java.jax-rs.security.insecure-resteasy.insecure-resteasy-deserialization

Download count: 5,552
When a RESTful web service endpoint is configured to use the wildcard media type {*/*} as the value of its @Consumes annotation, an attacker could abuse the SerializableProvider by sending an HTTP request with a Content-Type of application/x-java-serialized-object. The body of that request would be processed by the SerializationProvider and could contain a malicious payload, which may lead to arbitrary code execution when the $Y.getObject method is called.
Definition
rules:
  - id: insecure-resteasy-deserialization
    message: When a Restful webservice endpoint is configured to use
      wildcard mediaType {*/*} as a value for the @Consumes annotation, an
      attacker could abuse the SerializableProvider by sending a HTTP Request
      with a Content-Type of application/x-java-serialized-object. The body of
      that request would be processed by the SerializationProvider and
      could contain a malicious payload, which may lead to arbitrary code
      execution when calling the $Y.getObject method.
    severity: WARNING
    metadata:
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      category: security
      cwe:
        - "CWE-502: Deserialization of Untrusted Data"
      cwe2021-top25: true
      cwe2022-top25: true
      owasp:
        - A08:2017 - Insecure Deserialization
        - A08:2021 - Software and Data Integrity Failures
      references:
        - https://access.redhat.com/blogs/766093/posts/3162112
      subcategory:
        - audit
      technology:
        - jax-rs
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - java
    pattern-either:
      - pattern: |
          @Consumes({"application/x-java-serialized-object"})
      - pattern: |
          @Consumes({"*/*"})
      - pattern: |
          @Consumes("*/*")
      - pattern: |
          @Consumes({MediaType.WILDCARD_TYPE})
Examples
insecure-resteasy.java
package unsafe.jaxrs;

import java.util.*;
import javax.ws.rs.*;
import javax.ws.rs.core.*;

// Semgrep test resource for the rule. Pair and kubernetesService are referenced
// but not defined in the test file; they stand for an application bean and an
// injected service.
@Path("/")
public class PoC_resource {

    // Wildcard @Consumes: any request Content-Type, including
    // application/x-java-serialized-object, is accepted for the body.
    @POST
    @Path("/concat")
    @Produces(MediaType.APPLICATION_JSON)
    // ruleid: insecure-resteasy-deserialization
    @Consumes({ "*/*" })
    public Map<String, String> doConcat(Pair pair) {
        HashMap<String, String> result = new HashMap<String, String>();
        result.put("Result", pair.getP1() + pair.getP2());
        return result;
    }

    // No @Consumes at all, so the provider is chosen from the request alone.
    // Renamed from doConcat so the class does not declare the same method twice.
    // ruleid:default-resteasy-provider-abuse
    @POST
    @Path("/vulnerable")
    @Produces(MediaType.APPLICATION_JSON)
    public Map<String, String> doConcatDefault(Pair pair) {
        HashMap<String, String> result = new HashMap<String, String>();
        result.put("Result", pair.getP1() + pair.getP2());
        return result;
    }

    // Explicit media type: only JSON bodies are read for this endpoint.
    @POST
    @Path("/count")
    @Produces(MediaType.APPLICATION_JSON)
    // ok: insecure-resteasy-deserialization
    @Consumes(MediaType.APPLICATION_JSON)
    public Map<String, Integer> doCount(ArrayList<Object> elements) {
        HashMap<String, Integer> result = new HashMap<String, Integer>();
        result.put("Result", elements.size());
        return result;
    }

    // GET has no request body, so no MessageBodyReader is involved.
    // ok: default-resteasy-provider-abuse
    @GET
    @Path("/tenantmode")
    @Produces(MediaType.TEXT_PLAIN)
    public String getTenantMode() {
        return kubernetesService.getMessage();
    }
}

// Class-level @Consumes applies to every method, so a method without its own
// @Consumes is still restricted to JSON. Renamed from PoC_resource so the two
// classes in this file do not share a name.
@Path("/")
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
class PoC_resource_class_level {

    // ok: default-resteasy-provider-abuse
    @POST
    @Path("/concat")
    public Map<String, String> doConcat(Pair pair) {
        HashMap<String, String> result = new HashMap<String, String>();
        result.put("Result", pair.getP1() + pair.getP2());
        return result;
    }
}
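The ok cases above fix the finding by declaring an explicit media type on each endpoint. As an added defense-in-depth example that is not part of the rule or its test file, the following JAX-RS request filter rejects bodies sent as application/x-java-serialized-object before any MessageBodyReader (such as RESTEasy's SerializableProvider) is selected; it assumes a JAX-RS 2.x runtime using the javax.ws.rs namespace, as the test file does, and the class name is constructed.

```java
// Added example, not from the Semgrep rule or RESTEasy. Assumes JAX-RS 2.x
// (javax.ws.rs namespace). Registering this @Provider means a request carrying a
// Java-serialized body is answered with 415 whether or not a resource method
// still declares a wildcard @Consumes.
package safe.jaxrs;

import java.io.IOException;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

@Provider
@PreMatching // run before resource matching, so it also covers */* endpoints
public class RejectJavaSerializationFilter implements ContainerRequestFilter {

    // Constructed constant: the media type that selects the SerializableProvider.
    static final String TYPE = "application";
    static final String SUBTYPE = "x-java-serialized-object";

    // Exact type/subtype comparison (parameters such as charset are ignored),
    // case-insensitive as media type names are. Returns true when the request
    // body must be refused.
    static boolean isJavaSerialized(MediaType requestType) {
        if (requestType == null) {
            return false; // no Content-Type header: nothing for a reader to consume
        }
        return TYPE.equalsIgnoreCase(requestType.getType())
                && SUBTYPE.equalsIgnoreCase(requestType.getSubtype());
    }

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        if (isJavaSerialized(ctx.getMediaType())) {
            // Abort here: the entity stream is never handed to a MessageBodyReader.
            ctx.abortWith(Response.status(Response.Status.UNSUPPORTED_MEDIA_TYPE)
                    .type(MediaType.TEXT_PLAIN_TYPE)
                    .entity("Java serialization is not accepted")
                    .build());
        }
    }
}
```

The filter complements, rather than replaces, the explicit @Consumes values the rule looks for: a 415 response is also a convenient event to log, since legitimate clients of a JSON API have no reason to send that media type.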
Short Link: https://sg.run/XLBN