Predicate createJacksonTreeNodeStep

Holds if fromNode to toNode is a dataflow step that creates a Jackson TreeNode.

These are parse trees of user-supplied JSON, which may lead to arbitrary code execution if passed to an unsafely-configured ObjectMapper’s treeToValue method.

Import path


                                import semmle.code.java.frameworks.Jackson


                            
                                
                                    predicate
                                
                                 
                            
                            
                                createJacksonTreeNodeStep
                            
                            
                                (
                                
                                    
                                        Node
                                    
                                     
                                    fromNode
                                
                                , 
                                
                                    
                                        Node
                                    
                                     
                                    toNode
                                
                                )