Fixing problems based on CR feedback.

raulgarciamsft · raulgarciamsft · commit c52064af7894 · 2020-08-03T16:39:41.000-07:00
github#3951 (review)
diff --git a/csharp/ql/src/experimental/Security Features/Serialization/DataSetSerialization.qll b/csharp/ql/src/experimental/Security Features/Serialization/DataSetSerialization.qll
@@ -60,16 +60,9 @@ class SerializableClass extends Class {
 /**
  * Holds if the serializable class `c` has a property or field `m` that is of `DataSet` or `DataTable` related type
  */
-predicate isClassUnsafeXmlSerializerImplementation(SerializableClass c, Member m) {
-  exists(Property p | m = p |
-    p = c.getAProperty() and
-    p.getType() instanceof DataSetOrTableRelatedClass
-  )
-  or
-  exists(AssignableMember am | am = m |
-    (am = c.getAField() or am = c.getAMember()) and
-    am.getType() instanceof DataSetOrTableRelatedClass
-  )
+predicate isClassUnsafeXmlSerializerImplementation(SerializableClass c, AssignableMember am) {
+  am = c.getAMember() and
+  am.getType() instanceof DataSetOrTableRelatedClass
 }
 
 /**
diff --git a/csharp/ql/src/experimental/Security Features/Serialization/XmlDeserializationWithDataSet.ql b/csharp/ql/src/experimental/Security Features/Serialization/XmlDeserializationWithDataSet.ql
@@ -12,6 +12,5 @@ import csharp
 import DataSetSerialization
 
 from UnsafeXmlReadMethodCall mc
-where exists(Method m | m.getACall() = mc)
 select mc,
   "Making an XML deserialization call with a type derived from DataSet or DataTable types and may lead to a security problem. Please visit https://go.microsoft.com/fwlink/?linkid=2132227 for details."
