Removed fromSource() check in looksLikeResolveClassStep()

This commit is contained in:
Artem Smotrakov
2021-06-23 10:48:50 +02:00
parent c98f1a479e
commit 09ae779b21
63 changed files with 2 additions and 198 deletions

@@ -76,7 +76,6 @@ SnakeYaml documentation on deserialization:
<a href="https://bitbucket.org/asomov/snakeyaml/wiki/Documentation#markdown-header-loading-yaml">SnakeYaml deserialization</a>.
</li>
<li>
<<<<<<< HEAD
Hessian deserialization and related gadget chains:
<a href="https://paper.seebug.org/1137/">Hessian deserialization</a>.
</li>
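Review bot: the commit message names only the fromSource() check in looksLikeResolveClassStep(), but this hunk is in a qhelp references list and has a `<<<<<<< HEAD` merge-conflict marker directly after `<li>`, which the message does not mention. The header (7 lines before, 6 after) leaves room for exactly one removed line, so that line should be the marker itself; a raw `<` run like this is not valid XML character data and would break the help file if it stayed. Suggest either noting the conflict cleanup in the commit message or moving it to its own commit.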
@@ -91,7 +90,8 @@ Remote code execution in JYaml library:
<li>
JsonIO deserialization vulnerabilities:
<a href="https://klezvirus.github.io/Advanced-Web-Hacking/Serialisation/">JsonIO deserialization</a>.
=======
</li>
<li>
Research by Moritz Bechler:
<a href="https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true">Java Unmarshaller Security - Turning your data into code execution</a>
</li>
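Review bot: the list structure around the `=======` marker needs a check: the JsonIO entry opened by `<li>` has to be closed before the "Research by Moritz Bechler" entry starts, and the header (7 lines before, 8 after) only leaves room for the marker to go and a `</li>` / `<li>` pair to come in. Please confirm the result has exactly one `</li>` for each `<li>` here. The Bechler entry also ends without the trailing period that the Hessian and JsonIO entries carry after `</a>`.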
@@ -99,7 +99,6 @@ Research by Moritz Bechler:
Blog posts by the developer of Jackson libraries:
<a href="https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062">On Jackson CVEs: Dont Panic — Here is what you need to know</a>
<a href="https://cowtowncoder.medium.com/jackson-2-10-safe-default-typing-2d018f0ce2ba">Jackson 2.10: Safe Default Typing</a>
>>>>>>> Added Jackson to UnsafeDeserialization.qhelp
</li>
</references>
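Review bot: in the Jackson entry the two `<a>` elements follow each other with no separating text or punctuation, so the two titles will render as one run; put each link in its own `<li>`, or separate them with a comma and end the entry with a period like the Hessian and JsonIO entries. The `>>>>>>> Added Jackson to UnsafeDeserialization.qhelp` line sits inside that `<li>`, and with the header going from 7 lines to 6 it is presumably the one line removed, so it is worth searching the other changed files for leftover conflict markers too.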