Account for public fields/setters

Alvaro Muñoz · Alvaro Muñoz · commit c3a2ae2943d6 · 2023-07-28T12:12:07.000+02:00
diff --git a/java/ql/lib/semmle/code/java/frameworks/struts/Struts2Serializability.qll b/java/ql/lib/semmle/code/java/frameworks/struts/Struts2Serializability.qll
@@ -36,7 +36,12 @@ private class Struts2ActionField extends DeserializableField {
     exists(Struts2DeserializableType superType |
       superType = this.getDeclaringType().getAnAncestor() and
       not superType instanceof TypeObject and
-      superType.fromSource()
+      superType.fromSource() and
+      (
+        this.isPublic()
+        or
+        exists(SetterMethod setter | setter.getField() = this and setter.isPublic())
+      )
     )
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -36,7 +36,12 @@ private class Struts2ActionField extends DeserializableField {`
`36`	`36`	`exists(Struts2DeserializableType superType \|`
`37`	`37`	`superType = this.getDeclaringType().getAnAncestor() and`
`38`	`38`	`not superType instanceof TypeObject and`
`39`		`- superType.fromSource()`
	`39`	`+ superType.fromSource() and`
	`40`	`+ (`
	`41`	`+ this.isPublic()`
	`42`	`+ or`
	`43`	`+ exists(SetterMethod setter \| setter.getField() = this and setter.isPublic())`
	`44`	`+ )`
`40`	`45`	`)`
`41`	`46`	`}`
`42`	`47`	`}`