Last active
June 17, 2019 21:51
-
-
Save conikeec/74e7ce530f16b1bbb13e44f4f5ea2c5e to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // copy and paste this function in the ocular console | |
| def deserializationSemanticTemplate(untrustedParam :String, sink:String) { | |
| // #1 : Confirmed that we are using a vulnerable jackson-databind version (2.8.7) from prior json feed | |
| // #2 : Verify if ObjectMapper (serializer, deserializer) is initialized in local/global scope | |
| cpg.member.isStatic.l.foreach { s => printf("%s:%s\n", s.typeFullName, s.name) } | |
| // #3 : Verify if polymorphic type handling is enabled (local or global scope) | |
| val enableDefaultTyping = "com.fasterxml.jackson.databind.ObjectMapper.enableDefaultTyping:com.fasterxml.jackson.databind.ObjectMapper()" | |
| if(cpg.method.fullNameExact(enableDefaultTyping).caller.l.size > 0 ) | |
| { | |
| val callerName = cpg.method.fullNameExact(enableDefaultTyping).caller.fullName.l | |
| println(s"Call to $enableDefaultTyping found at $callerName") | |
| } | |
| // #4 Accepts JSON content sent by untrusted source (sending maliciously crafted JSON input to the readValue method of the ObjectMapper) | |
| val from = cpg.method.parameter.evalType(untrustedParam) | |
| val to = cpg.method.name(sink).parameter | |
| val flows = to.reachableBy(from).flows.p | |
| println(flows) | |
| } | |
| // evaulate this function to print results | |
| deserializationSemanticTemplate(".*Request","readValue") | |
| // This is a simplified representation of a semantic template. More complex conditional templates can be created to verify of conditions that quantify risk associated with a vulnerability |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment