Java : add fastjson detection. Improve RemoteFlowSource class, support SpringMvc #119
Comments
Some problems occurred on my side, new PRs were added, the problem is the same.
Your submission is now in status SecLab review. For information, the evaluation workflow is the following:
CVE
There is no CVE for this.
Report
This query adds Fastjson deserialization sinks.
It has been added to CWE-502. I found that RemoteFlowSource cannot be supported in the test: (1) SpringMVC directly submits parameters; (2) SpringMVC does routing access through Mapping annotations, and the original verification does not have this logic. I have made some additions here.
Please check:
codeql\java\ql\src\semmle\code\java\frameworks\SpringMVC.qll
codeql\java\ql\src\semmle\code\java\dataflow\FlowSources.qll SpringMVC class
codeql\java\ql\src\semmle\code\java\security\UnsafeDeserialization.qll
codeql\java\ql\src\Security\CWE\CWE-502
Link to the PR: github/codeql#3665
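For readers reviewing the submission, the following is an added illustration of the code pattern such a query has to connect: a Spring MVC handler parameter as the remote source and a Fastjson parse call as the CWE-502 sink, beside a hardened counterpart. It is not code from PR github/codeql#3665 or from this repository; the controller, the `Order` class and the endpoints are hypothetical, and it assumes fastjson 1.2.68 or later for `setSafeMode`.

```java
// Added illustration (not code from PR #3665 or from this repository):
// the Spring MVC source -> Fastjson sink pairing the query is meant to report,
// next to a hardened version. All class and endpoint names are hypothetical.
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.parser.ParserConfig;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class OrderController {

    // SOURCE: a @RequestParam on a handler reached through a *Mapping
    // annotation is attacker-controlled input; this is the Spring MVC
    // RemoteFlowSource case the submission adds.
    // SINK: handing that string to JSON.parseObject without a target type
    // lets the input decide which class Fastjson instantiates (CWE-502).
    @PostMapping("/order/unsafe")
    public Object unsafe(@RequestParam("data") String data) {
        return JSON.parseObject(data);   // untrusted data flows straight into the sink
    }

    // Hardened: disable autoType globally (safeMode, fastjson >= 1.2.68,
    // assumed available) so the input can no longer select classes, and bind
    // to a concrete type. Note that the concrete type alone is not the fix;
    // safeMode is what removes the type-selection behaviour.
    static {
        ParserConfig.getGlobalInstance().setSafeMode(true);
    }

    @PostMapping("/order/safe")
    public Order safe(@RequestBody String body) {
        return JSON.parseObject(body, Order.class);
    }

    // Plain data holder used by the hardened endpoint (hypothetical).
    public static class Order {
        public String id;
        public int quantity;
    }
}
```

When evaluating the query, both handlers are useful test inputs: the first should produce a finding once the Spring MVC source and Fastjson sink models are in place, and the second shows the configuration a fix is expected to introduce.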