io.codemodder.codemods.harden-java-deserialization.yaml Maven / Gradle / Ivy

Go to download

Show more of this group Show more artifacts with this name
Show all versions of core-codemods Show documentation

Codemods for fixing common errors across many Java projects

There is a newer version: 0.97.3

rules:
  - id: harden-java-deserialization
    patterns:
      - pattern-either:
          - pattern: var $OIS = new ObjectInputStream(...);
          - pattern: ObjectInputStream $OIS = new ObjectInputStream(...);
      - pattern-not-inside: |
          $RETURNTYPE $METHOD(...) {
            ...
            $OIS.setObjectInputFilter(...);
            ...
          }
      - pattern-not-inside: >
          $RETURNTYPE $METHOD(...) {
            ...
            ObjectInputFilters.enableObjectFilterIfUnprotected($OIS);
            ...
          }
      - focus-metavariable: $OIS
    message: Semgrep found a match
    languages:
      - java
    severity: WARNING