com.liferay.source.formatter.checks.JavaDeserializationSecurityCheck Maven / Gradle / Ivy
/**
* Copyright (c) 2000-present Liferay, Inc. All rights reserved.
*
* This library is free software; you can redistribute it and/or modify it under
* the terms of the GNU Lesser General Public License as published by the Free
* Software Foundation; either version 2.1 of the License, or (at your option)
* any later version.
*
* This library is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
* details.
*/
package com.liferay.source.formatter.checks;
import com.liferay.portal.kernel.util.StringBundler;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
/**
* @author Hugo Huijser
*/
public class JavaDeserializationSecurityCheck extends BaseFileCheck {
@Override
protected String doProcess(
String fileName, String absolutePath, String content) {
if (fileName.contains("/test/") ||
fileName.contains("/testIntegration/")) {
return content;
}
_checkDeserializationSecurity(fileName, content, absolutePath);
return content;
}
private void _checkDeserializationSecurity(
String fileName, String content, String absolutePath) {
for (Pattern vulnerabilityPattern :
_javaSerializationVulnerabilityPatterns) {
Matcher matcher = vulnerabilityPattern.matcher(content);
if (!matcher.matches()) {
continue;
}
StringBundler sb = new StringBundler(3);
if (isExcludedPath(RUN_OUTSIDE_PORTAL_EXCLUDES, absolutePath)) {
sb.append("Possible Java Serialization Remote Code Execution ");
sb.append("vulnerability using ");
}
else {
sb.append("Use ProtectedObjectInputStream instead of ");
}
sb.append(matcher.group(1));
addMessage(fileName, sb.toString());
}
}
private final Pattern[] _javaSerializationVulnerabilityPatterns = {
Pattern.compile(
".*(new [a-z\\.\\s]*ObjectInputStream).*", Pattern.DOTALL),
Pattern.compile(
".*(extends [a-z\\.\\s]*ObjectInputStream).*", Pattern.DOTALL)
};
}
© 2015 - 2024 Weber Informatics LLC | Privacy Policy