaderOptions}/tag-inspector policy that
     * rejects global tags.
     *
     * @param sock connection whose input stream is untrusted
     * @throws java.io.IOException on stream errors
     */
    public void deserializeSnakeYaml4(Socket sock) throws java.io.IOException {
        Yaml yaml = new Yaml(new Constructor(A.class));
        InputStream input = sock.getInputStream(); // $ Source
        Object o = yaml.load(input); // $ Alert
        Object o2 = yaml.loadAll(input); // $ Alert
        Object o3 = yaml.parse(new InputStreamReader(input)); // $ Alert
        A o4 = yaml.loadAs(input, A.class); // $ Alert
        A o5 = yaml.loadAs(new InputStreamReader(input), A.class); // $ Alert
    }

    /**
     * Stub standing in for "an ObjectInput that came from an untrusted
     * source". It is modelled as a taint source by the test's data-flow
     * configuration; at runtime it just returns {@code null}.
     *
     * @return always {@code null}
     */
    static ObjectInput getTaintedObjectInput() { return null; }

    /**
     * Stub standing in for an untrusted {@code com.example.MyObjectInput}.
     * Same role as {@link #getTaintedObjectInput()}; returns {@code null}.
     *
     * @return always {@code null}
     */
    static MyObjectInput getTaintedMyObjectInput() { return null; }
}