diff --git a/csharp/ql/src/Security Features/CWE-502/UnsafeDeserialization.qhelp b/csharp/ql/src/Security Features/CWE-502/UnsafeDeserialization.qhelp index 6daa28e2df7..4cc76003fbf 100644 --- a/csharp/ql/src/Security Features/CWE-502/UnsafeDeserialization.qhelp +++ b/csharp/ql/src/Security Features/CWE-502/UnsafeDeserialization.qhelp @@ -13,7 +13,9 @@ arbitrary classes. Serialization frameworks that use a schema to instantiate only expected, predefined types are generally not tracked by this query. Such frameworks are generally safe with respect to arbitrary-class-instantiation and gadget-chain attacks when the schema is trusted and does not permit -user-controlled type resolution. +user-controlled type resolution. However, care must be taken to ensure the schema +strictly limits the allowed types. Permitting common standard library classes +can still leave the application vulnerable to gadget-chain attacks.

diff --git a/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.qhelp b/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.qhelp index 26297f9c6bd..b2c123bed5c 100644 --- a/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.qhelp +++ b/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.qhelp @@ -13,7 +13,9 @@ arbitrary classes. Serialization frameworks that use a schema to instantiate only expected, predefined types are generally not tracked by this query. Such frameworks are generally safe with respect to arbitrary-class-instantiation and gadget-chain attacks when the schema is trusted and does not permit -user-controlled type resolution. +user-controlled type resolution. However, care must be taken to ensure the schema +strictly limits the allowed types. Permitting common standard library classes +can still leave the application vulnerable to gadget-chain attacks.

diff --git a/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp b/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp index ff235670496..a6d2d9936a5 100644 --- a/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp +++ b/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp @@ -25,7 +25,9 @@ only expected, predefined types are generally not tracked by this query. For example, Apache Avro's deserialization methods follow a schema and are therefore generally safe with respect to arbitrary-class-instantiation and gadget-chain attacks when the schema is trusted and does not permit -user-controlled type resolution. +user-controlled type resolution. However, care must be taken to ensure the schema +strictly limits the allowed types. Permitting common standard library classes +can still leave the application vulnerable to gadget-chain attacks.

diff --git a/python/ql/src/Security/CWE-502/UnsafeDeserialization.qhelp b/python/ql/src/Security/CWE-502/UnsafeDeserialization.qhelp index 08af6249f50..dea8a8794bb 100644 --- a/python/ql/src/Security/CWE-502/UnsafeDeserialization.qhelp +++ b/python/ql/src/Security/CWE-502/UnsafeDeserialization.qhelp @@ -22,7 +22,9 @@ arbitrary classes. Serialization frameworks that use a schema to instantiate only expected, predefined types are generally not tracked by this query. Such frameworks are generally safe with respect to arbitrary-class-instantiation and gadget-chain attacks when the schema is trusted and does not permit -user-controlled type resolution. +user-controlled type resolution. However, care must be taken to ensure the schema +strictly limits the allowed types. Permitting common standard library classes +can still leave the application vulnerable to gadget-chain attacks.

diff --git a/ruby/ql/src/queries/security/cwe-502/UnsafeDeserialization.qhelp b/ruby/ql/src/queries/security/cwe-502/UnsafeDeserialization.qhelp index 6c875f88994..001f7ef1448 100644 --- a/ruby/ql/src/queries/security/cwe-502/UnsafeDeserialization.qhelp +++ b/ruby/ql/src/queries/security/cwe-502/UnsafeDeserialization.qhelp @@ -13,7 +13,9 @@ arbitrary classes or objects. Serialization frameworks that use a schema to inst only expected, predefined types are generally not tracked by this query. Such frameworks are generally safe with respect to arbitrary-class-instantiation and gadget-chain attacks when the schema is trusted and does not permit -user-controlled type resolution. +user-controlled type resolution. However, care must be taken to ensure the schema +strictly limits the allowed types. Permitting common standard library classes +can still leave the application vulnerable to gadget-chain attacks.