Merge branch 'main' into post-release-prep/codeql-cli-2.20.1

2026-04-26 09:15:12 +02:00 · 2025-01-08 16:28:23 +00:00
parent fb20f6ca63 5cc34a16d1
commit 0f8f5d2793
211 changed files with 22830 additions and 10264 deletions
--- a/Bugs/Serialization/MissingVoidConstructorsOnSerializable.ql
+++ b/Bugs/Serialization/MissingVoidConstructorsOnSerializable.ql
@@ -24,6 +24,16 @@ where
    c.hasNoParameters() and
    not c.isPrivate()
  ) and
+  // Assume if an object replaces itself prior to serialization,
+  // then it is unlikely to be directly deserialized.
+  // That means it won't need to comply with default serialization rules,
+  // such as non-serializable super-classes having a no-argument constructor.
+  not exists(Method m |
+    m = serial.getAMethod() and
+    m.hasName("writeReplace") and
+    m.getReturnType() instanceof TypeObject and
+    m.hasNoParameters()
+  ) and
  serial.fromSource()
 select serial,
  "This class is serializable, but its non-serializable " +
--- a/java/ql/src/change-notes/2025-01-06-write-replace-serializable.md
+++ b/java/ql/src/change-notes/2025-01-06-write-replace-serializable.md
@@ -0,0 +1,4 @@
+---
+category: fix
+---
+* Classes that define a `writeReplace` method are no longer flagged by the `java/missing-no-arg-constructor-on-serializable` query on the assumption they are unlikely to be deserialized using the default algorithm.
--- a/java/ql/test/query-tests/MissingVoidConstructorsOnSerializable/MissingVoidConstructorsOnSerializable.expected
+++ b/java/ql/test/query-tests/MissingVoidConstructorsOnSerializable/MissingVoidConstructorsOnSerializable.expected
@@ -0,0 +1 @@
+| Test.java:12:7:12:7 | A | This class is serializable, but its non-serializable super-class $@ does not declare a no-argument constructor. | Test.java:4:7:4:21 | NonSerializable | NonSerializable |
--- a/java/ql/test/query-tests/MissingVoidConstructorsOnSerializable/MissingVoidConstructorsOnSerializable.qlref
+++ b/java/ql/test/query-tests/MissingVoidConstructorsOnSerializable/MissingVoidConstructorsOnSerializable.qlref
@@ -0,0 +1 @@
+Likely Bugs/Serialization/MissingVoidConstructorsOnSerializable.ql
--- a/java/ql/test/query-tests/MissingVoidConstructorsOnSerializable/Test.java
+++ b/java/ql/test/query-tests/MissingVoidConstructorsOnSerializable/Test.java
@@ -0,0 +1,24 @@
+import java.io.ObjectStreamException;
+import java.io.Serializable;
+
+class NonSerializable { 
+
+  // Has no default constructor
+  public NonSerializable(int x) { }
+
+}
+
+// BAD: Serializable but its parent cannot be instantiated
+class A extends NonSerializable implements Serializable { 
+  public A() { super(1); }
+}
+
+// GOOD: writeReplaces itself, so unlikely to be deserialized
+// according to default rules.
+class B extends NonSerializable implements Serializable { 
+  public B() { super(2); }
+
+  public Object writeReplace() throws ObjectStreamException {
+    return null;
+  }
+}
				`@@ -0,0 +1 @@`
				`\| Test.java:12:7:12:7 \| A \| This class is serializable, but its non-serializable super-class $@ does not declare a no-argument constructor. \| Test.java:4:7:4:21 \| NonSerializable \| NonSerializable \|`
				`@@ -0,0 +1 @@`
				`Likely Bugs/Serialization/MissingVoidConstructorsOnSerializable.ql`