From 3b4357792bdb194e31918fbd007e366a43aac34b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mun=CC=83oz?= <alvaro@pwntester.com>
Date: Wed, 10 Feb 2021 12:21:48 +0100
Subject: [PATCH] Remove sanitizing condition which does not prevent
 vulnerability.

---
 .../ql/src/semmle/code/java/frameworks/SnakeYaml.qll | 12 +-----------
 1 file changed, 1 insertion(+), 11 deletions(-)

diff --git a/java/ql/src/semmle/code/java/frameworks/SnakeYaml.qll b/java/ql/src/semmle/code/java/frameworks/SnakeYaml.qll
index 5c277b7200b..04b3be0a3dc 100644
--- a/java/ql/src/semmle/code/java/frameworks/SnakeYaml.qll
+++ b/java/ql/src/semmle/code/java/frameworks/SnakeYaml.qll
@@ -7,13 +7,6 @@ import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.DataFlow2
 import semmle.code.java.dataflow.DataFlow3
 
-/**
- * The class `org.yaml.snakeyaml.constructor.Constructor`.
- */
-class SnakeYamlConstructor extends RefType {
-  SnakeYamlConstructor() { this.hasQualifiedName("org.yaml.snakeyaml.constructor", "Constructor") }
-}
-
 /**
  * The class `org.yaml.snakeyaml.constructor.SafeConstructor`.
  */
@@ -24,14 +17,11 @@ class SnakeYamlSafeConstructor extends RefType {
 }
 
 /**
- * An instance of `SafeConstructor` or a `Constructor` that only allows the type that is passed into its argument.
+ * An instance of `SafeConstructor`
  */
 class SafeSnakeYamlConstruction extends ClassInstanceExpr {
   SafeSnakeYamlConstruction() {
     this.getConstructedType() instanceof SnakeYamlSafeConstructor
-    or
-    this.getConstructedType() instanceof SnakeYamlConstructor and
-    this.getNumArgument() > 0
   }
 }