From 158a75e5a13d64c6e4ede18afc8b290b6702e1d7 Mon Sep 17 00:00:00 2001
From: Artem Smotrakov
Date: Tue, 20 Jul 2021 10:14:50 +0200
Subject: [PATCH] Import UnsafeDeserializationQuery in unsafeDeserialization.ql
---
 .../semmle/code/java/security/UnsafeDeserializationQuery.qll | 5 ++++-
 .../UnsafeDeserialization/unsafeDeserialization.ql | 2 +-
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/java/ql/src/semmle/code/java/security/UnsafeDeserializationQuery.qll b/java/ql/src/semmle/code/java/security/UnsafeDeserializationQuery.qll
index 64a55b91e80..fdb1821c9ce 100644
--- a/java/ql/src/semmle/code/java/security/UnsafeDeserializationQuery.qll
+++ b/java/ql/src/semmle/code/java/security/UnsafeDeserializationQuery.qll
@@ -121,7 +121,10 @@ private class SafeKryo extends DataFlow2::Configuration {
 }
 }
 
-private predicate unsafeDeserialization(MethodAccess ma, Expr sink) {
+/**
+ * Holds if `ma` is a call that triggers deserialization with tainted data from `sink`.
+ */
+predicate unsafeDeserialization(MethodAccess ma, Expr sink) {
 exists(Method m | m = ma.getMethod() |
 m instanceof ObjectInputStreamReadObjectMethod and
 sink = ma.getQualifier() and
diff --git a/java/ql/test/library-tests/UnsafeDeserialization/unsafeDeserialization.ql b/java/ql/test/library-tests/UnsafeDeserialization/unsafeDeserialization.ql
index 9433eba7f7f..0e0217a2472 100644
--- a/java/ql/test/library-tests/UnsafeDeserialization/unsafeDeserialization.ql
+++ b/java/ql/test/library-tests/UnsafeDeserialization/unsafeDeserialization.ql
@@ -1,5 +1,5 @@
 import default
-import semmle.code.java.security.UnsafeDeserialization
+import semmle.code.java.security.UnsafeDeserializationQuery
 
 from Method m, MethodAccess ma
 where ma.getMethod() = m and unsafeDeserialization(ma, _)
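Review bot: The QLDoc added above `unsafeDeserialization` in UnsafeDeserializationQuery.qll says the call deserializes "tainted data from `sink`", but the lines visible in the hunk only bind `sink` structurally (`sink = ma.getQualifier()` for an `ObjectInputStreamReadObjectMethod`), and the test query in this same patch calls `unsafeDeserialization(ma, _)` with no data-flow configuration at all. Now that the predicate is no longer `private`, a caller could read the comment as a guarantee that taint has already been established and report every match as a finding. I would reword the comment to `Holds if ma is a call that deserializes the data in sink; whether sink is tainted is established by the calling data-flow configuration, not by this predicate.` The predicate body continues past the end of the hunk, so any further conditions it applies are not visible here and the wording may need adjusting against them.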