Import UnsafeDeserializationQuery in unsafeDeserialization.ql

This commit is contained in:
Artem Smotrakov
2021-07-20 10:14:50 +02:00
parent 47e4cf4180
commit 158a75e5a1
2 changed files with 5 additions and 2 deletions


@@ -121,7 +121,10 @@ private class SafeKryo extends DataFlow2::Configuration {
}
}
private predicate unsafeDeserialization(MethodAccess ma, Expr sink) {
/**
* Holds if `ma` is a call that triggers deserialization with tainted data from `sink`.
*/
predicate unsafeDeserialization(MethodAccess ma, Expr sink) {
exists(Method m | m = ma.getMethod() |
m instanceof ObjectInputStreamReadObjectMethod and
sink = ma.getQualifier() and