Removed getAnAccess() calls for Jackson

2025-12-24 04:36:35 +01:00 · 2021-05-17 20:29:27 +02:00
parent aefd21075b
commit 24e4b68b9c
1 changed files with 3 additions and 4 deletions
--- a/java/ql/src/semmle/code/java/security/UnsafeDeserialization.qll
+++ b/java/ql/src/semmle/code/java/security/UnsafeDeserialization.qll
@@ -85,7 +85,7 @@ class SetPolymorphicTypeValidatorSource extends DataFlow::ExprNode {
        m.getDeclaringType() instanceof MapperBuilder and
        m.hasName("polymorphicTypeValidator")
      ) and
-      this.asExpr() = [q, q.(VarAccess).getVariable().getAnAccess()]
+      this.asExpr() = q
    )
  }
 }
@@ -185,8 +185,7 @@ class EnabledJacksonDefaultTyping extends DataFlow2::Configuration {
  EnabledJacksonDefaultTyping() { this = "EnabledJacksonDefaultTyping" }

  override predicate isSource(DataFlow::Node src) {
-    any(EnableJacksonDefaultTyping ma).getQualifier().(VarAccess).getVariable().getAnAccess() =
-      src.asExpr()
+    any(EnableJacksonDefaultTyping ma).getQualifier() = src.asExpr()
  }

  override predicate isSink(DataFlow::Node sink) { sink instanceof ObjectMapperReadSink }
@@ -212,7 +211,7 @@ class SafeObjectMapper extends DataFlow2::Configuration {
          .(RefType)
          .hasQualifiedName("com.fasterxml.jackson.databind.json",
            ["JsonMapper$Builder", "JsonMapper"]) and
-      fromNode.asExpr() = [q, q.(VarAccess).getVariable().getAnAccess()] and
+      fromNode.asExpr() = q and
      ma = toNode.asExpr()
    )
  }