From 006d77ffdd49dc424d029d81f41de0f3ac4107f5 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan <owen-mc@github.com>
Date: Fri, 11 Jul 2025 06:13:01 +0100
Subject: [PATCH] Refactor QL to make type check more concise

---
 .../semmle/code/java/security/UnsafeDeserializationQuery.qll | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll b/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll
index e10c6cebaf6..541942c6036 100644
--- a/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll
@@ -149,10 +149,7 @@ predicate unsafeDeserialization(MethodCall ma, Expr sink) {
   exists(Method m | m = ma.getMethod() |
     m instanceof ObjectInputStreamReadObjectMethod and
     sink = ma.getQualifier() and
-    not exists(DataFlow::ExprNode node |
-      node.getExpr() = sink and
-      node.getTypeBound() instanceof SafeObjectInputStreamType
-    )
+    not DataFlow::exprNode(sink).getTypeBound() instanceof SafeObjectInputStreamType
     or
     m instanceof XmlDecoderReadObjectMethod and
     sink = ma.getQualifier()