Java: Unsafe deserialization with Jackson

[artem-smotrakov]

Deserialization of untrusted data with Jackson is known to be dangerous:

https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true

I'd like to propose to add sinks for Jackson to UnsafeDeserialization.ql:

• Added sinks for ObjectMapper.
• Checked if polymorphic typing is enabled by ObjectMapper.enableDefaultTyping() call.
• Checked if polymorphic typing is enabled by JsonTypeInfo annotation.
• Checked if an attacker can control both data and type of deserialized object.

See https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062

There are multiples CVEs for deserialization gadgets for Jackson Databind

https://www.cvedetails.com/vulnerability-list/vendor_id-15866/product_id-42991/Fasterxml-Jackson-databind.html

Those CVEs create quite a lot of noise because many applications don't use polymorphic typing. The query would help check if applications are really affected by such CVEs. On the other hand, if an application actually turns on polymorphic typing, and deserializes data from remote peers, that would be a significant security risk that can be identified by this query.

The changeset is quite big and the query is in the supported query set. Would it be better to create a separate experimental query instead?

I'm going to add tests and update docs once we know whether this should be part of the supported query or a separate one. Until the questions above gets an answer, I'd like to keep this pull request in draft mode but earlier feedback is of course very welcome.

Results:

• The query detects CVE-2016-8749 in Apache Camel 2.16.4.

[smowton]

Looks sensible to me. I've suggested removing the getAnAccess() trickery because there should be use-use flow from earlier to later uses of the same qualifier variable anyhow. Do you know of a particular case where this was necessary?

@aschackmull this will need your review as not targeting experimental

[artem-smotrakov]

@aschackmull this will need your review as not targeting experimental

@smowton @aschackmull As I mentioned in the description, I am not sure whether this should go to UnsafeDeserialization.ql or to a separate experimental query. Please let me know what would be the best option.

[smowton]

I favour inclusion in the existing query but the final call is @aschackmull

[smowton]

Also what of the getAnAccess() stuff, do you know of a case that makes this necessary for some reason? Or does the query work just as well without thanks to ordinary dataflow?

Either way you should add a change-note.

[artem-smotrakov]

Also what of the getAnAccess() stuff, do you know of a case that makes this necessary for some reason? Or does the query work just as well without thanks to ordinary dataflow?

I added the getAnAccess() stuff because the dataflow configs didn't work in some cases. I noticed that other configs in UnsafeDeserialization.qll cast qualifiers to VarAccess. That helped but I didn't really understand why. That would be interesting to look into it now but I can't reproduce that issue anymore. I've removed the getAnAccess() stuff. I wonder why SafeXStream and SafeKryo use getAnAccess(). Maybe it is not necessary anymore either.

Either way you should add a change-note.

I've added a change note. I've never done it before, so I used https://github.com/github/codeql/blob/main/java/change-notes/2020-10-07-fastjson-deserialization-sink.md as an example.

[smowton]

There are quite a few additional taint steps being introduced, which aren't easy for me to see the purpose of without an example. Could you write down a short example for each that uses one of the particular new steps?

In some cases these examples might be useful in the relevant qldoc too; in others they might just be to help me review.

[smowton]

Suggested change

[smowton]

Every class here: either make private or add qldoc

[smowton]

Suggested change

	class JacksonType extends RefType {
	class JacksonTypeDescriptorType extends RefType {

Existing name suggests any type in the com.fasterxml.jackson namespace

[smowton]

Suggested change

	class EnabledJacksonDefaultTyping extends DataFlow2::Configuration {
	class EnableJacksonDefaultTypingConfig extends DataFlow2::Configuration {

Less similar to existing class EnableJacksonDefaultTyping

[smowton]

Suggested change

	exists(MethodAccess ma, Method m, Expr q | m = ma.getMethod() and q = ma.getQualifier() |
	exists(MethodAccess ma, Method m | m = ma.getMethod() |

Inline the one use of ma.getQualifier()

[smowton]

Could you give an end-to-end example that these steps are designed to address?

[artem-smotrakov]

ObjectMapper may be created by JsonMapper.Builder that extends MapperBuilder and uses fluent API. In other words, its methods return this:

https://fasterxml.github.io/jackson-databind/javadoc/2.11/com/fasterxml/jackson/databind/cfg/MapperBuilder.html

JsonMapper$Builder has quite a lot of methods. Therefore, I thought that it maybe better to cover all methods that return the builder instead of listing all the available methods. Furthermore, the list should be updated once new methods are added.

Here is an example:

    private static <T> T deserialize(/* tainted */ String string, Class<T> clazz) throws IOException {
        PolymorphicTypeValidator ptv =
                BasicPolymorphicTypeValidator.builder()
                        .allowIfSubType("com.test.safe")
                        .build();

         // use a builder to create an ObjectMapper
        ObjectMapper mapper = JsonMapper.builder()
                .polymorphicTypeValidator(ptv) // sanitizer
                .build();

        mapper.enableDefaultTyping();

        return mapper.readValue(string, clazz); // deserialization happens here
    }

Builders need to be covered in the query because they have polymorphicTypeValidator() that is a sanitizer.

[smowton]

Could you give an end-to-end example that these steps are designed to address?

[artem-smotrakov]

ObjectMapper.readValue() and other similar methods take a serialized object and a target object type. It is dangerous when an attacker can control both the data and the type. That's what happened in CVE-2016-8749.

The type maybe either Class, JavaType or TypeReference. This predicate checks if a method seems to take a class name as a string and convert it to one of these classes. Here is an example:

private static Object deserialize(/* tainted */ String string, /* tainted */ String className) throws IOException {
    ObjectMapper mapper = new ObjectMapper();
    mapper.enableDefaultTyping();
    return mapper.readValue(string, resolveType(className));
}

private static Class resolveType(String className) {
    return Class.forName(className);
}

Here, resolveType() is simple -- it just calls Class.forName(). But its logic might be more complex that could potentially result it false-negatives. The predicate looks for methods like resolveType() assuming that they create a type descriptor that is known to Jackson. Of course, that may result in false-positives. I thought that should be acceptable trade-off because deserialization vulnerabilities are quite dangerous.

[smowton]

Could you give an end-to-end example that these steps are designed to address?

[artem-smotrakov]

ObjectMapper has multiple readValue() and readValues() methods that take a JsonParser. In turn, JsonParser takes JSON that may come from untrusted sources.

This predicate defines steps that create a JsonParser. Here is an example:

    private static <T> List<T> deserialize(/* tainted */ String string, Class<T> clazz)
            throws IOException {

        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping();
        JsonParser parser = new JsonFactory().createParser(string);
        return mapper.readValues(parser, clazz).readAll();
    }

[smowton]

Could the createParser be a sink, or could we still encounter sanitisers on the road to readValues?

[artem-smotrakov]

Could the createParser be a sink,

I don't think so. JsonParser parses JSON and returns primitive values, strings, JSON tokens, etc. It can return a type id or descriptor but as far as I know the parser doesn't create instances of these types.

or could we still encounter sanitisers on the road to readValues?

I am aware of only two reliable sanitizers that are covered in the query. I was considering adding ObjectMapper.activateDefaultTyping() because it takes PolymorphicTypeValidator. But it turned out that in this case the validator is not always called. I reported this to the project, but they said that's expected. Please see FasterXML/jackson-databind#2524 . Therefore, I didn't add this method as a sanitizer.

[smowton]

Could you give an end-to-end example that these steps are designed to address?

[artem-smotrakov]

ObjectMapper has treeToValue() method is sink that takes a TreeNode. Raw JSON data may be converted to a TreeNode and then supplied to treeToValue(). A TreeNode can be created by ObjectMapper.readTree() or ObjectMapper.readValueAsTree() methods. Here is an example:

    private static <T> T deserialize(/* tainted */ String string, Class<T> clazz) throws IOException {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping();
        TreeNode tree = mapper.readTree(string);
        return mapper.treeToValue(tree, clazz);
    }

[artem-smotrakov]

There are quite a few additional taint steps being introduced, which aren't easy for me to see the purpose of without an example. Could you write down a short example for each that uses one of the particular new steps?

In some cases these examples might be useful in the relevant qldoc too; in others they might just be to help me review.

@smowton Sure, I've added examples and some comments. Please let me know if you have questions. You can find complete examples in https://github.com/artem-smotrakov/ql-fun/tree/master/src/main/java/com/gypsyengineer/ql/fun/jackson

I noticed that UnsafeDeserialization.qhelp has only one example for ObjectInputStream but the query covers a lot of libraries. I was not sure those examples should be added to the qhelp file. I can add them though.

Thanks for the review. I've addressed other comments as well.

[artem-smotrakov]

There were several conflicts in the stub lib. I rebased the branch and had to force-push.

[smowton]

OK, this makes sense. The String -> Class heuristic is rather dubious; could you give an example of a Class.forName replacement that we found too difficult to model, and which led you to this overapproximation?

[smowton]

Suggested change

	private class EnableJacksonDefaultTypingConfig extends DataFlow2::Configuration {
	/**
	* Tracks flow from qualifiers to `enableDefaultTyping(...)` calls to a subsequent `readValue` or similar call.
	*
	* Such a `readValue` call could deserialize an arbitrary user-specified class.
	*/
	private class EnableJacksonDefaultTypingConfig extends DataFlow2::Configuration {

[smowton]

Suggested change

	private class SafeObjectMapperConfig extends DataFlow2::Configuration {
	/**
	* Tracks flow from qualifiers to `[set]PolymorphicTypeValidator(...)` calls to a subsequent `readValue` or similar call, including across builder method calls.
	*
	* Such a `readValue` call is safe because validation will likely prevent instantiating unexpected types.
	*/
	private class SafeObjectMapperConfig extends DataFlow2::Configuration {

[smowton]

Suggested change

	private class UnsafeTypeConfig extends TaintTracking2::Configuration {
	/**
	* Tracks flow from a remote source to a type descriptor (e.g. a `java.lang.Class` instance) passed to a Jackson deserialization method.
	*
	* If this is user-controlled, arbitrary code could be executed while instantiating the user-specified type.
	*/
	private class UnsafeTypeConfig extends TaintTracking2::Configuration {

[smowton]

Suggested change

	* Holds if `fromNode` to `toNode` is a dataflow step that looks like resolving a class.
	* Holds if `fromNode` to `toNode` is a dataflow step that looks like resolving a class.
	*
	* Note any method that returns a `Class` or similar is assumed to propagate taint from all
	* of its arguments, so methods that accept user-controlled data but sanitize it or use it for some
	* completely different purpose before returning a `Class` could result in false positives.
	*/

[smowton]

Could the createParser be a sink, or could we still encounter sanitisers on the road to readValues?

[smowton]

Suggested change

	* Holds if `fromNode` to `toNode` is a dataflow step that creates a Jackson parser.
	* Holds if `fromNode` to `toNode` is a dataflow step that creates a Jackson parser.
	*
	* For example, a `createParser(userString)` call yields a `JsonParser` which becomes dangerous
	* if passed to an unsafely-configured `ObjectMapper`'s `readValue` method.

[smowton]

Suggested change

	* Holds if `fromNode` to `toNode` is a dataflow step that creates a Jackson `TreeNode`.
	* Holds if `fromNode` to `toNode` is a dataflow step that creates a Jackson `TreeNode`.
	*
	* These are parse trees of user-supplied JSON, which may lead to arbitrary code execution
	* if passed to an unsafely-configured `ObjectMapper`'s `treeToValue` method.

[smowton]

Add a comment here giving an example of a sink method

[artem-smotrakov]

OK, this makes sense. The String -> Class heuristic is rather dubious; could you give an example of a Class.forName replacement that we found too difficult to model, and which led you to this overapproximation?

For example, you can look at how Apache Camel resolves classes

https://github.com/apache/camel/blob/881e5099f94316d4a66ffbff0a3e6915829d49d7/components/camel-jacksonxml/src/main/java/org/apache/camel/component/jacksonxml/JacksonXMLDataFormat.java#L170

Camel has an interface ClassResolver and one of the implementations is DefaultClassResolver. Its resolveClass() method in the end calls ObjectHelper.loadClass() with a selected classloader and then casts Class<?> to Class<T> using CastUtils.

https://github.com/apache/camel/blob/80b92e3624ae5db59a1a24a441f1b10b39eaa1a5/core/camel-base-engine/src/main/java/org/apache/camel/impl/engine/DefaultClassResolver.java#L54

For some well-known or primitive classes, ObjectHelper.loadClass() just uses an if-else block to map a type to a Class:

https://github.com/apache/camel/blob/80b92e3624ae5db59a1a24a441f1b10b39eaa1a5/core/camel-util/src/main/java/org/apache/camel/util/ObjectHelper.java#L423

Otherwise, doLoadClass() finally calls ClassLoader.loadClass().

Technically, we can add a dataflow config that checks whether tainted data reaches one of the methods from the standard Java library which resolve a class. Unfortunately, such a config won't detect flows when an application uses a library or just a separate utility component that resolves classes (for example, imagine that ObjectHelper were in a separate repository). Then, we'll also need to add similar dataflow configs for JavaType and TypeReference.

I agree that the current String -> Class heuristic is overapproximation. The advantages are that it simplifies the query, probably makes it a bit faster (I hope), and reduces the risk of false positives when the logic for resolving classes is complex. The cost is higher risk of false positives.

[smowton]

How about as a compromise, the rule: it's probably a class-loading function if it (a) is external (otherwise we implicitly look inside it for libraries it in turn calls), (b) takes a String, (c) returns a Class, and (d) has a likely name: something containing resolve or load or forName or...

[artem-smotrakov]

How about as a compromise, the rule: it's probably a class-loading function if it

@smowton Sounds good to me. One question though.

(a) is external (otherwise we implicitly look inside it for libraries it in turn calls),

How would you prefer to check it? Should we call external everything that don't belong to java and javax packages?

[smowton]

Checking for not exists(Callable.getBody()) is a good start. We could be more thorough re: interface types, but assuming generally an interface might be implemented by something external is ok.

[smowton]

Actually just remembered Element.fromSource which is exactly what we want here

[artem-smotrakov]

Thanks for the suggestions @smowton ! I've updated UnsafeTypeConfig.isAdditionalTaintStep() and added a test case.

[smowton]

Suggested change

	m.fromSource() and
	not m.fromSource() and

Methods that are from source should themselves call Class.forName or something else matching this heuristic

[artem-smotrakov]

I think I didn't understand what you mean by "external". I'd like this predicate to cover cases explained by the example above

#5900 (comment)

Something like the following:

    private static void deserialize(/* tainted */ String data, /* tainted */ String type) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        mapper.readValue(data, resolveTypeImpl(type));
    }

    // this method has complex logic for resolving types
    private static JavaType resolveTypeImpl(String type) throws Exception {
        ...
    }

I'd like the predicate to catch resolveTypeImpl() if it is in application's code, not only in an external library. Now, I'd rather drop m.fromSource() check. I've also updated the query to explicitly cover Class.forName() and ClassLoader.load() calls.

[smowton]

Over to @aschackmull as this is targeting the main query pack

[artem-smotrakov]

I resolved the merge conflicts, and also removed fromSource() check from looksLikeResolveClassStep(), please see #5900 (comment)

[artem-smotrakov]

@aschackmull I've updated the qldoc and tried to make imports as private as possible. Unfortunately, the docs don't say much about private import

https://codeql.github.com/docs/ql-language-reference/annotations/#private

I am wondering what kind of benefits private imports have besides limiting scope. Does it speed the query up, or maybe reduce memory consumption?

[aschackmull]

I am wondering what kind of benefits private imports have besides limiting scope. Does it speed the query up, or maybe reduce memory consumption?

It's primarily just to limit scope and help maintainability. I guess it might affect compilation speed slightly, but that's just speculation on my part.

[aschackmull]

Should this line be deleted? The predicate hasFieldWithJsonTypeAnnotation already includes the .getAField() bit, so this line means that you allow jumping from a type to one of its fields exactly once or twice, which seems odd and inconsistent with the qldoc.

[aschackmull]

Hmm, it looks like the tests actually use this case? But then the restriction to only one or two .getAField() still seem arbitrary. Should it instead be the following?

Suggested change

	hasFieldWithJsonTypeAnnotation(type.getAField().getType())
	hasJsonTypeInfoAnnotation(type.getAField().getType())

[artem-smotrakov]

Yes, you're right. I've updated the query.

[aschackmull]

This doesn't quite do what you want, since regexpMatch matches the entire receiver.

[artem-smotrakov]

Yup, I'll update the regex. Thanks!

[aschackmull]

I've looked through everything now, still a few inline comments, otherwise I think this is looking good.

[artem-smotrakov]

I've looked through everything now, still a few inline comments, otherwise I think this is looking good.

@aschackmull I've addressed your comments. Thanks!