Module UnsafeDeserializationQuery
Provides classes and predicates for finding deserialization vulnerabilities.
Import path
import semmle.code.java.security.UnsafeDeserializationQuery
Imports
FlowSources | Provides classes representing various flow sources for taint tracking.
Predicates
getASafeFlexjsonUseCall | Gets a safe usage of the
isSafeFlexjsonDeserializer | Holds if
looksLikeResolveClassStep | Holds if
resolveClassStep | Holds if
unsafeDeserialization | Holds if
Classes
EnableJacksonDefaultTypingConfig | DEPRECATED: Use
SafeObjectMapperConfig | DEPRECATED: Use
UnsafeDeserializationConfig | DEPRECATED: Use
UnsafeDeserializationSink | A sink for unsafe deserialization.
UnsafeTypeConfig | DEPRECATED: Use
Modules
SafeObjectMapperConfig | Tracks flow from calls that set a type validator to a subsequent Jackson deserialization method call, including across builder method calls.
UnsafeTypeConfig | Tracks flow from a remote source to a type descriptor (e.g. a
Aliases
EnableJacksonDefaultTypingFlow | Tracks flow from
SafeObjectMapperFlow | Tracks flow from calls that set a type validator to a subsequent Jackson deserialization method call, including across builder method calls.
UnsafeDeserializationFlow | Constructs a global taint tracking computation.
UnsafeTypeFlow | Tracks flow from a remote source to a type descriptor (e.g. a