Apply suggestions from code review

artem-smotrakov · smowton · web-flow · commit 1b3516ab94d1 · 2021-07-13T14:53:45.000+02:00
Co-authored-by: Chris Smowton &lt;smowton@github.com&gt;
diff --git a/java/ql/src/semmle/code/java/security/UnsafeDeserialization.qll b/java/ql/src/semmle/code/java/security/UnsafeDeserialization.qll
@@ -78,15 +78,15 @@ private class ObjectMapperReadSink extends DataFlow::ExprNode {
 
 private class SetPolymorphicTypeValidatorSource extends DataFlow::ExprNode {
   SetPolymorphicTypeValidatorSource() {
-    exists(MethodAccess ma, Method m, Expr q | m = ma.getMethod() and q = ma.getQualifier() |
+    exists(MethodAccess ma, Method m | m = ma.getMethod() |
       (
         m.getDeclaringType() instanceof ObjectMapper and
         m.hasName("setPolymorphicTypeValidator")
         or
         m.getDeclaringType() instanceof MapperBuilder and
         m.hasName("polymorphicTypeValidator")
       ) and
-      this.asExpr() = q
+      this.asExpr() = ma.getQualifier()
     )
   }
 }
@@ -196,7 +196,7 @@ private class EnableJacksonDefaultTypingConfig extends DataFlow2::Configuration
 }
 
 /**
- * Tracks flow from calls, which set a type validator, to a subsequent Jackson deserialization method call,
+ * Tracks flow from calls which set a type validator to a subsequent Jackson deserialization method call,
  * including across builder method calls.
  *
  * Such a Jackson deserialization method call is safe because validation will likely prevent instantiating unexpected types.

Original file line number	Diff line number	Diff line change
`@@ -78,15 +78,15 @@ private class ObjectMapperReadSink extends DataFlow::ExprNode {`
`78`	`78`
`79`	`79`	`private class SetPolymorphicTypeValidatorSource extends DataFlow::ExprNode {`
`80`	`80`	`SetPolymorphicTypeValidatorSource() {`
`81`		`- exists(MethodAccess ma, Method m, Expr q \| m = ma.getMethod() and q = ma.getQualifier() \|`
	`81`	`+ exists(MethodAccess ma, Method m \| m = ma.getMethod() \|`
`82`	`82`	`(`
`83`	`83`	`m.getDeclaringType() instanceof ObjectMapper and`
`84`	`84`	`m.hasName("setPolymorphicTypeValidator")`
`85`	`85`	`or`
`86`	`86`	`m.getDeclaringType() instanceof MapperBuilder and`
`87`	`87`	`m.hasName("polymorphicTypeValidator")`
`88`	`88`	`) and`
`89`		`- this.asExpr() = q`
	`89`	`+ this.asExpr() = ma.getQualifier()`
`90`	`90`	`)`
`91`	`91`	`}`
`92`	`92`	`}`
`@@ -196,7 +196,7 @@ private class EnableJacksonDefaultTypingConfig extends DataFlow2::Configuration`
`196`	`196`	`}`
`197`	`197`
`198`	`198`	`/**`
`199`		`- * Tracks flow from calls, which set a type validator, to a subsequent Jackson deserialization method call,`
	`199`	`+ * Tracks flow from calls which set a type validator to a subsequent Jackson deserialization method call,`
`200`	`200`	`* including across builder method calls.`
`201`	`201`	`*`
`202`	`202`	`* Such a Jackson deserialization method call is safe because validation will likely prevent instantiating unexpected types.`