Note that common standard library types can be vulnerable to gadget-chain attacks

This commit is contained in:
Owen Mansel-Chan
2026-05-08 14:18:54 +01:00
parent 93e05db394
commit a5ef036465
5 changed files with 15 additions and 5 deletions


@@ -22,7 +22,9 @@ arbitrary classes. Serialization frameworks that use a schema to instantiate
only expected, predefined types are generally not tracked by this query. Such
frameworks are generally safe with respect to arbitrary-class-instantiation and
gadget-chain attacks when the schema is trusted and does not permit
user-controlled type resolution.
user-controlled type resolution. However, care must be taken to ensure the schema
strictly limits the allowed types. Permitting common standard library classes
can still leave the application vulnerable to gadget-chain attacks.
</p>
</overview>
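Review bot: the new sentence "care must be taken to ensure the schema strictly limits the allowed types" tells readers that the limit matters but not what a strict limit looks like; since the following sentence already warns that permitting common standard library classes reopens gadget-chain attacks, consider stating the positive rule, e.g. that the schema should allowlist only the application's own concrete data classes rather than broad or catch-all types. The passive "care must be taken" could also be tightened, for example: "However, the schema must strictly limit the allowed types: permitting common standard library classes can still leave the application vulnerable to gadget-chain attacks."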