Module UnsafeDeserializationQuery

Provides classes representing various flow sources for taint tracking.

Gets a safe usage of the use method of Flexjson, which could be: use(String, …) where the path is null or use(ObjectFactory, String…) where the string varargs (or array) contains null

Holds if e is a safely configured Flexjson JSONDeserializer.

Holds if fromNode to toNode is a dataflow step that looks like resolving a class. A method probably resolves a class if it takes a string, returns a type descriptor, and its name contains “resolve”, “load”, etc.

Holds if fromNode to toNode is a dataflow step that resolves a class.

Holds if ma is a call that deserializes data from sink.

DEPRECATED: Use EnableJacksonDefaultTypingFlow instead.

DEPRECATED: Use SafeObjectMapperFlow instead.

DEPRECATED: Use UnsafeDeserializationFlow instead.

A sink for unsafe deserialization.

DEPRECATED: Use UnsafeTypeFlow instead.

Tracks flow from calls that set a type validator to a subsequent Jackson deserialization method call, including across builder method calls.

Tracks flow from a remote source to a type descriptor (e.g. a java.lang.Class instance) passed to a deserialization method.

Tracks flow from enableDefaultTyping calls to a subsequent Jackson deserialization method call.

Tracks flow from calls that set a type validator to a subsequent Jackson deserialization method call, including across builder method calls.

Constructs a global taint tracking computation.

Tracks flow from a remote source to a type descriptor (e.g. a java.lang.Class instance) passed to a deserialization method.