Merge pull request #2906 from lfama/develop

Improved jackson-unsafe-deserialization rule to match more cases

java/lang/security/jackson-unsafe-deserialization.java

@@ -46,7 +46,7 @@ public static void main(String[] args) throws JsonGenerationException, JsonMappi
     public static void anotherMain(String[] args) throws JsonGenerationException, JsonMappingException, IOException {
         ObjectMapper objectMapper = new ObjectMapper();
         // Disable default typing globally
-        //objectMapper.enableDefaultTyping();
+        // objectMapper.enableDefaultTyping();
 
         try {
             // ruleid: jackson-unsafe-deserialization
@@ -70,4 +70,38 @@ public static void anotherMain2(String[] args) throws JsonGenerationException, J
         }
 
     }
+}
+
+// Additional class to test rule when ObjectMapper is created in a different
+// method
+@RestController
+public class MyController {
+    private Test variable;
+    private ObjectMapper objectMapper;
+    private Test2 variable2;
+
+    @PostConstruct
+    public void initialize() {
+        this.variable = 123;
+        objectMapper = new ObjectMapper();
+        objectMapper.enableDefaultTyping();
+        this.variable2 = 456;
+    }
+
+    @RequestMapping(path = "/", method = RequestMethod.GET)
+    public void redirectToUserInfo(HttpServletResponse response) throws IOException {
+        response.sendRedirect("/somewhere");
+    }
+
+    @RequestMapping(path = "/vulnerable", method = RequestMethod.GET, produces = MediaType.APPLICATION_JSON_VALUE)
+    public GenericUser vulnerable(@CookieValue(name = "token", required = false) String token)
+            throws JsonParseException, JsonMappingException, IOException {
+        byte[] decoded = Base64.getDecoder().decode(token);
+        String decodedString = new String(decoded);
+        // ruleid: jackson-unsafe-deserialization
+        Car obj = objectMapper.readValue(
+                decodedString,
+                Car.class);
+        return obj;
+    }
 }

java/lang/security/jackson-unsafe-deserialization.yaml

@@ -22,6 +22,26 @@ rules:
                   metavariable: $TYPE
                   regex: (Object|Serializable|Comparable)
               - pattern: $OM.readValue($JSON, $CLASS.class);
+          - patterns:
+              - pattern-inside: |
+                  class $CLASS {
+                    ...
+                    ObjectMapper $OM;
+                    ...
+                    $INITMETHODTYPE $INITMETHOD(...) {
+                      ...
+                      $OM = new ObjectMapper();
+                      ...
+                      $OM.enableDefaultTyping();
+                      ...
+                    }
+                    ...
+                  }
+              - pattern-inside: |
+                  $METHODTYPE $METHOD(...) {
+                    ...  
+                  }
+              - pattern: $OM.readValue($JSON, ...);
     message: >-
       When using Jackson to marshall/unmarshall JSON to Java objects,
       enabling default typing is dangerous and can lead to RCE. If an attacker