Java: convert UnsafeDeserialization test to .qlref

2026-04-30 19:26:02 +02:00 · 2025-06-23 17:21:16 +02:00
parent c4b0955045
commit 4412335223
15 changed files with 528 additions and 131 deletions
--- a/java/ql/test/query-tests/security/CWE-502/ParcelableEntity.java
+++ b/java/ql/test/query-tests/security/CWE-502/ParcelableEntity.java
@@ -29,7 +29,7 @@ public class ParcelableEntity implements Parcelable {
        public ParcelableEntity createFromParcel(Parcel parcel) {
            try {
                Class clazz = Class.forName(parcel.readString());
-                Object obj = GSON.fromJson(parcel.readString(), clazz); // $unsafeDeserialization
+                Object obj = GSON.fromJson(parcel.readString(), clazz); // $ Alert
                return new ParcelableEntity(obj);
            }
            catch (ClassNotFoundException e) {