hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 01:03:14 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #20018 from owen-mc/java/snakeyaml-safe-unsafe-deserialization

Browse Source 
Java: Update qhelp: SnakeYaml is safe from version 2.0
This commit is contained in:
Owen Mansel-Chan
2025-07-21 12:22:36 +01:00
committed by GitHub
parent d5cdfc673e 9ef22fff8e
commit 472a6b5fe1
1 changed files with 3 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp
View File

@@ -64,8 +64,8 @@ Recommendations specific to particular frameworks supported by this query:
<p></p>
<p><b>SnakeYAML</b> - <code>org.yaml:snakeyaml</code></p>
<ul>
<li><b>Secure by Default</b>: No</li>
<li><b>Recommendation</b>: Pass an instance of <code>org.yaml.snakeyaml.constructor.SafeConstructor</code> to <code>org.yaml.snakeyaml.Yaml</code>'s constructor before using it to deserialize untrusted data.</li>
<li><b>Secure by Default</b>: As of version 2.0.</li>
<li><b>Recommendation</b>: For versions before 2.0, pass an instance of <code>org.yaml.snakeyaml.constructor.SafeConstructor</code> to <code>org.yaml.snakeyaml.Yaml</code>'s constructor before using it to deserialize untrusted data.</li>
</ul>
<p></p>
<p><b>XML Decoder</b> - <code>Standard Java Library</code></p>
@@ -121,7 +121,7 @@ Alvaro Muñoz &amp; Christian Schneider, RSAConference 2016:
</li>
<li>
SnakeYaml documentation on deserialization:
<a href="https://bitbucket.org/snakeyaml/snakeyaml/wiki/Documentation#markdown-header-loading-yaml">SnakeYaml deserialization</a>.
<a href="https://bitbucket.org/snakeyaml/snakeyaml/wiki/Documentation#markdown-header-loading-yaml">SnakeYaml deserialization</a> (not updated for new behaviour in version 2.0).
</li>
<li>
Hessian deserialization and related gadget chains: