Simplified returnsRemoteInvocationSerializingExporter()

Author: artem-smotrakov

java/ql/src/experimental/Security/CWE/CWE-502/SpringHttpInvokerUnsafeDeserialization.ql

@@ -30,7 +30,6 @@ private predicate isRemoteInvocationSerializingExporter(RefType type) {
  * Holds if `method` returns an object that extends `RemoteInvocationSerializingExporter`.
  */
 private predicate returnsRemoteInvocationSerializingExporter(Method method) {
-  isRemoteInvocationSerializingExporter(method.getReturnType()) or
   isRemoteInvocationSerializingExporter(method.getReturnType().(RefType).getASupertype*())
 }
 

java/ql/test/experimental/query-tests/security/CWE-502/SpringHttpInvokerUnsafeDeserialization.expected

@@ -1 +1,2 @@
-| SpringHttpInvokerUnsafeDeserialization.java:9:32:9:37 | unsafe | Unasafe deserialization in a remote service exporter in 'unsafe' method |
+| SpringHttpInvokerUnsafeDeserialization.java:10:32:10:63 | unsafeHttpInvokerServiceExporter | Unasafe deserialization in a remote service exporter in 'unsafeHttpInvokerServiceExporter' method |
+| SpringHttpInvokerUnsafeDeserialization.java:18:41:18:88 | unsafeCustomeRemoteInvocationSerializingExporter | Unasafe deserialization in a remote service exporter in 'unsafeCustomeRemoteInvocationSerializingExporter' method |

java/ql/test/experimental/query-tests/security/CWE-502/SpringHttpInvokerUnsafeDeserialization.java

@@ -1,18 +1,24 @@
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter;
+import org.springframework.remoting.rmi.RemoteInvocationSerializingExporter;
 
 @Configuration
 public class SpringHttpInvokerUnsafeDeserialization {
 
-    @Bean(name = "/unsafe")
-    HttpInvokerServiceExporter unsafe() {
+    @Bean(name = "/unsafeHttpInvokerServiceExporter")
+    HttpInvokerServiceExporter unsafeHttpInvokerServiceExporter() {
         HttpInvokerServiceExporter exporter = new HttpInvokerServiceExporter();
         exporter.setService(new AccountServiceImpl());
         exporter.setServiceInterface(AccountService.class);
         return exporter;
     }
 
+    @Bean(name = "/unsafeCustomeRemoteInvocationSerializingExporter")
+    RemoteInvocationSerializingExporter unsafeCustomeRemoteInvocationSerializingExporter() {
+        return new CustomeRemoteInvocationSerializingExporter();
+    }
+
     HttpInvokerServiceExporter notABean() {
         HttpInvokerServiceExporter exporter = new HttpInvokerServiceExporter();
         exporter.setService(new AccountServiceImpl());
@@ -21,6 +27,8 @@ HttpInvokerServiceExporter notABean() {
     }
 }
 
+class CustomeRemoteInvocationSerializingExporter extends RemoteInvocationSerializingExporter {}
+
 class NotAConfiguration {
 
     @Bean(name = "/notAnEndpoint")

java/ql/test/stubs/springframework-5.2.3/org/springframework/remoting/rmi/RemoteInvocationSerializingExporter.java

@@ -1,5 +1,3 @@
 package org.springframework.remoting.rmi;
 
-public abstract class RemoteInvocationSerializingExporter {
-    
-}
+public abstract class RemoteInvocationSerializingExporter {}