From 1b3516ab94d18449687e2ff5466c4472253bd167 Mon Sep 17 00:00:00 2001
From: Artem Smotrakov
Date: Tue, 13 Jul 2021 14:53:45 +0200
Subject: [PATCH] Apply suggestions from code review
Co-authored-by: Chris Smowton
---
 .../src/semmle/code/java/security/UnsafeDeserialization.qll | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/java/ql/src/semmle/code/java/security/UnsafeDeserialization.qll b/java/ql/src/semmle/code/java/security/UnsafeDeserialization.qll
index 9cdcbca2723..127d11ee1f3 100644
--- a/java/ql/src/semmle/code/java/security/UnsafeDeserialization.qll
+++ b/java/ql/src/semmle/code/java/security/UnsafeDeserialization.qll
@@ -78,7 +78,7 @@ private class ObjectMapperReadSink extends DataFlow::ExprNode {
 private class SetPolymorphicTypeValidatorSource extends DataFlow::ExprNode {
 SetPolymorphicTypeValidatorSource() {
- exists(MethodAccess ma, Method m, Expr q | m = ma.getMethod() and q = ma.getQualifier() |
+ exists(MethodAccess ma, Method m | m = ma.getMethod() |
 (
 m.getDeclaringType() instanceof ObjectMapper and
 m.hasName("setPolymorphicTypeValidator")
@@ -86,7 +86,7 @@ private class SetPolymorphicTypeValidatorSource extends DataFlow::ExprNode {
 m.getDeclaringType() instanceof MapperBuilder and
 m.hasName("polymorphicTypeValidator")
 ) and
- this.asExpr() = q
+ this.asExpr() = ma.getQualifier()
 )
 }
 }
@@ -196,7 +196,7 @@ private class EnableJacksonDefaultTypingConfig extends DataFlow2::Configuration
 }
 /**
- * Tracks flow from calls, which set a type validator, to a subsequent Jackson deserialization method call,
+ * Tracks flow from calls which set a type validator to a subsequent Jackson deserialization method call,
 * including across builder method calls.
 *
 * Such a Jackson deserialization method call is safe because validation will likely prevent instantiating unexpected types.
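Review bot: `SetPolymorphicTypeValidatorSource` (first and second hunks) selects the setter call by declaring type and method name only and binds `this` to `ma.getQualifier()`, so nothing in the visible lines looks at which validator is passed. A mapper or builder configured with a permissive validator such as Jackson's `LaissezFaireSubTypeValidator` would then presumably count as validated just like one with a strict allow-list, and a genuinely unsafe deserialization call could go unreported; whether another predicate outside these hunks narrows this is not visible. The class carries no QLDoc in the shown context, so I would add one that states the assumption, e.g. `/** The qualifier of a call that sets a polymorphic type validator; the validator's strictness is not checked. */`. For the same reason the comment in the third hunk would read more accurately as "is treated as safe" than "is safe". The line between the first two hunks and the declaration that the third hunk's comment documents are outside the diff.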