Unsafe deserialization: add support for Jodd JSON library

2025-12-24 04:36:35 +01:00 · 2021-08-05 16:01:14 +01:00
parent 6471092139
commit 0b6c991ac4
12 changed files with 1294 additions and 2 deletions
--- a/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp
+++ b/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp
@@ -15,7 +15,7 @@ may have unforeseen effects, such as the execution of arbitrary code.
 <p>
 There are many different serialization frameworks.  This query currently
 supports Kryo, XmlDecoder, XStream, SnakeYaml, JYaml, JsonIO, YAMLBeans, HessianBurlap, Castor, Burlap,
-Jackson, Jabsorb and Java IO serialization through
+Jackson, Jabsorb, Jodd JSON and Java IO serialization through
 <code>ObjectInputStream</code>/<code>ObjectOutputStream</code>.
 </p>
 </overview>
@@ -105,6 +105,10 @@ Blog posts by the developer of Jackson libraries:
 Jabsorb documentation on deserialization:
 <a href="https://github.com/Servoy/jabsorb/blob/master/src/org/jabsorb/">Jabsorb JSON Serializer</a>.
 </li>
+<li>
+Jodd JSON documentation on deserialization:
+<a href="https://json.jodd.org/parser">JoddJson Parser</a>.
+</li>
 </references>

 </qhelp>