CodeQL library for Java
codeql/java-all 0.5.5 (changelog, source)

Module UnsafeDeserializationQuery

Provides classes and predicates for finding deserialization vulnerabilities.

Import path

import semmle.code.java.security.UnsafeDeserializationQuery

Imports

FlowSources

Provides classes representing various flow sources for taint tracking.

Predicates

getASafeFlexjsonUseCall

Gets a safe usage of Flexjson's use method, which is either use(String, …) where the path is null, or use(ObjectFactory, String…) where the string varargs (or array) contains null.

isSafeFlexjsonDeserializer

Holds if e is a safely configured Flexjson JSONDeserializer.

looksLikeResolveClassStep

Holds if fromNode to toNode is a dataflow step that looks like resolving a class. A method probably resolves a class if it takes a string, returns a type descriptor, and its name contains “resolve”, “load”, etc.

resolveClassStep

Holds if fromNode to toNode is a dataflow step that resolves a class.

unsafeDeserialization

Holds if ma is a call that deserializes data from sink.

Classes

EnableJacksonDefaultTypingConfig

Tracks flow from enableDefaultTyping calls to a subsequent Jackson deserialization method call.

SafeObjectMapperConfig

Tracks flow from calls that set a type validator to a subsequent Jackson deserialization method call, including across builder method calls.

UnsafeDeserializationConfig

Tracks flows from remote user input to a deserialization sink.

UnsafeDeserializationSink

A sink for unsafe deserialization.

UnsafeTypeConfig

Tracks flow from a remote source to a type descriptor (e.g. a java.lang.Class instance) passed to a deserialization method.