artem-smotrakov/UnsafeRmiObject.ql

## UnsafeRmiObject.ql
private class BindingUnsafeRemoteObjectConfig extends TaintTracking::Configuration {
  BindingUnsafeRemoteObjectConfig() { this = "BindingUnsafeRemoteObjectConfig" }

  override predicate isSource(DataFlow::Node source) {
    exists(ConstructorCall cc | cc = source.asExpr() |
      hasVulnerableMethod(cc.getConstructedType().getASupertype*())
    )
  }

  override predicate isSink(DataFlow::Node sink) {
    exists(MethodAccess ma | ma.getArgument(1) = sink.asExpr() |
      ma.getMethod() instanceof BindMethod
    )
  }

  override predicate isAdditionalTaintStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
    exists(MethodAccess ma, Method m | m = ma.getMethod() |
      m.getDeclaringType().hasQualifiedName("java.rmi.server", "UnicastRemoteObject") and
      m.hasName("exportObject") and
      not m.getParameterType([2, 4]).(RefType).hasQualifiedName("java.io", "ObjectInputFilter") and
      ma.getArgument(0) = fromNode.asExpr() and
      ma = toNode.asExpr()
    )
  }
}
	private class BindingUnsafeRemoteObjectConfig extends TaintTracking::Configuration {
	BindingUnsafeRemoteObjectConfig() { this = "BindingUnsafeRemoteObjectConfig" }

	override predicate isSource(DataFlow::Node source) {
	exists(ConstructorCall cc \| cc = source.asExpr() \|
	hasVulnerableMethod(cc.getConstructedType().getASupertype*())
	)
	}

	override predicate isSink(DataFlow::Node sink) {
	exists(MethodAccess ma \| ma.getArgument(1) = sink.asExpr() \|
	ma.getMethod() instanceof BindMethod
	)
	}

	override predicate isAdditionalTaintStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
	exists(MethodAccess ma, Method m \| m = ma.getMethod() \|
	m.getDeclaringType().hasQualifiedName("java.rmi.server", "UnicastRemoteObject") and
	m.hasName("exportObject") and
	not m.getParameterType([2, 4]).(RefType).hasQualifiedName("java.io", "ObjectInputFilter") and
	ma.getArgument(0) = fromNode.asExpr() and
	ma = toNode.asExpr()
	)
	}
	}