/**
* @name Unsafe deserialization with Spring's remote service exporters
* @description A Spring bean based on RemoteInvocationSerializingExporter initializes
* an endpoint that uses ObjectInputStream to deserialize incoming data. In the worst case,
* that may lead to remote code execution.
* @kind problem
* @problem.severity error
* @precision high
* @id java/unsafe-deserialization-spring-exporter-in-configuration-class
* @tags security
* experimental
* external/cwe/cwe-502
*/
import java
deprecated import UnsafeSpringExporterLib
/**
 * Holds if `type` is a Spring configuration class that declares beans: it either carries
 * `@Configuration` directly, or carries an annotation that is itself a configuration
 * annotation (see `isConfigurationAnnotation`).
 */
private predicate isConfiguration(RefType type) {
  type.hasAnnotation("org.springframework.context.annotation", "Configuration")
  or
  exists(Annotation metaAnnotation |
    metaAnnotation = type.getAnAnnotation() and isConfigurationAnnotation(metaAnnotation)
  )
}
/**
 * Holds if `annotation` is a Java annotation that declares a Spring configuration, either
 * because its annotation type is itself a configuration (see `isConfiguration`) or because
 * that type is meta-annotated, transitively, with a configuration annotation.
 */
private predicate isConfigurationAnnotation(Annotation annotation) {
  exists(AnnotationType annotationType | annotationType = annotation.getType() |
    isConfiguration(annotationType)
    or
    // Follow meta-annotations so that custom composed configuration annotations are found.
    isConfigurationAnnotation(annotationType.getAnAnnotation())
  )
}
/**
 * A `@Bean` method declared in a Spring configuration class whose return type is an
 * exporter based on `RemoteInvocationSerializingExporter` (as identified by
 * `isRemoteInvocationSerializingExporter`), and which therefore sets up an
 * `ObjectInputStream`-backed deserialization endpoint.
 */
deprecated private class UnsafeBeanInitMethod extends Method {
  // Bean name: the literal `name` element of `@Bean` when present, otherwise the method name.
  string identifier;

  UnsafeBeanInitMethod() {
    isConfiguration(this.getDeclaringType()) and
    isRemoteInvocationSerializingExporter(this.getReturnType()) and
    exists(Annotation beanAnnotation |
      beanAnnotation = this.getAnAnnotation() and
      beanAnnotation.getType().hasQualifiedName("org.springframework.context.annotation", "Bean")
    |
      // Prefer an explicit string-literal `name = "..."`; when the element is absent or is
      // not a plain string literal, fall back to the method's own name.
      identifier = beanAnnotation.getValue("name").(StringLiteral).getValue()
      or
      (
        not beanAnnotation.getValue("name") instanceof StringLiteral and
        identifier = this.getName()
      )
    )
  }

  /**
   * Gets the bean name: the literal `name` element of the `Bean` annotation if it was given,
   * or this method's name otherwise.
   */
  string getBeanIdentifier() { result = identifier }
}
/**
 * Reports each unsafe exporter bean method together with an alert message naming the bean.
 * Declared `deprecated` because it depends on the deprecated `UnsafeBeanInitMethod` class.
 */
deprecated query predicate problems(UnsafeBeanInitMethod method, string message) {
  exists(string beanName | beanName = method.getBeanIdentifier() |
    message = "Unsafe deserialization in a Spring exporter bean '" + beanName + "'."
  )
}