Update tests for server-dangerous-object-deserialization rule
I'm making a change to the Semgrep Pro Engine which will correctly model
the fact that `java.lang.Object` is at the top of any inheritance
hierarchy in Java. As such, the pattern `Object $X` will match any
object type, including the `String` types previously used in the tests
here. I'm removing those types so that this test has the same behavior
in OSS and Pro.

In general, we do want the Pro Engine, when presented with a pattern
`(Foo $X)`, to also match any subtypes of `Foo`.

According to Pieter, this is desired behavior for this rule. If that
turns out to be incorrect, we could use `metavariable-regex` to match
only parameters that take exactly `Object`, instead of parameters that
take any subtype of `Object`.
nmote committed Oct 2, 2023
1 parent e81f323 commit fa78e8a
Showing 1 changed file with 4 additions and 4 deletions.
@@ -10,15 +10,15 @@

// ruleid:server-dangerous-object-deserialization
public interface IBSidesService extends Remote {
boolean registerTicket(String ticketID) throws RemoteException;
void vistTalk(String talkname) throws RemoteException;
boolean registerTicket(int ticketID) throws RemoteException;
void vistTalk(long talkID) throws RemoteException;
void poke(Object attende) throws RemoteException;
}

// ok:server-dangerous-object-deserialization
public interface IBSidesServiceOK extends Remote {
boolean registerTicket(String ticketID) throws RemoteException;
void vistTalk(String talkname) throws RemoteException;
boolean registerTicket(int ticketID) throws RemoteException;
void vistTalk(long talkID) throws RemoteException;
void poke(int attende) throws RemoteException;
}

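Review bot: after this hunk the `// ok:` interface `IBSidesServiceOK` contains no reference-typed parameter at all (only `int`, `long` and `int`), so the test no longer records whether a `String` or other `Object` subtype parameter on a `Remote` method is meant to be flagged or accepted; that is exactly the question the commit message leaves open ("if that turns out to be incorrect, we could use `metavariable-regex`"). Suggest pinning the decision down in the file itself once it is settled, e.g. one annotated method such as `void greet(String name) throws RemoteException;` under either `// ruleid:` or `// ok:`, or at least a short comment next to `poke(Object attende)` noting that subtypes of `Object` are intentionally (not) covered, so the behaviour is asserted by the test rather than only described in the commit message. Minor: the identifiers `vistTalk` and `attende` in the added lines are misspelt (`visitTalk`, `attendee`); harmless, but worth fixing while these lines are being rewritten.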
