Apply suggestions from code review

Co-authored-by: Chris Smowton <smowton@github.com>
Artem Smotrakov
2021-07-13 14:53:45 +02:00
committed by GitHub
parent 09ae779b21
commit 1b3516ab94


@@ -78,7 +78,7 @@ private class ObjectMapperReadSink extends DataFlow::ExprNode {
private class SetPolymorphicTypeValidatorSource extends DataFlow::ExprNode {
SetPolymorphicTypeValidatorSource() {
exists(MethodAccess ma, Method m, Expr q | m = ma.getMethod() and q = ma.getQualifier() |
exists(MethodAccess ma, Method m | m = ma.getMethod() |
(
m.getDeclaringType() instanceof ObjectMapper and
m.hasName("setPolymorphicTypeValidator")
@@ -86,7 +86,7 @@ private class SetPolymorphicTypeValidatorSource extends DataFlow::ExprNode {
m.getDeclaringType() instanceof MapperBuilder and
m.hasName("polymorphicTypeValidator")
) and
this.asExpr() = q
this.asExpr() = ma.getQualifier()
)
}
}
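Review bot: `SetPolymorphicTypeValidatorSource` marks a mapper as validated on any call to `setPolymorphicTypeValidator` or `polymorphicTypeValidator` without looking at the argument, at least in the lines visible in these two hunks (the middle of the disjunction is not shown). A mapper configured with an allow-all validator such as Jackson's `LaissezFaireSubTypeValidator` would then be treated as safe and the unsafe-deserialization alert suppressed, which is a false negative for the query. Consider constraining the argument, or at minimum recording the gap on the class with a comment like `// Note: the validator passed in is not inspected; allow-all validators are treated as safe.` Separately, `ma.getQualifier()` has no result for an unqualified call made inside a subclass of `ObjectMapper`, so such a call yields no source; this predates the change but deserves a test case.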
@@ -196,7 +196,7 @@ private class EnableJacksonDefaultTypingConfig extends DataFlow2::Configuration
}
/**
* Tracks flow from calls, which set a type validator, to a subsequent Jackson deserialization method call,
* Tracks flow from calls which set a type validator to a subsequent Jackson deserialization method call,
* including across builder method calls.
*
* Such a Jackson deserialization method call is safe because validation will likely prevent instantiating unexpected types.