From 4e47f7706dcea8509f6a870bbe889258c9baeb0a Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Fri, 8 May 2026 14:06:07 +0100 Subject: [PATCH] C#: Clarify that deserialization following a schema is safe --- .../CWE-502/UnsafeDeserialization.qhelp | 9 +++++++++ .../CWE-502/UnsafeDeserializationUntrustedInput.qhelp | 9 +++++++++ 2 files changed, 18 insertions(+) diff --git a/csharp/ql/src/Security Features/CWE-502/UnsafeDeserialization.qhelp b/csharp/ql/src/Security Features/CWE-502/UnsafeDeserialization.qhelp index 3c68b74a1d9..6daa28e2df7 100644 --- a/csharp/ql/src/Security Features/CWE-502/UnsafeDeserialization.qhelp +++ b/csharp/ql/src/Security Features/CWE-502/UnsafeDeserialization.qhelp @@ -7,6 +7,15 @@

Deserializing an object from untrusted input may result in security problems, such as denial of service or remote code execution.

+

+Note that a deserialization method is only dangerous if it can instantiate +arbitrary classes. Serialization frameworks that use a schema to instantiate +only expected, predefined types are generally not tracked by this query. Such +frameworks are generally safe with respect to arbitrary-class-instantiation and +gadget-chain attacks when the schema is trusted and does not permit +user-controlled type resolution. +

+ diff --git a/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.qhelp b/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.qhelp index 7c8781b15a1..26297f9c6bd 100644 --- a/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.qhelp +++ b/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.qhelp @@ -7,6 +7,15 @@

Deserializing an object from untrusted input may result in security problems, such as denial of service or remote code execution.

+

+Note that a deserialization method is only dangerous if it can instantiate +arbitrary classes. Serialization frameworks that use a schema to instantiate +only expected, predefined types are generally not tracked by this query. Such +frameworks are generally safe with respect to arbitrary-class-instantiation and +gadget-chain attacks when the schema is trusted and does not permit +user-controlled type resolution. +

+
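Review bot: In both hunks the new paragraph opens with "a deserialization method is only dangerous if it can instantiate arbitrary classes", which contradicts the sentence immediately above it in the same file, where denial of service is listed alongside remote code execution; a schema-bound deserializer can still be a denial-of-service sink even though it cannot be driven into a gadget chain. Suggest narrowing the claim to the vector the paragraph actually rules out, e.g. "a deserialization method can only be used for remote code execution or gadget-chain attacks if it can instantiate arbitrary classes", and keeping the safety statement scoped the way the final sentence already does ("when the schema is trusted and does not permit user-controlled type resolution"). The same paragraph is also pasted verbatim into both UnsafeDeserialization.qhelp and UnsafeDeserializationUntrustedInput.qhelp; consider keeping a single shared copy so the two texts cannot drift apart.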