From 617ba65ef5994e285a26bc4ac0a799d37b3fdb60 Mon Sep 17 00:00:00 2001 From: Artem Smotrakov Date: Tue, 2 Mar 2021 21:36:14 +0100 Subject: [PATCH] Improved docs for SpringHttpInvokerUnsafeDeserialization.ql --- .../CWE-502/SpringHttpInvokerUnsafeDeserialization.qhelp | 8 ++++---- .../CWE/CWE-502/SpringHttpInvokerUnsafeDeserialization.ql | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/java/ql/src/experimental/Security/CWE/CWE-502/SpringHttpInvokerUnsafeDeserialization.qhelp b/java/ql/src/experimental/Security/CWE/CWE-502/SpringHttpInvokerUnsafeDeserialization.qhelp index 49237a8500e..ffb8dddae56 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-502/SpringHttpInvokerUnsafeDeserialization.qhelp +++ b/java/ql/src/experimental/Security/CWE/CWE-502/SpringHttpInvokerUnsafeDeserialization.qhelp @@ -3,14 +3,14 @@

-Spring Framework provides an abstract base class RemoteInvocationSerializingExporter +The Spring Framework provides an abstract base class RemoteInvocationSerializingExporter for defining remote service exporters. A Spring exporter, which is based on this class, deserializes incoming data using ObjectInputStream. Deserializing untrusted data is easily exploitable and in many cases allows an attacker to execute arbitrary code.

-Spring Framework also provides two classes that extend RemoteInvocationSerializingExporter: +The Spring Framework also provides two classes that extend RemoteInvocationSerializingExporter:

  • HttpInvokerServiceExporter
  • @@ -24,7 +24,7 @@ using unsafe ObjectInputStream. If a remote attacker can reach such it results in remote code execution in the worst case.

    -CVE-2016-1000027 has been assigned to this issue in Spring Framework. There is no fix for that. +CVE-2016-1000027 has been assigned to this issue in the Spring Framework. It is regarded as a design limitation, and can be mitigated but not fixed outright.

    @@ -36,7 +36,7 @@ Instead, use other message formats for API endpoints (for example, JSON), but make sure that the underlying deserialization mechanism is properly configured so that deserialization attacks are not possible. If the vulnerable exporters can not be replaced, consider using global deserialization filters introduced by JEP 290. -In general, avoid deserialization of untrusted data. +In general, avoid using Java's built-in deserialization methods on untrusted data.

    diff --git a/java/ql/src/experimental/Security/CWE/CWE-502/SpringHttpInvokerUnsafeDeserialization.ql b/java/ql/src/experimental/Security/CWE/CWE-502/SpringHttpInvokerUnsafeDeserialization.ql index df01ae478cc..54e8272575b 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-502/SpringHttpInvokerUnsafeDeserialization.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-502/SpringHttpInvokerUnsafeDeserialization.ql @@ -52,4 +52,4 @@ private predicate createsRemoteInvocationSerializingExporterBean(Method method) from Method method where createsRemoteInvocationSerializingExporterBean(method) select method, - "Unasafe deserialization in a remote service exporter in '" + method.getName() + "' method" + "Unsafe deserialization in a remote service exporter in '" + method.getName() + "' method"
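Review bot: In the first qhelp hunk (@@ -3,14), the unchanged sentence "A Spring exporter, which is based on this class, deserializes incoming data using ObjectInputStream" uses a non-restrictive clause, which reads as if every Spring exporter derives from RemoteInvocationSerializingExporter; since the hunk already touches this paragraph, tighten it to "A Spring exporter based on this class deserializes incoming data using ObjectInputStream."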
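Review bot: In the second qhelp hunk (@@ -24,7), the context line "If a remote attacker can reach such it results in remote code execution in the worst case" is missing its object; while this paragraph is being edited, change it to "If a remote attacker can reach such an exporter, it results in remote code execution in the worst case." The new sentence "It is regarded as a design limitation, and can be mitigated but not fixed outright" does not need the comma before "and", and the "design limitation" claim would be stronger with a link to Spring's own statement on CVE-2016-1000027 in the qhelp references so readers can verify it.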
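Review bot: In the third qhelp hunk (@@ -36,7), the context line "If the vulnerable exporters can not be replaced, consider using global deserialization filters introduced by JEP 290" should read "cannot", and the JEP 290 recommendation is only as good as the filter it names: an allow-list filter must still permit the classes the exporter legitimately deserializes (the RemoteInvocation types and argument types), otherwise a broad reject rule breaks the service while a permissive one gives no protection. Consider adding one sentence to that effect. The replacement line "avoid using Java's built-in deserialization methods on untrusted data" would be clearer as "avoid using Java's native serialization (ObjectInputStream) on untrusted data", since that is the mechanism named at the top of the document.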
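Review bot: In the .ql hunk (@@ -52,4), the typo fix "Unasafe" to "Unsafe" is correct, but the message still builds the method name by string concatenation; CodeQL alert messages support $@ placeholders with extra select columns, so prefer `select method, "Unsafe deserialization in a remote service exporter created in $@.", method, method.getName()` so the method name is rendered as a clickable link in results and the message follows the convention used across the Java queries.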