CodeQL library for Java/Kotlin
codeql/java-all 1.1.2-dev (changelog, source)
Search

Module UnsafeTypeConfig

Tracks flow from a remote source to a type descriptor (e.g. a java.lang.Class instance) passed to a deserialization method.

If this is user-controlled, arbitrary code could be executed while instantiating the user-specified type.

Import path

import semmle.code.java.security.UnsafeDeserializationQuery

Predicates

isAdditionalFlowStep

Holds if fromNode to toNode is a dataflow step that resolves a class or at least looks like resolving a class.

isSink

Holds if sink is a relevant data flow sink.

isSource

Holds if source is a relevant data flow source.