/**
 * @name Unsafe XML deserialization
 * @kind path-problem
 * @id java/unsafe-deserialization
 */
import
java
import
semmle.code.java.dataflow.DataFlow
import
DataFlow::PathGraph
/**
 * Holds if `arg` is the first argument of a call to a method named `fromXML`,
 * i.e. the value that is handed to an XML deserializer.
 *
 * NOTE(review): the match is by method name only, regardless of the declaring
 * type. That covers e.g. XStream's `fromXML` but also any unrelated method that
 * happens to share the name — confirm whether narrowing on the declaring type is
 * wanted before relying on this for triage.
 */
predicate isXMLDeserialized(Expr arg) {
  exists(MethodAccess call | call.getMethod().hasName("fromXML") | arg = call.getArgument(0))
}
/** The Struts REST plugin interface `org.apache.struts2.rest.handler.ContentTypeHandler`. */
class ContentTypeHandler extends RefType {
  ContentTypeHandler() {
    // Identified by fully-qualified name only; no structural check on the type.
    this.hasQualifiedName("org.apache.struts2.rest.handler", "ContentTypeHandler")
  }
}
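/**
 * A method named `toObject` declared on a direct or indirect subtype of
 * `org.apache.struts2.rest.handler.ContentTypeHandler`.
 *
 * The transitive closure `getASupertype+()` is used so that a handler which
 * reaches the interface through an intermediate class or interface is still
 * recognised; a direct-supertype check would silently miss such handlers and
 * therefore miss their deserialization sources.
 */
class ContentTypeHandlerToObject extends Method {
  ContentTypeHandlerToObject() {
    this.getDeclaringType().getASupertype+() instanceof ContentTypeHandler and
    this.hasName("toObject")
  }
}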
/**
 * Data-flow configuration from the first parameter of a `ContentTypeHandler`
 * `toObject` method to the argument of a `fromXML` call.
 *
 * NOTE(review): this is a `DataFlow::Configuration`, so only value-preserving
 * steps are followed. If the request body is wrapped or transformed before it
 * reaches `fromXML`, the path is presumably not reported — confirm whether a
 * taint-tracking configuration is intended instead.
 */
class StrutsUnsafeDeserializationConfig extends DataFlow::Configuration {
  StrutsUnsafeDeserializationConfig() { this = "StrutsUnsafeDeserializationConfig" }

  /** The first parameter of any `ContentTypeHandlerToObject` method. */
  override predicate isSource(DataFlow::Node source) {
    source.asParameter() = any(ContentTypeHandlerToObject toObject).getParameter(0)
  }

  /** Any expression that `isXMLDeserialized` holds for. */
  override predicate isSink(DataFlow::Node sink) { isXMLDeserialized(sink.asExpr()) }
}
// Report every source-to-sink path found by the configuration. The alert is
// placed on the sink (the `fromXML` argument); `source` and `sink` are also
// selected so the path is rendered by `DataFlow::PathGraph`.
from StrutsUnsafeDeserializationConfig cfg, DataFlow::PathNode src, DataFlow::PathNode snk
where cfg.hasFlowPath(src, snk)
select snk, src, snk, "Unsafe XML deserialization"