Import UnsafeDeserializationQuery in unsafeDeserialization.ql

2026-04-29 10:45:15 +02:00 · 2021-07-20 10:14:50 +02:00
parent 47e4cf4180
commit 158a75e5a1
2 changed files with 5 additions and 2 deletions
--- a/java/ql/src/semmle/code/java/security/UnsafeDeserializationQuery.qll
+++ b/java/ql/src/semmle/code/java/security/UnsafeDeserializationQuery.qll
@@ -121,7 +121,10 @@ private class SafeKryo extends DataFlow2::Configuration {
  }
 }

-private predicate unsafeDeserialization(MethodAccess ma, Expr sink) {
+/**
+ * Holds if `ma` is a call that triggers deserialization with tainted data from `sink`.
+ */
+predicate unsafeDeserialization(MethodAccess ma, Expr sink) {
  exists(Method m | m = ma.getMethod() |
    m instanceof ObjectInputStreamReadObjectMethod and
    sink = ma.getQualifier() and
--- a/java/ql/test/library-tests/UnsafeDeserialization/unsafeDeserialization.ql
+++ b/java/ql/test/library-tests/UnsafeDeserialization/unsafeDeserialization.ql
@@ -1,5 +1,5 @@
 import default
-import semmle.code.java.security.UnsafeDeserialization
+import semmle.code.java.security.UnsafeDeserializationQuery

 from Method m, MethodAccess ma
 where ma.getMethod() = m and unsafeDeserialization(ma, _)