quandary: Break out deserialization from endpoints into a _risk category

Reviewed By: mbouaziz

Differential Revision: D13157416

fbshipit-source-id: 6ea34dd55

infer/src/base/IssueType.ml

@@ -405,6 +405,8 @@ let untrusted_buffer_access = from_string ~enabled:false "UNTRUSTED_BUFFER_ACCES
 
 let untrusted_deserialization = from_string "UNTRUSTED_DESERIALIZATION"
 
+let untrusted_deserialization_risk = from_string "UNTRUSTED_DESERIALIZATION_RISK"
+
 let untrusted_file = from_string "UNTRUSTED_FILE"
 
 let untrusted_file_risk = from_string "UNTRUSTED_FILE_RISK"

infer/src/base/IssueType.mli

@@ -305,6 +305,8 @@ val untrusted_buffer_access : t
 
 val untrusted_deserialization : t
 
+val untrusted_deserialization_risk : t
+
 val untrusted_file : t
 
 val untrusted_file_risk : t

infer/src/quandary/JavaTrace.ml

@@ -549,10 +549,12 @@ include Trace.Make (struct
     | Endpoint _, CreateFile ->
         (* user-controlled file creation; may be vulnerable to path traversal + more *)
         Some IssueType.untrusted_file_risk
-    | ( (Endpoint _ | Intent | IntentFromURI | UserControlledString | UserControlledURI)
+    | (Intent | IntentFromURI | UserControlledString | UserControlledURI), Deserialization ->
-      , Deserialization ) ->
         (* shouldn't let anyone external control what we deserialize *)
         Some IssueType.untrusted_deserialization
+    | Endpoint _, Deserialization ->
+        (* shouldn't let anyone external control what we deserialize *)
+        Some IssueType.untrusted_deserialization_risk
     | (Endpoint _ | Intent | IntentFromURI | UserControlledString | UserControlledURI), HTML ->
         (* untrusted data flows into HTML; XSS risk *)
         Some IssueType.cross_site_scripting