C#: Clarify that deserialization following a schema is safe

2026-05-14 11:19:27 +02:00 · 2026-05-08 14:06:07 +01:00
parent e2874ac252
commit 4e47f7706d
2 changed files with 18 additions and 0 deletions
--- a/Features/CWE-502/UnsafeDeserialization.qhelp
+++ b/Features/CWE-502/UnsafeDeserialization.qhelp
@@ -7,6 +7,15 @@
 <p>Deserializing an object from untrusted input may result in security problems, such
 as denial of service or remote code execution.</p>

+<p>
+Note that a deserialization method is only dangerous if it can instantiate
+arbitrary classes. Serialization frameworks that use a schema to instantiate
+only expected, predefined types are generally not tracked by this query. Such
+frameworks are generally safe with respect to arbitrary-class-instantiation and
+gadget-chain attacks when the schema is trusted and does not permit
+user-controlled type resolution.
+</p>
+
 </overview>
 <recommendation>

--- a/Features/CWE-502/UnsafeDeserializationUntrustedInput.qhelp
+++ b/Features/CWE-502/UnsafeDeserializationUntrustedInput.qhelp
@@ -7,6 +7,15 @@
 <p>Deserializing an object from untrusted input may result in security problems, such
 as denial of service or remote code execution.</p>

+<p>
+Note that a deserialization method is only dangerous if it can instantiate
+arbitrary classes. Serialization frameworks that use a schema to instantiate
+only expected, predefined types are generally not tracked by this query. Such
+frameworks are generally safe with respect to arbitrary-class-instantiation and
+gadget-chain attacks when the schema is trusted and does not permit
+user-controlled type resolution.
+</p>
+
 </overview>
 <recommendation>