
Missing detection of JdbcRowSetImpl in Jackson config #1

Open
amlweems opened this issue Sep 6, 2018 · 0 comments

amlweems commented Sep 6, 2018

It looks like gadgetinspector fails to find com/sun/rowset/JdbcRowSetImpl.setAutoCommit (which is described in the marshalsec paper) due to the fact that the getDataSourceName is not explicitly defined in JdbcRowSetImpl, but is inherited from javax/sql/rowset/BaseRowSet (which is hinted at in the inheritance map).

One other issue is that setAutoCommit accepts a boolean (instead of an L value) and should taint the first argument rather than the return value. This will fail the following check in JacksonSourceDiscovery.java:

if (method.getName().startsWith("set") && method.getDesc().matches("\\(L[^;]*;\\)V")) {
    addDiscoveredSource(new Source(method, 0));
}

I think the issue can be resolved by tainting and tracking inherited methods when creating the callgraph AND by updating JacksonSourceDiscovery.java to include the following check:

if (method.getName().startsWith("set") && Type.getArgumentTypes(method.getDesc()).length == 1) {
    addDiscoveredSource(new Source(method, 1));
}

Apologies if I'm misunderstanding something. I'm super excited about this tool and I'm interested to learn more about the inner workings.
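Added example, not part of the original comment and not gadgetinspector code: a stand-alone Java class that runs the quoted descriptor regex and a single-argument check over a few setter descriptors, then reports which class declares `getDataSourceName`. It assumes a JDK that ships the `java.sql.rowset` module; `SetterSourceCheck`, its helper methods and the sample descriptor list are constructed for illustration, and `MethodType.parameterCount()` stands in for ASM's `Type.getArgumentTypes(desc).length`.

```java
import java.lang.invoke.MethodType;
import java.lang.reflect.Method;
import java.util.regex.Pattern;

// Hypothetical helper class (added example), not gadgetinspector code.
public class SetterSourceCheck {
    // Descriptor regex quoted in the issue from JacksonSourceDiscovery.java.
    static final Pattern OBJECT_SETTER = Pattern.compile("\\(L[^;]*;\\)V");

    // The check as quoted: a setter taking exactly one object reference.
    static boolean matchesCurrentCheck(String name, String desc) {
        return name.startsWith("set") && OBJECT_SETTER.matcher(desc).matches();
    }

    // The check proposed in the issue: any setter with exactly one argument.
    // Uses the JDK descriptor parser so no ASM dependency is needed.
    static boolean matchesProposedCheck(String name, String desc) {
        MethodType mt = MethodType.fromMethodDescriptorString(desc, null);
        return name.startsWith("set") && mt.parameterCount() == 1;
    }

    // Name of the class (not interface) that declares a public method
    // visible on cls, or null if no such method exists.
    static String declaringClass(Class<?> cls, String method) {
        for (Method m : cls.getMethods()) {
            if (m.getName().equals(method) && !m.getDeclaringClass().isInterface()) {
                return m.getDeclaringClass().getName();
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        String[][] setters = {                        // constructed sample input
            {"setAutoCommit", "(Z)V"},                // boolean argument
            {"setDataSourceName", "(Ljava/lang/String;)V"},
            {"setObject", "(ILjava/lang/Object;)V"},  // two arguments
        };
        for (String[] s : setters) {
            System.out.printf("%-18s %-26s current=%b proposed=%b%n", s[0], s[1],
                matchesCurrentCheck(s[0], s[1]), matchesProposedCheck(s[0], s[1]));
        }
        // Load without initialising; only the declared-method metadata is read.
        Class<?> impl = Class.forName("com.sun.rowset.JdbcRowSetImpl", false,
            ClassLoader.getSystemClassLoader());
        System.out.println("getDataSourceName declared in: "
            + declaringClass(impl, "getDataSourceName"));
    }
}
```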
