从Java反序列化漏洞题看CodeQL数据流

找到可以序列化的类

挖掘反序列化漏洞，首先得找到入口。可以反序列化的类首先肯定是实现了接口 Serializable，其次会有一个字段 serialVersionUID，所以我们可以从找字段或者找实现接口 Serializable 入手进行代码分析。

1. TypeSerializable 类，在JDK中声明

2. instanceof 断言

3. fromSource 谓词判断来着项目代码排除JDK自带

4. getASupertype 递归，父类类型

<pre class="prettyprint hljs gradle" style="padding: 0.5em; font-family: Menlo, Monaco, Consolas, &quot;Courier New&quot;, monospace; color: rgb(68, 68, 68); border-radius: 4px; display: block; margin: 0px 0px 1.5em; font-size: 14px; line-height: 1.5em; word-break: break-all; overflow-wrap: break-word; white-space: pre; background-color: rgb(246, 246, 246); border: none; overflow-x: auto; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-style: initial; text-decoration-color: initial;">import java /*找到可以序列化类，实现了Serializable接口 */ from Class cl where     cl.getASupertype() instanceof  TypeSerializable     /* 递归判断类是不是实现Serializable接口*/     and     cl.fromSource()     /* 限制来源 */ select cl 
/* 查询语句 */
</pre>

点击查询出来的结果可以看到对应的查询结果源码

找User类实例化代码

使用 RefType.hasQualifiedName(string packageName, string className) 来识别具有给定包名和类名的类，这里使用一个类继承 RefType ，使代码可读性更高点。例如下面两端QL代码是等效的：

<pre class="prettyprint hljs nginx" style="padding: 0.5em; font-family: Menlo, Monaco, Consolas, &quot;Courier New&quot;, monospace; color: rgb(68, 68, 68); border-radius: 4px; display: block; margin: 0px 0px 1.5em; font-size: 14px; line-height: 1.5em; word-break: break-all; overflow-wrap: break-word; white-space: pre; background-color: rgb(246, 246, 246); border: none; overflow-x: auto; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-style: initial; text-decoration-color: initial;">import javafrom RefType rwhere r.hasQualifiedName("com.summersec.shiroctf.bean", "User")select r</pre>

<pre class="prettyprint hljs scala" style="padding: 0.5em; font-family: Menlo, Monaco, Consolas, &quot;Courier New&quot;, monospace; color: rgb(68, 68, 68); border-radius: 4px; display: block; margin: 0px 0px 1.5em; font-size: 14px; line-height: 1.5em; word-break: break-all; overflow-wrap: break-word; white-space: pre; background-color: rgb(246, 246, 246); border: none; overflow-x: auto; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-style: initial; text-decoration-color: initial;">import java /* 找到实例化User的类 */ class MyUser extends RefType{     MyUser(){         this.hasQualifiedName("com.summersec.shiroctf.bean", "User")     } } from ClassInstanceExpr clie where     clie.getType() instanceof MyUser 
select clie
</pre>

可以发现在 IndexController 类59行处实例化 User 类。

IndexController ：

<pre class="prettyprint hlj