CodeQL library for Java/Kotlin
codeql/java-all 4.0.1-dev (changelog, source)
Search

Module UnsafeDeserializationQuery

Provides classes and predicates for finding deserialization vulnerabilities.

Import path

import semmle.code.java.security.UnsafeDeserializationQuery

Imports

FlowSources

Provides classes representing various flow sources for taint tracking.

Predicates

getASafeFlexjsonUseCall

Gets a safe usage of the use method of Flexjson, which could be: use(String, …) where the path is null or use(ObjectFactory, String…) where the string varargs (or array) contains null

isSafeFlexjsonDeserializer

Holds if e is a safely configured Flexjson JSONDeserializer.

looksLikeResolveClassStep

Holds if fromNode to toNode is a dataflow step that looks like resolving a class. A method probably resolves a class if it takes a string, returns a type descriptor, and its name contains “resolve”, “load”, etc.

resolveClassStep

Holds if fromNode to toNode is a dataflow step that resolves a class.

unsafeDeserialization

Holds if ma is a call that deserializes data from sink.

Classes

UnsafeDeserializationSink

A sink for unsafe deserialization.

Modules

SafeObjectMapperConfig

Tracks flow from calls that set a type validator to a subsequent Jackson deserialization method call, including across builder method calls.

UnsafeTypeConfig

Tracks flow from a remote source to a type descriptor (e.g. a java.lang.Class instance) passed to a deserialization method.

Aliases

EnableJacksonDefaultTypingFlow

Tracks flow from enableDefaultTyping calls to a subsequent Jackson deserialization method call.

SafeObjectMapperFlow

Tracks flow from calls that set a type validator to a subsequent Jackson deserialization method call, including across builder method calls.

UnsafeDeserializationFlow

Constructs a global taint tracking computation.

UnsafeTypeFlow

Tracks flow from a remote source to a type descriptor (e.g. a java.lang.Class instance) passed to a deserialization method.