private void analyzeField(Field field, JavaClass javaClass) { for (AnnotationEntry annotation : field.getAnnotationEntries()) { if (ANNOTATION_TYPES.contains(annotation.getAnnotationType()) || annotation.getAnnotationType().contains("JsonTypeInfo")) { for (ElementValuePair elementValuePair : annotation.getElementValuePairs()) { if ("use".equals((elementValuePair.getNameString())) && VULNERABLE_USE_NAMES.contains(elementValuePair.getValue().stringifyValue())) { bugReporter.reportBug(new BugInstance(this, DESERIALIZATION_TYPE, HIGH_PRIORITY) .addClass(javaClass) .addString(javaClass.getClassName() + " on field " + field.getName() + " of type " + field.getType() + " annotated with " + annotation.toShortString()) .addField(FieldAnnotation.fromBCELField(javaClass, field)) .addString("") ); } } } } }
@Override public void visitField(Field obj) { if (state == State.COLLECT) { Type t = obj.getType(); addType(t); } }
@Override public void visitField(Field obj) { if (state == State.COLLECT) { Type t = obj.getType(); addType(t); } }
private Type getFieldType(Field f) { Signature signature = this.getSignature(f); if(signature != null) { String typeSignature = signature.getSignature(); if(typeSignature.equals("")){ return f.getType(); } try { return GenericUtilities.getType(typeSignature); } catch (ClassCastException classCast) { return f.getType(); } } return f.getType(); }
private void analyzeField(Field field, JavaClass javaClass) { for (AnnotationEntry annotation : field.getAnnotationEntries()) { if (ANNOTATION_TYPES.contains(annotation.getAnnotationType()) || annotation.getAnnotationType().contains("JsonTypeInfo")) { for (ElementValuePair elementValuePair : annotation.getElementValuePairs()) { if ("use".equals((elementValuePair.getNameString())) && VULNERABLE_USE_NAMES.contains(elementValuePair.getValue().stringifyValue())) { bugReporter.reportBug(new BugInstance(this, DESERIALIZATION_TYPE, HIGH_PRIORITY) .addClass(javaClass) .addString(javaClass.getClassName() + " on field " + field.getName() + " of type " + field.getType() + " annotated with " + annotation.toShortString()) .addField(FieldAnnotation.fromBCELField(javaClass, field)) .addString("") ); } } } } }
variableDecl.setName(field.getName()); variableDecl.setModifiers(field.getModifiers()); variableDecl.setType(field.getType());