From c3a2ae2943d6aed65cb260a3c7e8e5140e88e9ad Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Fri, 28 Jul 2023 12:12:07 +0200
Subject: [PATCH] Account for public fields/setters
---
 .../code/java/frameworks/struts/Struts2Serializability.qll | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/java/ql/lib/semmle/code/java/frameworks/struts/Struts2Serializability.qll b/java/ql/lib/semmle/code/java/frameworks/struts/Struts2Serializability.qll
index 8768b61cec2..cb8b876be7a 100644
--- a/java/ql/lib/semmle/code/java/frameworks/struts/Struts2Serializability.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/struts/Struts2Serializability.qll
@@ -36,7 +36,12 @@ private class Struts2ActionField extends DeserializableField {
 exists(Struts2DeserializableType superType |
 superType = this.getDeclaringType().getAnAncestor() and
 not superType instanceof TypeObject and
- superType.fromSource()
+ superType.fromSource() and
+ (
+ this.isPublic()
+ or
+ exists(SetterMethod setter | setter.getField() = this and setter.isPublic())
+ )
 )
 }
 }
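Review bot: The setter arm of the new disjunct, `exists(SetterMethod setter | setter.getField() = this and setter.isPublic())`, may exclude fields that Struts2 can still populate from request parameters. If `SetterMethod` only matches trivial single-assignment setters, as I believe the library class does, a public `setX` that validates, copies or logs before assigning would no longer make its field a `Struts2ActionField`, which would likely show up as false negatives downstream. Consider also accepting any public one-parameter method on the declaring type whose name is `set` plus the capitalised field name, and state in the QLDoc on the class why non-public fields without a setter are left out. The patch touches one file only, so a test with a private field and no setter, one with a trivial public setter and one with a non-trivial public setter would pin the intended behaviour. The characteristic predicate starts above the hunk, so this is based on the visible lines only.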