Skip to content

Java : add fastjson detection. Improve RemoteFlowSource class, support SpringMvc #119

New issue
New issue
Closed
Closed
Java : add fastjson detection. Improve RemoteFlowSource class, support SpringMvc#119
Labels
All For OneSubmissions to the All for One, One for All bounty
@haby0

Description

@haby0
haby0
opened on Jun 10, 2020

CVE

There is no CVE for this.

Report

This query adds Fastjson deserialization sinks.

JSON.parseObject(cmd);
JSON.parse(cmd);

It has been added to CWE-502. I found that RemoteFlowSource cannot be supported in the test: (1) SpringMVC directly submits parameters; (2) SpringMVC does routing access through Mapping annotations, and the original verification does not have this logic. I Some additions have been made here.

please check:

codeql\java\ql\src\semmle\code\java\frameworks\SpringMVC.qll

codeql\java\ql\src\semmle\code\java\dataflow\FlowSources.qll SpringMVC class

codeql\java\ql\src\semmle\code\java\security\UnsafeDeserialization.qll

codeql\java\ql\src\Security\CWE\CWE-502

Link to the PR:github/codeql#3665

Metadata

Metadata

Assignees

No one assigned

    Labels

    All For OneSubmissions to the All for One, One for All bounty

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions