mirror of
https://github.com/github/codeql.git
synced 2026-06-29 00:27:05 +02:00
Use MaD models for unsafe deserialization sinks when possible
Many of the unsafe deserialization sinks have to stay defined in QL because they have custom logic that cannot be expressed in MaD models.
This commit is contained in:
@@ -1,20 +1,28 @@
|
||||
/**
|
||||
* DEPRECATED: Now modeled using data extensions instead.
|
||||
*
|
||||
* Provides classes and predicates for working with the Castor framework.
|
||||
*/
|
||||
overlay[local?]
|
||||
module;
|
||||
deprecated module;
|
||||
|
||||
import java
|
||||
|
||||
/**
|
||||
* DEPRECATED: Now modeled using data extensions instead.
|
||||
*
|
||||
* The class `org.exolab.castor.xml.Unmarshaller`.
|
||||
*/
|
||||
class CastorUnmarshaller extends RefType {
|
||||
deprecated class CastorUnmarshaller extends RefType {
|
||||
CastorUnmarshaller() { this.hasQualifiedName("org.exolab.castor.xml", "Unmarshaller") }
|
||||
}
|
||||
|
||||
/** A method with the name `unmarshal` declared in `org.exolab.castor.xml.Unmarshaller`. */
|
||||
class CastorUnmarshalMethod extends Method {
|
||||
/**
|
||||
* DEPRECATED: Now modeled using data extensions instead.
|
||||
*
|
||||
* A method with the name `unmarshal` declared in `org.exolab.castor.xml.Unmarshaller`.
|
||||
*/
|
||||
deprecated class CastorUnmarshalMethod extends Method {
|
||||
CastorUnmarshalMethod() {
|
||||
this.getDeclaringType() instanceof CastorUnmarshaller and
|
||||
this.getName() = "unmarshal"
|
||||
|
||||
@@ -17,10 +17,12 @@ class UnsafeHessianInput extends RefType {
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Now modeled using data extensions instead.
|
||||
*
|
||||
* A AbstractHessianInput or Hessian2StreamingInput subclass readObject method.
|
||||
* This is either `AbstractHessianInput.readObject` or `Hessian2StreamingInput.readObject`.
|
||||
*/
|
||||
class UnsafeHessianInputReadObjectMethod extends Method {
|
||||
deprecated class UnsafeHessianInputReadObjectMethod extends Method {
|
||||
UnsafeHessianInputReadObjectMethod() {
|
||||
this.getDeclaringType().getAnAncestor() instanceof UnsafeHessianInput and
|
||||
this.getName() = "readObject"
|
||||
@@ -34,8 +36,12 @@ class BurlapInput extends RefType {
|
||||
BurlapInput() { this.hasQualifiedName("com.caucho.burlap.io", "BurlapInput") }
|
||||
}
|
||||
|
||||
/** A method with the name `readObject` declared in `com.caucho.burlap.io.BurlapInput`. */
|
||||
class BurlapInputReadObjectMethod extends Method {
|
||||
/**
|
||||
* DEPRECATED: Now modeled using data extensions instead.
|
||||
*
|
||||
* A method with the name `readObject` declared in `com.caucho.burlap.io.BurlapInput`.
|
||||
*/
|
||||
deprecated class BurlapInputReadObjectMethod extends Method {
|
||||
BurlapInputReadObjectMethod() {
|
||||
this.getDeclaringType() instanceof BurlapInput and
|
||||
this.getName() = "readObject"
|
||||
|
||||
@@ -1,22 +1,28 @@
|
||||
/**
|
||||
* DEPRECATED: Now modeled using data extensions instead.
|
||||
*
|
||||
* Provides classes and predicates for working with the JYaml framework.
|
||||
*/
|
||||
overlay[local?]
|
||||
module;
|
||||
deprecated module;
|
||||
|
||||
import java
|
||||
|
||||
/**
|
||||
* DEPRECATED: Now modeled using data extensions instead.
|
||||
*
|
||||
* The class `org.ho.yaml.Yaml` or `org.ho.yaml.YamlConfig`.
|
||||
*/
|
||||
class JYamlLoader extends RefType {
|
||||
deprecated class JYamlLoader extends RefType {
|
||||
JYamlLoader() { this.hasQualifiedName("org.ho.yaml", ["Yaml", "YamlConfig"]) }
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Now modeled using data extensions instead.
|
||||
*
|
||||
* A JYaml unsafe load method, declared on either `Yaml` or `YamlConfig`.
|
||||
*/
|
||||
class JYamlLoaderUnsafeLoadMethod extends Method {
|
||||
deprecated class JYamlLoaderUnsafeLoadMethod extends Method {
|
||||
JYamlLoaderUnsafeLoadMethod() {
|
||||
this.getDeclaringType() instanceof JYamlLoader and
|
||||
this.getName() in ["load", "loadType", "loadStream", "loadStreamOfType"]
|
||||
|
||||
@@ -19,8 +19,12 @@ class JabsorbUnmarshallMethod extends Method {
|
||||
}
|
||||
}
|
||||
|
||||
/** The deserialization method `fromJSON`. */
|
||||
class JabsorbFromJsonMethod extends Method {
|
||||
/**
|
||||
* DEPRECATED: Now modeled using data extensions instead.
|
||||
*
|
||||
* The deserialization method `fromJSON`.
|
||||
*/
|
||||
deprecated class JabsorbFromJsonMethod extends Method {
|
||||
JabsorbFromJsonMethod() {
|
||||
this.getDeclaringType().getAnAncestor() instanceof JabsorbSerializer and
|
||||
this.getName() = "fromJSON"
|
||||
|
||||
@@ -13,8 +13,12 @@ class YamlBeansReader extends RefType {
|
||||
YamlBeansReader() { this.hasQualifiedName("com.esotericsoftware.yamlbeans", "YamlReader") }
|
||||
}
|
||||
|
||||
/** A method with the name `read` declared in `com.esotericsoftware.yamlbeans.YamlReader`. */
|
||||
class YamlBeansReaderReadMethod extends Method {
|
||||
/**
|
||||
* DEPRECATED: Now modeled using data extensions instead.
|
||||
*
|
||||
* A method with the name `read` declared in `com.esotericsoftware.yamlbeans.YamlReader`.
|
||||
*/
|
||||
deprecated class YamlBeansReaderReadMethod extends Method {
|
||||
YamlBeansReaderReadMethod() {
|
||||
this.getDeclaringType() instanceof YamlBeansReader and
|
||||
this.getName() = "read"
|
||||
|
||||
@@ -16,10 +16,12 @@ class TypeApacheRandomStringUtils extends Class {
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Now modeled using data extensions instead.
|
||||
*
|
||||
* The method `deserialize` in either `org.apache.commons.lang.SerializationUtils`
|
||||
* or `org.apache.commons.lang3.SerializationUtils`.
|
||||
*/
|
||||
class MethodApacheSerializationUtilsDeserialize extends Method {
|
||||
deprecated class MethodApacheSerializationUtilsDeserialize extends Method {
|
||||
MethodApacheSerializationUtilsDeserialize() {
|
||||
this.getDeclaringType()
|
||||
.hasQualifiedName(["org.apache.commons.lang", "org.apache.commons.lang3"],
|
||||
|
||||
Reference in New Issue
Block a user