Skip to content

Java: add extra sink for java/unsafe-deserialization #20025

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Jul 11, 2025
Merged

Java: add extra sink for java/unsafe-deserialization #20025

merged 4 commits into from
Jul 11, 2025

Conversation

owen-mc
Copy link
Contributor

@owen-mc owen-mc commented Jul 11, 2025

The qualifiers of a calls to readObject on any classes that implement java.io.ObjectInput are now recognised as sinks for java/unsafe-deserialization. Previously this was only the case for classes which extend java.io.ObjectInputStream.

@Copilot Copilot AI review requested due to automatic review settings July 11, 2025 10:09
@owen-mc owen-mc requested a review from a team as a code owner July 11, 2025 10:09
Copilot
Copilot AI reviewed Jul 11, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR enhances the java/unsafe-deserialization query by expanding the recognition of deserialization sinks to include calls to readObject on any classes implementing java.io.ObjectInput, not just subclasses of java.io.ObjectInputStream. This provides broader coverage for detecting unsafe deserialization patterns.

  • Added support for detecting unsafe deserialization through ObjectInput interface implementations
  • Refactored the code to separate readObject and readUnshared method handling
  • Added comprehensive test coverage for the new functionality

Reviewed Changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated no comments.

Show a summary per file
File Description
java/ql/lib/semmle/code/java/JDK.qll Added TypeObjectInput class for java.io.ObjectInput interface
java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll Refactored to detect readObject calls on ObjectInput implementations and separated readUnshared handling
java/ql/test/query-tests/security/CWE-502/com/example/MyObjectInput.java Test class implementing ObjectInput interface for validation
java/ql/test/query-tests/security/CWE-502/A.java Updated test cases to include new deserialization scenarios
java/ql/test/query-tests/security/CWE-502/UnsafeDeserialization.ext.yml Added source models for test data flow
java/ql/test/query-tests/security/CWE-502/UnsafeDeserialization.expected Updated expected results reflecting new detections
java/ql/lib/change-notes/2025-07-11-unsafe-deserialization-extra-sink.md Documentation of the enhancement

jcogs33
jcogs33 approved these changes Jul 11, 2025
View reviewed changes
Copy link
Contributor

@jcogs33 jcogs33 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks reasonable.

@owen-mc owen-mc merged commit 03e8865 into github:main Jul 11, 2025
17 checks passed
@owen-mc owen-mc deleted the java/unsafe-deserialization branch July 11, 2025 22:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

@jcogs33 jcogs33 jcogs33 approved these changes

Assignees
No one assigned
Labels
documentation Java
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@owen-mc @jcogs33
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy