Documentation UnsafeDeserializationQuery

egregius313 · egregius313 · commit cf7aa2e4208e · 2023-03-29T22:33:10.000-04:00
diff --git a/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll b/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll
@@ -534,6 +534,12 @@ deprecated class SafeObjectMapperConfig extends DataFlow2::Configuration {
   }
 }
 
+/**
+ * Tracks flow from calls that set a type validator to a subsequent Jackson deserialization method call,
+ * including across builder method calls.
+ *
+ * Such a Jackson deserialization method call is safe because validation will likely prevent instantiating unexpected types.
+ */
 module SafeObjectMapperConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node src) { src instanceof SetPolymorphicTypeValidatorSource }
 

Original file line number	Diff line number	Diff line change
`@@ -534,6 +534,12 @@ deprecated class SafeObjectMapperConfig extends DataFlow2::Configuration {`
`534`	`534`	`}`
`535`	`535`	`}`
`536`	`536`
	`537`	`+/**`
	`538`	`+ * Tracks flow from calls that set a type validator to a subsequent Jackson deserialization method call,`
	`539`	`+ * including across builder method calls.`
	`540`	`+ *`
	`541`	`+ * Such a Jackson deserialization method call is safe because validation will likely prevent instantiating unexpected types.`
	`542`	`+ */`
`537`	`543`	`module SafeObjectMapperConfig implements DataFlow::ConfigSig {`
`538`	`544`	`predicate isSource(DataFlow::Node src) { src instanceof SetPolymorphicTypeValidatorSource }`
`539`	`545`