deserialization sinks

csharp/ql/src/Security Features/CWE-502/DeserializedDelegate.ql

@@ -16,7 +16,7 @@ import semmle.code.csharp.serialization.Deserializers
 
 from Call deserialization, Cast cast
 where
-  deserialization.getTarget() instanceof UnsafeDeserializer and
+  deserialization.getTarget() instanceof UnsafeDeserializerCallable and
   cast.getExpr() = deserialization and
   cast.getTargetType() instanceof SystemLinqExpressions::DelegateExtType
 select deserialization, "Deserialization of delegate type."

csharp/ql/src/Security Features/CWE-502/UnsafeDeserialization.ql

@@ -13,7 +13,17 @@
 import csharp
 import semmle.code.csharp.security.dataflow.UnsafeDeserialization::UnsafeDeserialization
 
-from Call deserializeCall, Sink sink
-where deserializeCall.getAnArgument() = sink.asExpr()
+from Call deserializeCall, ObjectMethodSink sink
+where
+  deserializeCall.getAnArgument() = sink.asExpr() and
+  not exists(
+    DataFlow::PathNode constructor, DataFlow::PathNode usage,
+    SafeConstructorTrackingConfig constructorTracking
+  |
+    constructorTracking.hasFlowPath(constructor, usage) and
+    usage.getNode().asExpr().getParent() = sink.asExpr().getParent()
+  )
+  or
+  exists(ConstructorOrStaticMethodSink sink2 | deserializeCall.getAnArgument() = sink2.asExpr())
 select deserializeCall,
   "Unsafe deserializer is used. Make sure the value being deserialized comes from a trusted source."

csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.qhelp

@@ -27,6 +27,17 @@ it may be necessary to use a different deserialization framework.</p>
 
 <sample src="UnsafeDeserializationUntrustedInputGood.cs" />
 
+<p>In the following example potentially untrusted stream and type is deserialized using a
+<code>DataContractJsonSerializer</code> which is known to be vulnerable with user supplied types.</p>
+
+<sample src="UnsafeDeserializationUntrustedInputTypeBad.cs" />
+
+<p>To fix this specific vulnerability, we are using hardcoded
+Plain Old CLR Object (<a href="https://en.wikipedia.org/wiki/Plain_old_CLR_object">POCO</a>) type. In other cases,
+it may be necessary to use a different deserialization framework.</p>
+
+<sample src="UnsafeDeserializationUntrustedInputTypeGood.cs" />
+
 </example>
 <references>
 

csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql

@@ -13,8 +13,54 @@
 import csharp
 import semmle.code.csharp.security.dataflow.UnsafeDeserialization::UnsafeDeserialization
 import DataFlow::PathGraph
+import semmle.code.csharp.security.dataflow.flowsources.Remote
+import semmle.code.csharp.security.dataflow.flowsources.Local
 
-from TaintTrackingConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "$@ flows to unsafe deserializer.", source.getNode(),
+class RemoteSource extends Source {
+  RemoteSource() { this instanceof RemoteFlowSource }
+}
+
+class LocalSource extends Source {
+  LocalSource() { this instanceof LocalFlowSource }
+}
+
+from
+  TaintToObjectMethodTrackingConfig taintTracking, DataFlow::PathNode userInput,
+  DataFlow::PathNode deserializeCall
+where
+  // all flows from user input to deserialization with weak and strong type serializers
+  taintTracking.hasFlowPath(userInput, deserializeCall) and
+  // intersect with strong types, but user controlled or weak types deserialization usages
+  (
+    exists(
+      DataFlow::PathNode weakTypeCreation, DataFlow::PathNode weakTypeUsage,
+      WeakTypeCreationToUsageTrackingConfig weakTypeDeserializerTracking
+    |
+      weakTypeDeserializerTracking.hasFlowPath(weakTypeCreation, weakTypeUsage) and
+      weakTypeUsage.getNode().asExpr().getParent() = deserializeCall.getNode().asExpr().getParent()
+    )
+    or
+    exists(
+      TaintToObjectTypeTrackingConfig userControlledTypeTracking,
+      DataFlow::PathNode taintedTypeUsage, DataFlow::PathNode userInput2
+    |
+      userControlledTypeTracking.hasFlowPath(userInput2, taintedTypeUsage) and
+      taintedTypeUsage.getNode().asExpr().getParent() =
+        deserializeCall.getNode().asExpr().getParent()
+    )
+  ) and
+  // exclude deserialization flows with safe instances (i.e. JavaScriptSerializer without resolver)
+  not exists(
+    SafeConstructorTrackingConfig safeConstructorTracking, DataFlow::PathNode safeCreation,
+    DataFlow::PathNode safeTypeUsage
+  |
+    safeConstructorTracking.hasFlowPath(safeCreation, safeTypeUsage) and
+    safeTypeUsage.getNode().asExpr().getParent() = deserializeCall.getNode().asExpr().getParent()
+  )
+  or
+  // no type check needed - straightforward taint -> sink
+  exists(TaintToConstructorOrStaticMethodTrackingConfig taintTracking2 |
+    taintTracking2.hasFlowPath(userInput, deserializeCall)
+  )
+select deserializeCall, userInput, deserializeCall, "$@ flows to unsafe deserializer.", userInput,
   "User-provided data"

csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInputTypeBad.cs

@@ -0,0 +1,13 @@
+using System.Runtime.Serialization.Json;
+using System.IO;
+using System;
+
+class BadDataContractJsonSerializer
+{
+    public static object Deserialize(string type, Stream s)
+    {
+        // BAD: stream and type are potentially untrusted
+        var ds = new DataContractJsonSerializer(Type.GetType(type));
+        return ds.ReadObject(s);
+    }
+}

csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInputTypeGood.cs

@@ -0,0 +1,20 @@
+using System.Runtime.Serialization.Json;
+using System.IO;
+using System;
+
+class Poco
+{
+    public int Count;
+
+    public string Comment;
+}
+
+class GoodDataContractJsonSerializer
+{
+    public static Poco Deserialize(Stream s)
+    {
+        // GOOD: while stream is potentially untrusted, the instantiated type is hardcoded
+        var ds = new DataContractJsonSerializer(typeof(Poco));
+        return (Poco)ds.ReadObject(s);
+    }
+}

csharp/ql/src/semmle/code/csharp/security/dataflow/UnsafeDeserialization.qll

@@ -6,7 +6,6 @@
 import csharp
 
 module UnsafeDeserialization {
-  private import semmle.code.csharp.security.dataflow.flowsources.Remote
   private import semmle.code.csharp.serialization.Deserializers
 
   /**
@@ -17,7 +16,12 @@ module UnsafeDeserialization {
   /**
    * A data flow sink for unsafe deserialization vulnerabilities.
    */
-  abstract class Sink extends DataFlow::Node { }
+  abstract class ObjectMethodSink extends DataFlow::Node { }
+
+  /**
+   * A data flow sink for unsafe deserialization vulnerabilities.
+   */
+  abstract class ConstructorOrStaticMethodSink extends DataFlow::Node { }
 
   /**
    * A sanitizer for unsafe deserialization vulnerabilities.
@@ -25,57 +29,654 @@ module UnsafeDeserialization {
   abstract class Sanitizer extends DataFlow::Node { }
 
   /**
-   * A taint-tracking configuration for reasoning about unsafe deserialization.
+   * User input to object method call deserialization flow tracking.
    */
-  class TaintTrackingConfig extends TaintTracking::Configuration {
-    TaintTrackingConfig() { this = "UnsafeDeserialization" }
+  class TaintToObjectMethodTrackingConfig extends TaintTracking::Configuration {
+    TaintToObjectMethodTrackingConfig() { this = "UnsafeDeserialization1" }
 
     override predicate isSource(DataFlow::Node source) { source instanceof Source }
 
-    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+    override predicate isSink(DataFlow::Node sink) { sink instanceof ObjectMethodSink }
 
     override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
   }
 
-  class RemoteSource extends Source {
-    RemoteSource() { this instanceof RemoteFlowSource }
+  /**
+   * User input to static method or constructor call deserialization flow tracking.
+   */
+  class TaintToConstructorOrStaticMethodTrackingConfig extends TaintTracking::Configuration {
+    TaintToConstructorOrStaticMethodTrackingConfig() { this = "UnsafeDeserialization2" }
+
+    override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+    override predicate isSink(DataFlow::Node sink) { sink instanceof ConstructorOrStaticMethodSink }
+
+    override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
   }
 
-  /** A call to an unsafe deserializer. */
-  class UnsafeDeserializerSink extends Sink {
-    UnsafeDeserializerSink() {
-      exists(Call c |
-        this.asExpr() = c.getAnArgument() and
-        c.getTarget() instanceof UnsafeDeserializer
+  /**
+   * User input to instance type flow tracking.
+   */
+  class TaintToObjectTypeTrackingConfig extends TaintTracking::Configuration {
+    TaintToObjectTypeTrackingConfig() { this = "TaintToObjectTypeTrackingConfig" }
+
+    override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+    override predicate isSink(DataFlow::Node sink) {
+      exists(MethodCall mc, Method m |
+        m = mc.getTarget() and
+        m instanceof UnsafeDeserializerCallable and
+        sink.asExpr() = mc.getQualifier()
       )
     }
-  }
 
-  private class JavaScriptSerializerClass extends Class {
-    JavaScriptSerializerClass() {
-      this.hasQualifiedName("System.Web.Script.Serialization.JavaScriptSerializer")
+    override predicate isAdditionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) {
+      exists(MethodCall mc, Method m |
+        m = mc.getTarget() and
+        m.getDeclaringType().hasQualifiedName("System.Type") and
+        m.hasName("GetType") and
+        m.isStatic() and
+        n1.asExpr() = mc.getArgument(0) and
+        n2.asExpr() = mc
+      )
+      or
+      exists(ObjectCreation oc |
+        n1.asExpr() = oc.getAnArgument() and
+        n2.asExpr() = oc and
+        oc.getObjectType() instanceof StrongTypeDeserializer
+      )
     }
   }
 
   /**
-   * An unsafe use of a JavaScript deserializer. That is, a use with a custom type-resolver
-   * (constructor parameter).
+   * Unsafe deserializer creation to usage tracking config.
    */
-  class JavaScriptSerializerSink extends Sink {
-    JavaScriptSerializerSink() {
+  class WeakTypeCreationToUsageTrackingConfig extends TaintTracking::Configuration {
+    WeakTypeCreationToUsageTrackingConfig() { this = "DeserializerCreationToUsageTrackingConfig" }
+
+    override predicate isSource(DataFlow::Node source) {
       exists(ObjectCreation oc |
-        oc.getTarget().getDeclaringType() instanceof JavaScriptSerializerClass and
-        oc.getTarget().getNumberOfParameters() > 0 and
-        exists(MethodCall mc, Method m |
-          m = mc.getTarget() and
-          m.getDeclaringType() instanceof JavaScriptSerializerClass and
-          (
-            m.hasName("Deserialize") or
-            m.hasName("DeserializeObject")
-          ) and
-          this.asExpr() = mc.getAnArgument() and
-          DataFlow::localFlow(DataFlow::exprNode(oc), DataFlow::exprNode(mc.getQualifier()))
-        )
+        oc.getObjectType() instanceof WeakTypeDeserializer and
+        source.asExpr() = oc
+      )
+    }
+
+    override predicate isSink(DataFlow::Node sink) {
+      exists(MethodCall mc, Method m |
+        m = mc.getTarget() and
+        m instanceof UnsafeDeserializerCallable and
+        sink.asExpr() = mc.getQualifier()
+      )
+    }
+  }
+
+  /**
+   * Safe deserializer creation to usage tracking config.
+   */
+  abstract class SafeConstructorTrackingConfig extends TaintTracking::Configuration {
+    bindingset[this]
+    SafeConstructorTrackingConfig() { any() }
+  }
+
+  /** BinaryFormatter */
+  predicate isBinaryFormatterCall(MethodCall mc, Method m) {
+    m = mc.getTarget() and
+    (
+      m instanceof BinaryFormatterDeserializeMethod and
+      not mc.getArgument(0).hasValue()
+      or
+      m instanceof BinaryFormatterUnsafeDeserializeMethod and
+      not mc.getArgument(0).hasValue()
+      or
+      m instanceof BinaryFormatterUnsafeDeserializeMethodResponseMethod and
+      not mc.getArgument(0).hasValue()
+    )
+  }
+
+  abstract class BinaryFormatterSink extends ObjectMethodSink { }
+
+  class BinaryFormatterDeserializeMethodSink extends BinaryFormatterSink {
+    BinaryFormatterDeserializeMethodSink() {
+      exists(MethodCall mc, Method m |
+        isBinaryFormatterCall(mc, m) and
+        this.asExpr() = mc.getArgument(0)
+      )
+    }
+  }
+
+  /** SoapFormatter */
+  predicate isSoapFormatterCall(MethodCall mc, Method m) {
+    m = mc.getTarget() and
+    m instanceof SoapFormatterDeserializeMethod and
+    not mc.getArgument(0).hasValue()
+  }
+
+  abstract class SoapFormatterSink extends ObjectMethodSink { }
+
+  class SoapFormatterDeserializeMethodSink extends SoapFormatterSink {
+    SoapFormatterDeserializeMethodSink() {
+      exists(MethodCall mc, Method m |
+        isSoapFormatterCall(mc, m) and
+        this.asExpr() = mc.getArgument(0)
+      )
+    }
+  }
+
+  /** ObjectStateFormatter */
+  predicate isObjectStateFormatterCall(MethodCall mc, Method m) {
+    m = mc.getTarget() and
+    m instanceof ObjectStateFormatterDeserializeMethod and
+    not mc.getArgument(0).hasValue()
+  }
+
+  abstract class ObjectStateFormatterSink extends ObjectMethodSink { }
+
+  class ObjectStateFormatterDeserializeMethodSink extends ObjectStateFormatterSink {
+    ObjectStateFormatterDeserializeMethodSink() {
+      exists(MethodCall mc, Method m |
+        isObjectStateFormatterCall(mc, m) and
+        this.asExpr() = mc.getArgument(0)
+      )
+    }
+  }
+
+  /** NetDataContractSerializer */
+  predicate isNetDataContractSerializerCall(MethodCall mc, Method m) {
+    m = mc.getTarget() and
+    (
+      m instanceof NetDataContractSerializerDeserializeMethod and
+      not mc.getArgument(0).hasValue()
+      or
+      m instanceof NetDataContractSerializerReadObjectMethod and
+      not mc.getArgument(0).hasValue()
+    )
+  }
+
+  abstract class NetDataContractSerializerSink extends ObjectMethodSink { }
+
+  class NetDataContractSerializerDeserializeMethodSink extends NetDataContractSerializerSink {
+    NetDataContractSerializerDeserializeMethodSink() {
+      exists(MethodCall mc, Method m |
+        isNetDataContractSerializerCall(mc, m) and
+        this.asExpr() = mc.getArgument(0)
+      )
+    }
+  }
+
+  /** DataContractJsonSerializer */
+  predicate isDataContractJsonSerializerCall(MethodCall mc, Method m) {
+    m = mc.getTarget() and
+    m instanceof DataContractJsonSerializerReadObjectMethod and
+    not mc.getArgument(0).hasValue()
+  }
+
+  abstract class DataContractJsonSerializerSink extends ObjectMethodSink { }
+
+  class DataContractJsonSerializerDeserializeMethodSink extends DataContractJsonSerializerSink {
+    DataContractJsonSerializerDeserializeMethodSink() {
+      exists(MethodCall mc, Method m |
+        isDataContractJsonSerializerCall(mc, m) and
+        this.asExpr() = mc.getArgument(0)
+      )
+    }
+  }
+
+  class DataContractJsonSafeConstructorTrackingConfiguration extends SafeConstructorTrackingConfig {
+    DataContractJsonSafeConstructorTrackingConfiguration() {
+      this = "DataContractJsonSafeConstructorTrackingConfiguration"
+    }
+
+    override predicate isSource(DataFlow::Node source) {
+      source.asExpr().(ObjectCreation).getTarget().getDeclaringType() instanceof
+        DataContractJsonSerializerClass and
+      source.asExpr().(ObjectCreation).getTarget().getNumberOfParameters() > 0 and
+      source.asExpr().(ObjectCreation).getArgument(0) instanceof TypeofExpr
+    }
+
+    override predicate isSink(DataFlow::Node sink) {
+      exists(MethodCall mc, Method m |
+        isDataContractJsonSerializerCall(mc, m) and
+        mc.getQualifier() = sink.asExpr()
+      )
+    }
+  }
+
+  /** JavaScriptSerializer */
+  predicate isJavaScriptSerializerCall(MethodCall mc, Method m) {
+    m = mc.getTarget() and
+    (
+      m instanceof JavaScriptSerializerClassDeserializeMethod and
+      not mc.getArgument(0).hasValue()
+      or
+      m instanceof JavaScriptSerializerClassDeserializeObjectMethod and
+      not mc.getArgument(0).hasValue()
+    )
+  }
+
+  abstract class JavaScriptSerializerSink extends ObjectMethodSink { }
+
+  class JavaScriptSerializerDeserializeMethodSink extends JavaScriptSerializerSink {
+    JavaScriptSerializerDeserializeMethodSink() {
+      exists(MethodCall mc, Method m |
+        isJavaScriptSerializerCall(mc, m) and
+        this.asExpr() = mc.getArgument(0)
+      )
+    }
+  }
+
+  class JavaScriptSerializerSafeConstructorTrackingConfiguration extends SafeConstructorTrackingConfig {
+    JavaScriptSerializerSafeConstructorTrackingConfiguration() {
+      this = "JavaScriptSerializerSafeConstructorTrackingConfiguration"
+    }
+
+    override predicate isSource(DataFlow::Node source) {
+      source.asExpr().(ObjectCreation).getTarget().getDeclaringType() instanceof
+        JavaScriptSerializerClass and
+      source.asExpr().(ObjectCreation).getTarget().getNumberOfParameters() = 0
+    }
+
+    override predicate isSink(DataFlow::Node sink) {
+      exists(MethodCall mc, Method m |
+        isJavaScriptSerializerCall(mc, m) and
+        mc.getQualifier() = sink.asExpr()
+      )
+    }
+  }
+
+  /** XmlObjectSerializer */
+  predicate isXmlObjectSerializerCall(MethodCall mc, Method m) {
+    m = mc.getTarget() and
+    m instanceof XmlObjectSerializerReadObjectMethod and
+    not mc.getArgument(0).hasValue() and
+    not mc.targetIsLocalInstance()
+  }
+
+  abstract class XmlObjectSerializerSink extends ObjectMethodSink { }
+
+  class XmlObjectSerializerDeserializeMethodSink extends XmlObjectSerializerSink {
+    XmlObjectSerializerDeserializeMethodSink() {
+      exists(MethodCall mc, Method m |
+        isXmlObjectSerializerCall(mc, m) and
+        this.asExpr() = mc.getArgument(0)
+      )
+    }
+  }
+
+  class XmlObjectSerializerDerivedConstructorTrackingConfiguration extends SafeConstructorTrackingConfig {
+    XmlObjectSerializerDerivedConstructorTrackingConfiguration() {
+      this = "XmlObjectSerializerDerivedConstructorTrackingConfiguration"
+    }
+
+    override predicate isSource(DataFlow::Node source) {
+      source.asExpr().(ObjectCreation).getTarget().getDeclaringType().getABaseType+() instanceof
+        XmlObjectSerializerClass and
+      not (
+        source.asExpr().(ObjectCreation).getTarget().getDeclaringType() instanceof
+          DataContractSerializerClass or
+        source.asExpr().(ObjectCreation).getTarget().getDeclaringType() instanceof
+          NetDataContractSerializerClass
+      )
+    }
+
+    override predicate isSink(DataFlow::Node sink) {
+      exists(MethodCall mc, Method m |
+        isXmlObjectSerializerCall(mc, m) and
+        mc.getQualifier() = sink.asExpr()
+      )
+    }
+  }
+
+  /** XmlSerializer */
+  predicate isXmlSerializerCall(MethodCall mc, Method m) {
+    m = mc.getTarget() and
+    m instanceof XmlSerializerDeserializeMethod and
+    not mc.getArgument(0).hasValue()
+  }
+
+  abstract class XmlSerializerSink extends ObjectMethodSink { }
+
+  class XmlSerializerDeserializeMethodSink extends XmlSerializerSink {
+    XmlSerializerDeserializeMethodSink() {
+      exists(MethodCall mc, Method m |
+        isXmlSerializerCall(mc, m) and
+        this.asExpr() = mc.getArgument(0)
+      )
+    }
+  }
+
+  class XmlSerializerSafeConstructorTrackingConfiguration extends SafeConstructorTrackingConfig {
+    XmlSerializerSafeConstructorTrackingConfiguration() {
+      this = "XmlSerializerSafeConstructorTrackingConfiguration"
+    }
+
+    override predicate isSource(DataFlow::Node source) {
+      source.asExpr().(ObjectCreation).getTarget().getDeclaringType() instanceof XmlSerializerClass and
+      source.asExpr().(ObjectCreation).getTarget().getNumberOfParameters() > 0 and
+      source.asExpr().(ObjectCreation).getArgument(0) instanceof TypeofExpr
+    }
+
+    override predicate isSink(DataFlow::Node sink) {
+      exists(MethodCall mc, Method m |
+        isXmlSerializerCall(mc, m) and
+        mc.getQualifier() = sink.asExpr()
+      )
+    }
+  }
+
+  /** DataContractSerializer */
+  predicate isDataContractSerializerCall(MethodCall mc, Method m) {
+    m = mc.getTarget() and
+    (
+      m instanceof DataContractSerializerReadObjectMethod
+      or
+      m instanceof XmlObjectSerializerReadObjectMethod
+    ) and
+    not mc.getArgument(0).hasValue()
+  }
+
+  abstract class DataContractSerializerSink extends ObjectMethodSink { }
+
+  class DataContractSerializerDeserializeMethodSink extends DataContractSerializerSink {
+    DataContractSerializerDeserializeMethodSink() {
+      exists(MethodCall mc, Method m |
+        isDataContractSerializerCall(mc, m) and
+        this.asExpr() = mc.getArgument(0)
+      )
+    }
+  }
+
+  class DataContractSerializerSafeConstructorTrackingConfiguration extends SafeConstructorTrackingConfig {
+    DataContractSerializerSafeConstructorTrackingConfiguration() {
+      this = "DataContractSerializerSafeConstructorTrackingConfiguration"
+    }
+
+    override predicate isSource(DataFlow::Node source) {
+      source.asExpr().(ObjectCreation).getTarget().getDeclaringType() instanceof
+        DataContractSerializerClass and
+      source.asExpr().(ObjectCreation).getTarget().getNumberOfParameters() > 0 and
+      source.asExpr().(ObjectCreation).getArgument(0) instanceof TypeofExpr
+    }
+
+    override predicate isSink(DataFlow::Node sink) {
+      exists(MethodCall mc, Method m |
+        isDataContractSerializerCall(mc, m) and
+        mc.getQualifier() = sink.asExpr()
+      )
+    }
+  }
+
+  /** XmlMessageFormatter */
+  predicate isXmlMessageFormatterCall(MethodCall mc, Method m) {
+    m = mc.getTarget() and
+    m instanceof XmlMessageFormatterReadMethod and
+    not mc.getArgument(0).hasValue()
+  }
+
+  abstract class XmlMessageFormatterSink extends ObjectMethodSink { }
+
+  class XmlMessageFormatterDeserializeMethodSink extends XmlMessageFormatterSink {
+    XmlMessageFormatterDeserializeMethodSink() {
+      exists(MethodCall mc, Method m |
+        isXmlMessageFormatterCall(mc, m) and
+        this.asExpr() = mc.getArgument(0)
+      )
+    }
+  }
+
+  class XmlMessageFormatterSafeConstructorTrackingConfiguration extends SafeConstructorTrackingConfig {
+    XmlMessageFormatterSafeConstructorTrackingConfiguration() {
+      this = "XmlMessageFormatterSafeConstructorTrackingConfiguration"
+    }
+
+    override predicate isSource(DataFlow::Node source) {
+      source.asExpr().(ObjectCreation).getTarget().getDeclaringType() instanceof
+        XmlMessageFormatterClass and
+      source.asExpr().(ObjectCreation).getTarget().getNumberOfParameters() > 0 and
+      source.asExpr().(ObjectCreation).getArgument(0) instanceof TypeofExpr
+    }
+
+    override predicate isSink(DataFlow::Node sink) {
+      exists(MethodCall mc, Method m |
+        isXmlMessageFormatterCall(mc, m) and
+        mc.getQualifier() = sink.asExpr()
+      )
+    }
+  }
+
+  /** LosFormatter */
+  predicate isLosFormatterCall(MethodCall mc, Method m) {
+    m = mc.getTarget() and
+    m instanceof LosFormatterDeserializeMethod and
+    not mc.getArgument(0).hasValue()
+  }
+
+  abstract class LosFormatterSink extends ObjectMethodSink { }
+
+  class LosFormatterDeserializeMethodSink extends LosFormatterSink {
+    LosFormatterDeserializeMethodSink() {
+      exists(MethodCall mc, Method m |
+        isLosFormatterCall(mc, m) and
+        this.asExpr() = mc.getArgument(0)
+      )
+    }
+  }
+
+  /** fastJSON */
+  predicate isFastJsonCall(MethodCall mc, Method m) {
+    m = mc.getTarget() and
+    m instanceof FastJsonClassToObjectMethod and
+    not mc.getArgument(0).hasValue()
+  }
+
+  abstract class FastJsonSink extends ConstructorOrStaticMethodSink { }
+
+  class FastJsonDeserializeMethodSink extends FastJsonSink {
+    FastJsonDeserializeMethodSink() {
+      exists(MethodCall mc, Method m |
+        isFastJsonCall(mc, m) and
+        this.asExpr() = mc.getArgument(0)
+      )
+    }
+  }
+
+  /** Activity */
+  predicate isActivityCall(MethodCall mc, Method m) {
+    m = mc.getTarget() and
+    m instanceof ActivityLoadMethod and
+    not mc.getArgument(0).hasValue()
+  }
+
+  abstract class ActivitySink extends ObjectMethodSink { }
+
+  class ActivityDeserializeMethodSink extends ActivitySink {
+    ActivityDeserializeMethodSink() {
+      exists(MethodCall mc, Method m |
+        isActivityCall(mc, m) and
+        this.asExpr() = mc.getArgument(0)
+      )
+    }
+  }
+
+  /** ResourceReader */
+  predicate isResourceReaderCall(Call mc, Constructor m) {
+    m = mc.getTarget() and
+    m instanceof ResourceReaderConstructor and
+    not mc.getArgument(0).hasValue()
+  }
+
+  abstract class ResourceReaderSink extends ConstructorOrStaticMethodSink { }
+
+  class ResourceReaderDeserializeMethodSink extends ResourceReaderSink {
+    ResourceReaderDeserializeMethodSink() {
+      exists(Call mc, Constructor m |
+        isResourceReaderCall(mc, m) and
+        this.asExpr() = mc.getArgument(0)
+      )
+    }
+  }
+
+  /** BinaryMessageFormatter */
+  predicate isBinaryMessageFormatterCall(MethodCall mc, Method m) {
+    m = mc.getTarget() and
+    m instanceof BinaryMessageFormatterReadMethod and
+    not mc.getArgument(0).hasValue()
+  }
+
+  abstract class BinaryMessageFormatterSink extends ObjectMethodSink { }
+
+  class BinaryMessageFormatterDeserializeMethodSink extends BinaryMessageFormatterSink {
+    BinaryMessageFormatterDeserializeMethodSink() {
+      exists(MethodCall mc, Method m |
+        isBinaryMessageFormatterCall(mc, m) and
+        this.asExpr() = mc.getArgument(0)
+      )
+    }
+  }
+
+  /** XamlReader */
+  predicate isXamlReaderCall(MethodCall mc, Method m) {
+    m = mc.getTarget() and
+    (
+      m instanceof XamlReaderParseMethod
+      or
+      m instanceof XamlReaderLoadMethod
+      or
+      m instanceof XamlReaderLoadAsyncMethod
+    ) and
+    not mc.getArgument(0).hasValue()
+  }
+
+  abstract class XamlReaderSink extends ConstructorOrStaticMethodSink { }
+
+  class XamlReaderDeserializeMethodSink extends XamlReaderSink {
+    XamlReaderDeserializeMethodSink() {
+      exists(MethodCall mc, Method m |
+        isXamlReaderCall(mc, m) and
+        this.asExpr() = mc.getArgument(0)
+      )
+    }
+  }
+
+  /** ProxyObject */
+  predicate isProxyObjectCall(MethodCall mc, Method m) {
+    m = mc.getTarget() and
+    (
+      m instanceof ProxyObjectDecodeValueMethod
+      or
+      m instanceof ProxyObjectDecodeSerializedObjectMethod
+    ) and
+    not mc.getArgument(0).hasValue()
+  }
+
+  abstract class ProxyObjectSink extends ObjectMethodSink { }
+
+  class ProxyObjectDeserializeMethodSink extends ProxyObjectSink {
+    ProxyObjectDeserializeMethodSink() {
+      exists(MethodCall mc, Method m |
+        isProxyObjectCall(mc, m) and
+        this.asExpr() = mc.getArgument(0)
+      )
+    }
+  }
+
+  /** SweetJayson */
+  predicate isSweetJaysonCall(MethodCall mc, Method m) {
+    m = mc.getTarget() and
+    m instanceof JaysonConverterToObjectMethod and
+    not mc.getArgument(0).hasValue()
+  }
+
+  abstract class SweetJaysonSink extends ConstructorOrStaticMethodSink { }
+
+  class SweetJaysonDeserializeMethodSink extends SweetJaysonSink {
+    SweetJaysonDeserializeMethodSink() {
+      exists(MethodCall mc, Method m |
+        isSweetJaysonCall(mc, m) and
+        this.asExpr() = mc.getArgument(0)
+      )
+    }
+  }
+
+  /** ServiceStack.Text.JsonSerializer */
+  abstract class ServiceStackTextJsonSerializerSink extends ConstructorOrStaticMethodSink { }
+
+  class ServiceStackTextJsonSerializerDeserializeMethodSink extends ServiceStackTextJsonSerializerSink {
+    ServiceStackTextJsonSerializerDeserializeMethodSink() {
+      exists(MethodCall mc, Method m |
+        m = mc.getTarget() and
+        (
+          m instanceof ServiceStackTextJsonSerializerDeserializeFromStringMethod
+          or
+          m instanceof ServiceStackTextJsonSerializerDeserializeFromReaderMethod
+          or
+          m instanceof ServiceStackTextJsonSerializerDeserializeFromStreamMethod
+        ) and
+        not mc.getAnArgument().hasValue() and
+        not mc.getAnArgument() instanceof TypeofExpr and
+        this.asExpr() = mc.getAnArgument()
+      )
+    }
+  }
+
+  /** ServiceStack.Text.TypeSerializer */
+  abstract class ServiceStackTextTypeSerializerSink extends ConstructorOrStaticMethodSink { }
+
+  class ServiceStackTextTypeSerializerDeserializeMethodSink extends ServiceStackTextTypeSerializerSink {
+    ServiceStackTextTypeSerializerDeserializeMethodSink() {
+      exists(MethodCall mc, Method m |
+        m = mc.getTarget() and
+        (
+          m instanceof ServiceStackTextTypeSerializerDeserializeFromStringMethod
+          or
+          m instanceof ServiceStackTextTypeSerializerDeserializeFromReaderMethod
+          or
+          m instanceof ServiceStackTextTypeSerializerDeserializeFromStreamMethod
+        ) and
+        not mc.getAnArgument().hasValue() and
+        not mc.getAnArgument() instanceof TypeofExpr and
+        this.asExpr() = mc.getAnArgument()
+      )
+    }
+  }
+
+  /** ServiceStack.Text.CsvSerializer */
+  abstract class ServiceStackTextCsvSerializerSink extends ConstructorOrStaticMethodSink { }
+
+  class ServiceStackTextCsvSerializerDeserializeMethodSink extends ServiceStackTextCsvSerializerSink {
+    ServiceStackTextCsvSerializerDeserializeMethodSink() {
+      exists(MethodCall mc, Method m |
+        m = mc.getTarget() and
+        (
+          m instanceof ServiceStackTextCsvSerializerDeserializeFromStringMethod
+          or
+          m instanceof ServiceStackTextCsvSerializerDeserializeFromReaderMethod
+          or
+          m instanceof ServiceStackTextCsvSerializerDeserializeFromStreamMethod
+        ) and
+        not mc.getAnArgument().hasValue() and
+        not mc.getAnArgument() instanceof TypeofExpr and
+        this.asExpr() = mc.getAnArgument()
+      )
+    }
+  }
+
+  /** ServiceStack.Text.XmlSerializer */
+  abstract class ServiceStackTextXmlSerializerSink extends ConstructorOrStaticMethodSink { }
+
+  class ServiceStackTextXmlSerializerDeserializeMethodSink extends ServiceStackTextXmlSerializerSink {
+    ServiceStackTextXmlSerializerDeserializeMethodSink() {
+      exists(MethodCall mc, Method m |
+        m = mc.getTarget() and
+        (
+          m instanceof ServiceStackTextXmlSerializerDeserializeFromStringMethod
+          or
+          m instanceof ServiceStackTextXmlSerializerDeserializeFromReaderMethod
+          or
+          m instanceof ServiceStackTextXmlSerializerDeserializeFromStreamMethod
+        ) and
+        not mc.getAnArgument().hasValue() and
+        not mc.getAnArgument() instanceof TypeofExpr and
+        this.asExpr() = mc.getAnArgument()
       )
     }
   }

csharp/ql/src/semmle/code/csharp/serialization/Deserializers.qll

@@ -5,50 +5,134 @@
 
 import csharp
 
-/** An unsafe deserializer. */
-abstract class UnsafeDeserializer extends Callable { }
-
-/** An unsafe deserializer method in the `System.*` namespace. */
-class SystemDeserializer extends UnsafeDeserializer {
-  SystemDeserializer() {
-    this.hasQualifiedName("System.Runtime.Serialization.Formatters.Binary.BinaryFormatter",
-      "Deserialize")
+/** Unsafe deserialization calls. */
+class UnsafeDeserializerCallable extends Callable {
+  UnsafeDeserializerCallable() {
+    this instanceof BinaryFormatterDeserializeMethod
     or
-    this.hasQualifiedName("System.Runtime.Serialization.Formatters.Binary.BinaryFormatter",
-      "UnsafeDeserialize")
+    this instanceof BinaryFormatterUnsafeDeserializeMethod
     or
-    this.hasQualifiedName("System.Runtime.Serialization.Formatters.Binary.BinaryFormatter",
-      "UnsafeDeserializeMethodResponse")
+    this instanceof BinaryFormatterUnsafeDeserializeMethodResponseMethod
     or
-    this.hasQualifiedName("System.Runtime.Deserialization.Formatters.Soap.SoapFormatter",
-      "Deserialize")
+    this instanceof SoapFormatterDeserializeMethod
     or
-    this.hasQualifiedName("System.Web.UI.ObjectStateFormatter", "Deserialize")
+    this instanceof ObjectStateFormatterDeserializeMethod
     or
-    this.hasQualifiedName("System.Runtime.Serialization.NetDataContractSerializer", "Deserialize")
+    this instanceof NetDataContractSerializerDeserializeMethod
     or
-    this.hasQualifiedName("System.Runtime.Serialization.NetDataContractSerializer", "ReadObject")
+    this instanceof NetDataContractSerializerReadObjectMethod
     or
-    this.hasQualifiedName("System.Web.UI.LosFormatter", "Deserialize")
+    this instanceof DataContractJsonSerializerReadObjectMethod
     or
-    this.hasQualifiedName("System.Workflow.ComponentModel.Activity", "Load")
+    this instanceof JavaScriptSerializerClassDeserializeMethod
     or
-    this.hasQualifiedName("System.Resources.ResourceReader", "ResourceReader")
+    this instanceof JavaScriptSerializerClassDeserializeObjectMethod
     or
-    this.hasQualifiedName("System.Messaging", "BinaryMessageFormatter")
+    this instanceof XmlObjectSerializerReadObjectMethod
     or
-    this.hasQualifiedName("System.Windows.Markup.XamlReader", "Parse")
+    this instanceof XmlSerializerDeserializeMethod
     or
-    this.hasQualifiedName("System.Windows.Markup.XamlReader", "Load")
+    this instanceof DataContractSerializerReadObjectMethod
     or
-    this.hasQualifiedName("System.Windows.Markup.XamlReader", "LoadAsync")
+    this instanceof XmlMessageFormatterReadMethod
+    or
+    this instanceof LosFormatterDeserializeMethod
+    or
+    this instanceof FastJsonClassToObjectMethod
+    or
+    this instanceof ActivityLoadMethod
+    or
+    this instanceof ResourceReaderConstructor
+    or
+    this instanceof BinaryMessageFormatterReadMethod
+    or
+    this instanceof XamlReaderParseMethod
+    or
+    this instanceof XamlReaderLoadMethod
+    or
+    this instanceof XamlReaderLoadAsyncMethod
+    or
+    this instanceof ProxyObjectDecodeValueMethod
+    or
+    this instanceof ProxyObjectDecodeSerializedObjectMethod
+    or
+    this instanceof JaysonConverterToObjectMethod
+    or
+    this instanceof ServiceStackTextJsonSerializerDeserializeFromStringMethod
+    or
+    this instanceof ServiceStackTextJsonSerializerDeserializeFromReaderMethod
+    or
+    this instanceof ServiceStackTextJsonSerializerDeserializeFromStreamMethod
+    or
+    this instanceof ServiceStackTextTypeSerializerDeserializeFromStringMethod
+    or
+    this instanceof ServiceStackTextTypeSerializerDeserializeFromReaderMethod
+    or
+    this instanceof ServiceStackTextTypeSerializerDeserializeFromStreamMethod
+    or
+    this instanceof ServiceStackTextCsvSerializerDeserializeFromStringMethod
+    or
+    this instanceof ServiceStackTextCsvSerializerDeserializeFromReaderMethod
+    or
+    this instanceof ServiceStackTextCsvSerializerDeserializeFromStreamMethod
+    or
+    this instanceof ServiceStackTextXmlSerializerDeserializeFromStringMethod
+    or
+    this instanceof ServiceStackTextXmlSerializerDeserializeFromReaderMethod
+    or
+    this instanceof ServiceStackTextXmlSerializerDeserializeFromStreamMethod
   }
 }
 
-/** An unsafe deserializer method in the `Microsoft.*` namespace. */
-class MicrosoftDeserializer extends UnsafeDeserializer {
-  MicrosoftDeserializer() {
-    this.hasQualifiedName("Microsoft.Web.Design.Remote.ProxyObject", "DecodeValue")
+/** Deserializer exploitable only if user controls the expected object type. */
+class StrongTypeDeserializer extends Class {
+  StrongTypeDeserializer() {
+    this instanceof XmlSerializerClass
+    or
+    this instanceof DataContractJsonSerializerClass
+    or
+    this instanceof DataContractSerializerClass
+    or
+    this instanceof XmlMessageFormatterClass
+  }
+}
+
+/** Deserializer that doesn't make strong expected type check. */
+class WeakTypeDeserializer extends Class {
+  WeakTypeDeserializer() {
+    this instanceof BinaryFormatterClass
+    or
+    this instanceof SoapFormatterClass
+    or
+    this instanceof ObjectStateFormatterClass
+    or
+    this instanceof NetDataContractSerializerClass
+    or
+    this instanceof JavaScriptSerializerClass
+    or
+    this instanceof LosFormatterClass
+    or
+    this instanceof BinaryMessageFormatterClass
+    or
+    this instanceof FastJsonClass
+    or
+    this instanceof ActivityClass
+    or
+    this instanceof XamlReaderClass
+    or
+    this instanceof ProxyObjectClass
+    or
+    this instanceof ResourceReaderClass
+    or
+    this instanceof JaysonConverterClass
+    or
+    this instanceof ServiceStackTextJsonSerializerClass
+    or
+    this instanceof ServiceStackTextTypeSerializerClass
+    or
+    this instanceof ServiceStackTextCsvSerializerClass
+    or
+    this instanceof ServiceStackTextXmlSerializerClass
   }
 }
 
@@ -56,12 +140,415 @@ class MicrosoftDeserializer extends UnsafeDeserializer {
  * An unsafe deserializer method that calls any unsafe deserializer on any of
  * the parameters.
  */
-class WrapperDeserializer extends UnsafeDeserializer {
+class WrapperDeserializer extends UnsafeDeserializerCallable {
   WrapperDeserializer() {
     exists(Call call |
       call.getEnclosingCallable() = this and
       call.getAnArgument() instanceof ParameterAccess and
-      call.getTarget() instanceof UnsafeDeserializer
+      call.getTarget() instanceof UnsafeDeserializerCallable
     )
   }
 }
+
+/** BinaryFormatter */
+class BinaryFormatterClass extends Class {
+  BinaryFormatterClass() {
+    this.hasQualifiedName("System.Runtime.Serialization.Formatters.Binary.BinaryFormatter")
+  }
+}
+
+class BinaryFormatterDeserializeMethod extends Method {
+  BinaryFormatterDeserializeMethod() {
+    this.getDeclaringType() instanceof BinaryFormatterClass and
+    this.hasName("Deserialize")
+  }
+}
+
+class BinaryFormatterUnsafeDeserializeMethod extends Method {
+  BinaryFormatterUnsafeDeserializeMethod() {
+    this.getDeclaringType() instanceof BinaryFormatterClass and
+    this.hasName("UnsafeDeserialize")
+  }
+}
+
+class BinaryFormatterUnsafeDeserializeMethodResponseMethod extends Method {
+  BinaryFormatterUnsafeDeserializeMethodResponseMethod() {
+    this.getDeclaringType() instanceof BinaryFormatterClass and
+    this.hasName("UnsafeDeserializeMethodResponse")
+  }
+}
+
+/** SoapFormatter */
+class SoapFormatterClass extends Class {
+  SoapFormatterClass() {
+    this.hasQualifiedName("System.Runtime.Serialization.Formatters.Soap.SoapFormatter")
+  }
+}
+
+class SoapFormatterDeserializeMethod extends Method {
+  SoapFormatterDeserializeMethod() {
+    this.getDeclaringType() instanceof SoapFormatterClass and
+    this.hasName("Deserialize")
+  }
+}
+
+/** ObjectStateFormatter */
+class ObjectStateFormatterClass extends Class {
+  ObjectStateFormatterClass() { this.hasQualifiedName("System.Web.UI.ObjectStateFormatter") }
+}
+
+class ObjectStateFormatterDeserializeMethod extends Method {
+  ObjectStateFormatterDeserializeMethod() {
+    this.getDeclaringType() instanceof ObjectStateFormatterClass and
+    this.hasName("Deserialize")
+  }
+}
+
+/** NetDataContractSerializer */
+class NetDataContractSerializerClass extends Class {
+  NetDataContractSerializerClass() {
+    this.hasQualifiedName("System.Runtime.Serialization.NetDataContractSerializer")
+  }
+}
+
+class NetDataContractSerializerDeserializeMethod extends Method {
+  NetDataContractSerializerDeserializeMethod() {
+    this.getDeclaringType() instanceof NetDataContractSerializerClass and
+    this.hasName("Deserialize")
+  }
+}
+
+class NetDataContractSerializerReadObjectMethod extends Method {
+  NetDataContractSerializerReadObjectMethod() {
+    this.getDeclaringType() instanceof NetDataContractSerializerClass and
+    this.hasName("ReadObject")
+  }
+}
+
+/** DataContractJsonSerializer */
+class DataContractJsonSerializerClass extends Class {
+  DataContractJsonSerializerClass() {
+    this.hasQualifiedName("System.Runtime.Serialization.Json.DataContractJsonSerializer")
+  }
+}
+
+class DataContractJsonSerializerReadObjectMethod extends Method {
+  DataContractJsonSerializerReadObjectMethod() {
+    this.getDeclaringType() instanceof DataContractJsonSerializerClass and
+    this.hasName("ReadObject")
+  }
+}
+
+/** JavaScriptSerializer */
+class JavaScriptSerializerClass extends Class {
+  JavaScriptSerializerClass() {
+    this.hasQualifiedName("System.Web.Script.Serialization.JavaScriptSerializer")
+  }
+}
+
+class JavaScriptSerializerClassDeserializeMethod extends Method {
+  JavaScriptSerializerClassDeserializeMethod() {
+    this.getDeclaringType() instanceof JavaScriptSerializerClass and
+    this.hasName("Deserialize")
+  }
+}
+
+class JavaScriptSerializerClassDeserializeObjectMethod extends Method {
+  JavaScriptSerializerClassDeserializeObjectMethod() {
+    this.getDeclaringType() instanceof JavaScriptSerializerClass and
+    this.hasName("DeserializeObject")
+  }
+}
+
+/** XmlObjectSerializer */
+class XmlObjectSerializerClass extends Class {
+  XmlObjectSerializerClass() {
+    this.hasQualifiedName("System.Runtime.Serialization.XmlObjectSerializer")
+  }
+}
+
+class XmlObjectSerializerReadObjectMethod extends Method {
+  XmlObjectSerializerReadObjectMethod() {
+    this.getDeclaringType() instanceof XmlObjectSerializerClass and
+    this.hasName("ReadObject")
+  }
+}
+
+/** XmlSerializer */
+class XmlSerializerClass extends Class {
+  XmlSerializerClass() { this.hasQualifiedName("System.Xml.Serialization.XmlSerializer") }
+}
+
+class XmlSerializerDeserializeMethod extends Method {
+  XmlSerializerDeserializeMethod() {
+    this.getDeclaringType() instanceof XmlSerializerClass and
+    this.hasName("Deserialize")
+  }
+}
+
+/** DataContractSerializer */
+class DataContractSerializerClass extends Class {
+  DataContractSerializerClass() {
+    this.hasQualifiedName("System.Runtime.Serialization.DataContractSerializer")
+  }
+}
+
+class DataContractSerializerReadObjectMethod extends Method {
+  DataContractSerializerReadObjectMethod() {
+    this.getDeclaringType() instanceof DataContractSerializerClass and
+    this.hasName("ReadObject")
+  }
+}
+
+/** XmlMessageFormatter */
+class XmlMessageFormatterClass extends Class {
+  XmlMessageFormatterClass() { this.hasQualifiedName("System.Messaging.XmlMessageFormatter") }
+}
+
+class XmlMessageFormatterReadMethod extends Method {
+  XmlMessageFormatterReadMethod() {
+    this.getDeclaringType() instanceof XmlMessageFormatterClass and
+    this.hasName("Read")
+  }
+}
+
+/** LosFormatter */
+class LosFormatterClass extends Class {
+  LosFormatterClass() { this.hasQualifiedName("System.Web.UI.LosFormatter") }
+}
+
+class LosFormatterDeserializeMethod extends Method {
+  LosFormatterDeserializeMethod() {
+    this.getDeclaringType() instanceof LosFormatterClass and
+    this.hasName("Deserialize")
+  }
+}
+
+/** fastJSON */
+class FastJsonClass extends Class {
+  FastJsonClass() { this.hasQualifiedName("fastJSON.JSON") }
+}
+
+class FastJsonClassToObjectMethod extends Method {
+  FastJsonClassToObjectMethod() {
+    this.getDeclaringType() instanceof FastJsonClass and
+    this.hasName("ToObject") and
+    this.isStatic()
+  }
+}
+
+/** Activity */
+class ActivityClass extends Class {
+  ActivityClass() { this.hasQualifiedName("System.Workflow.ComponentModel.Activity") }
+}
+
+class ActivityLoadMethod extends Method {
+  ActivityLoadMethod() {
+    this.getDeclaringType() instanceof ActivityClass and
+    this.hasName("Load")
+  }
+}
+
+/** ResourceReader */
+class ResourceReaderClass extends Class {
+  ResourceReaderClass() { this.hasQualifiedName("System.Resources.ResourceReader") }
+}
+
+class ResourceReaderConstructor extends Constructor {
+  ResourceReaderConstructor() {
+    this.getDeclaringType() instanceof ResourceReaderClass and
+    this.hasName("ResourceReader")
+  }
+}
+
+/** BinaryMessageFormatter */
+class BinaryMessageFormatterClass extends Class {
+  BinaryMessageFormatterClass() { this.hasQualifiedName("System.Messaging.BinaryMessageFormatter") }
+}
+
+class BinaryMessageFormatterReadMethod extends Method {
+  BinaryMessageFormatterReadMethod() {
+    this.getDeclaringType() instanceof BinaryMessageFormatterClass and
+    this.hasName("Read")
+  }
+}
+
+/** XamlReader */
+class XamlReaderClass extends Class {
+  XamlReaderClass() { this.hasQualifiedName("System.Windows.Markup.XamlReader") }
+}
+
+class XamlReaderParseMethod extends Method {
+  XamlReaderParseMethod() {
+    this.getDeclaringType() instanceof XamlReaderClass and
+    this.hasName("Parse") and
+    this.isStatic()
+  }
+}
+
+class XamlReaderLoadMethod extends Method {
+  XamlReaderLoadMethod() {
+    this.getDeclaringType() instanceof XamlReaderClass and
+    this.hasName("Load") and
+    this.isStatic()
+  }
+}
+
+class XamlReaderLoadAsyncMethod extends Method {
+  XamlReaderLoadAsyncMethod() {
+    this.getDeclaringType() instanceof XamlReaderClass and
+    this.hasName("LoadAsync")
+  }
+}
+
+/** ProxyObject */
+class ProxyObjectClass extends Class {
+  ProxyObjectClass() { this.hasQualifiedName("Microsoft.Web.Design.Remote.ProxyObject") }
+}
+
+class ProxyObjectDecodeValueMethod extends Method {
+  ProxyObjectDecodeValueMethod() {
+    this.getDeclaringType() instanceof ProxyObjectClass and
+    this.hasName("DecodeValue")
+  }
+}
+
+class ProxyObjectDecodeSerializedObjectMethod extends Method {
+  ProxyObjectDecodeSerializedObjectMethod() {
+    this.getDeclaringType() instanceof ProxyObjectClass and
+    this.hasName("DecodeSerializedObject")
+  }
+}
+
+/** SweetJayson */
+class JaysonConverterClass extends Class {
+  JaysonConverterClass() { this.hasQualifiedName("Sweet.Jayson.JaysonConverter") }
+}
+
+class JaysonConverterToObjectMethod extends Method {
+  JaysonConverterToObjectMethod() {
+    this.getDeclaringType() instanceof JaysonConverterClass and
+    this.hasName("ToObject") and
+    this.isStatic()
+  }
+}
+
+/** ServiceStack.Text.JsonSerializer */
+class ServiceStackTextJsonSerializerClass extends Class {
+  ServiceStackTextJsonSerializerClass() {
+    this.hasQualifiedName("ServiceStack.Text.JsonSerializer")
+  }
+}
+
+class ServiceStackTextJsonSerializerDeserializeFromStringMethod extends Method {
+  ServiceStackTextJsonSerializerDeserializeFromStringMethod() {
+    this.getDeclaringType() instanceof ServiceStackTextJsonSerializerClass and
+    this.hasName("DeserializeFromString") and
+    this.isStatic()
+  }
+}
+
+class ServiceStackTextJsonSerializerDeserializeFromReaderMethod extends Method {
+  ServiceStackTextJsonSerializerDeserializeFromReaderMethod() {
+    this.getDeclaringType() instanceof ServiceStackTextJsonSerializerClass and
+    this.hasName("DeserializeFromReader") and
+    this.isStatic()
+  }
+}
+
+class ServiceStackTextJsonSerializerDeserializeFromStreamMethod extends Method {
+  ServiceStackTextJsonSerializerDeserializeFromStreamMethod() {
+    this.getDeclaringType() instanceof ServiceStackTextJsonSerializerClass and
+    this.hasName("DeserializeFromStream") and
+    this.isStatic()
+  }
+}
+
+/** ServiceStack.Text.TypeSerializer */
+class ServiceStackTextTypeSerializerClass extends Class {
+  ServiceStackTextTypeSerializerClass() {
+    this.hasQualifiedName("ServiceStack.Text.TypeSerializer")
+  }
+}
+
+class ServiceStackTextTypeSerializerDeserializeFromStringMethod extends Method {
+  ServiceStackTextTypeSerializerDeserializeFromStringMethod() {
+    this.getDeclaringType() instanceof ServiceStackTextTypeSerializerClass and
+    this.hasName("DeserializeFromString") and
+    this.isStatic()
+  }
+}
+
+class ServiceStackTextTypeSerializerDeserializeFromReaderMethod extends Method {
+  ServiceStackTextTypeSerializerDeserializeFromReaderMethod() {
+    this.getDeclaringType() instanceof ServiceStackTextTypeSerializerClass and
+    this.hasName("DeserializeFromReader") and
+    this.isStatic()
+  }
+}
+
+class ServiceStackTextTypeSerializerDeserializeFromStreamMethod extends Method {
+  ServiceStackTextTypeSerializerDeserializeFromStreamMethod() {
+    this.getDeclaringType() instanceof ServiceStackTextTypeSerializerClass and
+    this.hasName("DeserializeFromStream") and
+    this.isStatic()
+  }
+}
+
+/** ServiceStack.Text.CsvSerializer */
+class ServiceStackTextCsvSerializerClass extends Class {
+  ServiceStackTextCsvSerializerClass() { this.hasQualifiedName("ServiceStack.Text.CsvSerializer") }
+}
+
+class ServiceStackTextCsvSerializerDeserializeFromStringMethod extends Method {
+  ServiceStackTextCsvSerializerDeserializeFromStringMethod() {
+    this.getDeclaringType() instanceof ServiceStackTextCsvSerializerClass and
+    this.hasName("DeserializeFromString") and
+    this.isStatic()
+  }
+}
+
+class ServiceStackTextCsvSerializerDeserializeFromReaderMethod extends Method {
+  ServiceStackTextCsvSerializerDeserializeFromReaderMethod() {
+    this.getDeclaringType() instanceof ServiceStackTextCsvSerializerClass and
+    this.hasName("DeserializeFromReader") and
+    this.isStatic()
+  }
+}
+
+class ServiceStackTextCsvSerializerDeserializeFromStreamMethod extends Method {
+  ServiceStackTextCsvSerializerDeserializeFromStreamMethod() {
+    this.getDeclaringType() instanceof ServiceStackTextCsvSerializerClass and
+    this.hasName("DeserializeFromStream") and
+    this.isStatic()
+  }
+}
+
+/** ServiceStack.Text.XmlSerializer */
+class ServiceStackTextXmlSerializerClass extends Class {
+  ServiceStackTextXmlSerializerClass() { this.hasQualifiedName("ServiceStack.Text.XmlSerializer") }
+}
+
+class ServiceStackTextXmlSerializerDeserializeFromStringMethod extends Method {
+  ServiceStackTextXmlSerializerDeserializeFromStringMethod() {
+    this.getDeclaringType() instanceof ServiceStackTextXmlSerializerClass and
+    this.hasName("DeserializeFromString") and
+    this.isStatic()
+  }
+}
+
+class ServiceStackTextXmlSerializerDeserializeFromReaderMethod extends Method {
+  ServiceStackTextXmlSerializerDeserializeFromReaderMethod() {
+    this.getDeclaringType() instanceof ServiceStackTextXmlSerializerClass and
+    this.hasName("DeserializeFromReader") and
+    this.isStatic()
+  }
+}
+
+class ServiceStackTextXmlSerializerDeserializeFromStreamMethod extends Method {
+  ServiceStackTextXmlSerializerDeserializeFromStreamMethod() {
+    this.getDeclaringType() instanceof ServiceStackTextXmlSerializerClass and
+    this.hasName("DeserializeFromStream") and
+    this.isStatic()
+  }
+}

csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserialization/BinaryFormatterBad.cs

@@ -0,0 +1,12 @@
+using System.Runtime.Serialization.Formatters.Binary;
+using System.IO;
+
+class BadBinaryFormatter
+{
+    public static object Deserialize(Stream s)
+    {
+        var ds = new BinaryFormatter();
+        // BAD
+        return ds.Deserialize(s);
+    }
+}

csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserialization/DataContractJsonSerializerBad.cs

@@ -0,0 +1,13 @@
+using System.Runtime.Serialization.Json;
+using System.IO;
+using System;
+
+class BadDataContractJsonSerializer
+{
+    public static object Deserialize(Type type, Stream s)
+    {
+        var ds = new DataContractJsonSerializer(type);
+        // BAD
+        return ds.ReadObject(s);
+    }
+}

csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserialization/DataContractJsonSerializerGood.cs

@@ -0,0 +1,13 @@
+using System.Runtime.Serialization.Json;
+using System.IO;
+using System;
+
+class GoodDataContractJsonSerializer
+{
+    public static object Deserialize(Stream s)
+    {
+        // Good: type is hardcoded
+        var ds = new DataContractJsonSerializer(typeof(GoodDataContractJsonSerializer));
+        return ds.ReadObject(s);
+    }
+}

csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserialization/DataContractSerializerBad.cs

@@ -0,0 +1,13 @@
+using System.Runtime.Serialization;
+using System.IO;
+using System;
+
+class BadDataContractSerializer
+{
+    public static object Deserialize(Type type, Stream s)
+    {
+        var ds = new DataContractSerializer(type);
+        // BAD
+        return ds.ReadObject(s);
+    }
+}

csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserialization/DataContractSerializerGood.cs

@@ -0,0 +1,13 @@
+using System.Runtime.Serialization;
+using System.IO;
+using System;
+
+class GoodDataContractSerializer
+{
+    public static object Deserialize(Stream s)
+    {
+        // Good: type is hardcoded
+        var ds = new DataContractSerializer(typeof(GoodDataContractSerializer));
+        return ds.ReadObject(s);
+    }
+}

csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserialization/ExtractorOptions.cs

@@ -1 +1 @@
-// semmle-extractor-options: /r:System.Runtime.Extensions.dll /r:System.IO.FileSystem.dll /r:System.Collections.Specialized.dll ${testdir}/../../../../resources/stubs/System.Web.cs
+// semmle-extractor-options: /r:System.Private.Xml.dll /r:System.Xml.ReaderWriter.dll /r:System.Private.DataContractSerialization.dll /r:System.Runtime.Serialization.Formatters.dll /r:System.Runtime.Extensions.dll /r:System.IO.FileSystem.dll /r:System.Collections.Specialized.dll ${testdir}/../../../../resources/stubs/System.Web.cs

csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserialization/ResourceReaderBad.cs

@@ -0,0 +1,17 @@
+using System.Resources;
+using System.IO;
+using System;
+
+class BadResourceReader
+{
+    public static void Deserialize(Stream s)
+    {
+        var ds = new ResourceReader(s);
+        // BAD
+        var dict = ds.GetEnumerator();
+        while (dict.MoveNext())
+            Console.WriteLine("   {0}: '{1}' (Type {2})", 
+                            dict.Key, dict.Value, dict.Value.GetType().Name);
+        ds.Close();
+    }
+}

csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserialization/UnsafeDeserialization.expected

@@ -1 +1,7 @@
+| BinaryFormatterBad.cs:10:16:10:32 | call to method Deserialize | Unsafe deserializer is used. Make sure the value being deserialized comes from a trusted source. |
+| DataContractJsonSerializerBad.cs:11:16:11:31 | call to method ReadObject | Unsafe deserializer is used. Make sure the value being deserialized comes from a trusted source. |
+| DataContractSerializerBad.cs:11:16:11:31 | call to method ReadObject | Unsafe deserializer is used. Make sure the value being deserialized comes from a trusted source. |
+| ResourceReaderBad.cs:9:18:9:38 | object creation of type ResourceReader | Unsafe deserializer is used. Make sure the value being deserialized comes from a trusted source. |
 | UnsafeDeserializationBad.cs:9:16:9:38 | call to method DeserializeObject | Unsafe deserializer is used. Make sure the value being deserialized comes from a trusted source. |
+| XmlObjectSerializerBad.cs:11:16:11:31 | call to method ReadObject | Unsafe deserializer is used. Make sure the value being deserialized comes from a trusted source. |
+| XmlSerializerBad.cs:11:16:11:32 | call to method Deserialize | Unsafe deserializer is used. Make sure the value being deserialized comes from a trusted source. |

csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserialization/XmlObjectSerializerBad.cs

@@ -0,0 +1,13 @@
+using System.Runtime.Serialization;
+using System.IO;
+using System;
+
+class BadXmlObjectSerializer
+{
+    public static object Deserialize(Type type, Stream s)
+    {
+        XmlObjectSerializer ds = new DataContractSerializer(type);
+        // BAD
+        return ds.ReadObject(s);
+    }
+}

csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserialization/XmlObjectSerializerGood.cs

@@ -0,0 +1,13 @@
+using System.Runtime.Serialization;
+using System.IO;
+using System;
+
+class GoodXmlObjectSerializer
+{
+    public static object Deserialize(Stream s)
+    {
+        // Good: type is hardcoded
+        XmlObjectSerializer ds = new DataContractSerializer(typeof(GoodXmlObjectSerializer));
+        return ds.ReadObject(s);
+    }
+}

csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserialization/XmlSerializerBad.cs

@@ -0,0 +1,13 @@
+using System.Xml.Serialization;
+using System.IO;
+using System;
+
+class BadXmlSerializer
+{
+    public static object Deserialize(Type type, Stream s)
+    {
+        var ds = new XmlSerializer(type);
+        // BAD
+        return ds.Deserialize(s);
+    }
+}

csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserialization/XmlSerializerGood.cs

@@ -0,0 +1,13 @@
+using System.Xml.Serialization;
+using System.IO;
+using System;
+
+class GoodXmlSerializer
+{
+    public static object Deserialize(Stream s)
+    {
+        // Good: type is hardcoded
+        var ds = new XmlSerializer(typeof(GoodXmlSerializer));
+        return ds.Deserialize(s);
+    }
+}

csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/BinaryFormatterUntrustedInputBad.cs

@@ -0,0 +1,14 @@
+using System.Web.UI.WebControls;
+using System.Runtime.Serialization.Formatters.Binary;
+using System.IO;
+using System.Text;
+
+class BadBinaryFormatter
+{
+    public static object Deserialize(TextBox textBox)
+    {
+        var ds = new BinaryFormatter();
+        // BAD
+        return ds.Deserialize(new MemoryStream(Encoding.UTF8.GetBytes(textBox.Text)));
+    }
+}

csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/BinaryFormatterUntrustedInputGood.cs

@@ -0,0 +1,13 @@
+using System.Runtime.Serialization.Formatters.Binary;
+using System.IO;
+using System.Text;
+
+class GoodBinaryFormatter
+{
+    public static object Deserialize()
+    {
+        var ds = new BinaryFormatter();
+        // GOOD
+        return ds.Deserialize(new MemoryStream(Encoding.UTF8.GetBytes("hardcoded")));
+    }
+}

csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/DataContractJsonSerializerUntrustedInputBad.cs

@@ -0,0 +1,15 @@
+using System.Web.UI.WebControls;
+using System.Runtime.Serialization.Json;
+using System.IO;
+using System.Text;
+using System;
+
+class BadDataContractJsonSerializer
+{
+    public static object Deserialize(TextBox type, TextBox data)
+    {
+        var ds = new DataContractJsonSerializer(Type.GetType(type.Text));
+        // BAD
+        return ds.ReadObject(new MemoryStream(Encoding.UTF8.GetBytes(data.Text)));
+    }
+}

csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/DataContractJsonSerializerUntrustedInputGood.cs

@@ -0,0 +1,22 @@
+using System.Web.UI.WebControls;
+using System.Runtime.Serialization.Json;
+using System.IO;
+using System.Text;
+using System;
+
+class GoodDataContractJsonSerializer
+{
+    public static object Deserialize1(TextBox data)
+    {
+        // GOOD
+        var ds = new DataContractJsonSerializer(typeof(GoodDataContractJsonSerializer));
+        return ds.ReadObject(new MemoryStream(Encoding.UTF8.GetBytes(data.Text)));
+    }
+
+    public static object Deserialize2(TextBox type)
+    {
+        var ds = new DataContractJsonSerializer(Type.GetType(type.Text));
+        // GOOD
+        return ds.ReadObject(new MemoryStream(Encoding.UTF8.GetBytes("hardcoded")));
+    }
+}

csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/DataContractSerializerUntrustedInputBad.cs

@@ -0,0 +1,15 @@
+using System.Web.UI.WebControls;
+using System.Runtime.Serialization;
+using System.IO;
+using System.Text;
+using System;
+
+class BadDataContractSerializer
+{
+    public static object Deserialize(TextBox type, TextBox data)
+    {
+        var ds = new DataContractSerializer(Type.GetType(type.Text));
+        // BAD
+        return ds.ReadObject(new MemoryStream(Encoding.UTF8.GetBytes(data.Text)));
+    }
+}

csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/DataContractSerializerUntrustedInputGood.cs

@@ -0,0 +1,22 @@
+using System.Web.UI.WebControls;
+using System.Runtime.Serialization;
+using System.IO;
+using System.Text;
+using System;
+
+class GoodDataContractSerializer
+{
+    public static object Deserialize1(TextBox data)
+    {
+        // GOOD
+        var ds = new DataContractSerializer(typeof(GoodDataContractSerializer));
+        return ds.ReadObject(new MemoryStream(Encoding.UTF8.GetBytes(data.Text)));
+    }
+
+    public static object Deserialize2(TextBox type)
+    {
+        var ds = new DataContractSerializer(Type.GetType(type.Text));
+        // GOOD
+        return ds.ReadObject(new MemoryStream(Encoding.UTF8.GetBytes("hardcoded")));
+    }
+}

csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/ExtractorOptions.cs

@@ -1 +1 @@
-// semmle-extractor-options: /r:System.Runtime.Extensions.dll /r:System.IO.FileSystem.dll /r:System.Collections.Specialized.dll ${testdir}/../../../../resources/stubs/System.Web.cs
+// semmle-extractor-options: /r:System.Private.Xml.dll /r:System.Xml.ReaderWriter.dll /r:System.Private.DataContractSerialization.dll /r:System.Runtime.Serialization.Formatters.dll /r:System.Runtime.Extensions.dll /r:System.IO.FileSystem.dll /r:System.Collections.Specialized.dll ${testdir}/../../../../resources/stubs/System.Web.cs

csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/ResourceReaderUntrustedInputBad.cs

@@ -0,0 +1,19 @@
+using System.Web.UI.WebControls;
+using System.Resources;
+using System.IO;
+using System.Text;
+using System;
+
+class BadResourceReader
+{
+    public static void Deserialize(TextBox data)
+    {
+        var ds = new ResourceReader(new MemoryStream(Encoding.UTF8.GetBytes(data.Text)));
+        // BAD
+        var dict = ds.GetEnumerator();
+        while (dict.MoveNext())
+            Console.WriteLine("   {0}: '{1}' (Type {2})", 
+                            dict.Key, dict.Value, dict.Value.GetType().Name);
+        ds.Close();
+    }
+}

csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/ResourceReaderUntrustedInputGood.cs

@@ -0,0 +1,19 @@
+using System.Web.UI.WebControls;
+using System.Resources;
+using System.IO;
+using System.Text;
+using System;
+
+class GoodResourceReader
+{
+    public static void Deserialize(TextBox data)
+    {
+        // GOOD
+        var ds = new ResourceReader(new MemoryStream(Encoding.UTF8.GetBytes("hardcoded")));
+        var dict = ds.GetEnumerator();
+        while (dict.MoveNext())
+            Console.WriteLine("   {0}: '{1}' (Type {2})", 
+                            dict.Key, dict.Value, dict.Value.GetType().Name);
+        ds.Close();
+    }
+}

csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/UnsafeDeserializationUntrustedInput.expected

@@ -1,7 +1,147 @@
 edges
+| BinaryFormatterUntrustedInputBad.cs:10:18:10:38 | object creation of type BinaryFormatter : BinaryFormatter | BinaryFormatterUntrustedInputBad.cs:12:16:12:17 | access to local variable ds |
+| BinaryFormatterUntrustedInputBad.cs:12:48:12:83 | call to method GetBytes : Byte[] | BinaryFormatterUntrustedInputBad.cs:12:31:12:84 | object creation of type MemoryStream |
+| BinaryFormatterUntrustedInputBad.cs:12:71:12:77 | access to parameter textBox : TextBox | BinaryFormatterUntrustedInputBad.cs:12:71:12:82 | access to property Text : String |
+| BinaryFormatterUntrustedInputBad.cs:12:71:12:82 | access to property Text : String | BinaryFormatterUntrustedInputBad.cs:12:48:12:83 | call to method GetBytes : Byte[] |
+| BinaryFormatterUntrustedInputGood.cs:9:18:9:38 | object creation of type BinaryFormatter : BinaryFormatter | BinaryFormatterUntrustedInputGood.cs:11:16:11:17 | access to local variable ds |
+| DataContractJsonSerializerUntrustedInputBad.cs:11:62:11:65 | access to parameter type : TextBox | DataContractJsonSerializerUntrustedInputBad.cs:11:62:11:70 | access to property Text : String |
+| DataContractJsonSerializerUntrustedInputBad.cs:11:62:11:70 | access to property Text : String | DataContractJsonSerializerUntrustedInputBad.cs:13:16:13:17 | access to local variable ds |
+| DataContractJsonSerializerUntrustedInputBad.cs:13:47:13:79 | call to method GetBytes : Byte[] | DataContractJsonSerializerUntrustedInputBad.cs:13:30:13:80 | object creation of type MemoryStream |
+| DataContractJsonSerializerUntrustedInputBad.cs:13:70:13:73 | access to parameter data : TextBox | DataContractJsonSerializerUntrustedInputBad.cs:13:70:13:78 | access to property Text : String |
+| DataContractJsonSerializerUntrustedInputBad.cs:13:70:13:78 | access to property Text : String | DataContractJsonSerializerUntrustedInputBad.cs:13:47:13:79 | call to method GetBytes : Byte[] |
+| DataContractJsonSerializerUntrustedInputGood.cs:12:18:12:87 | object creation of type DataContractJsonSerializer : DataContractJsonSerializer | DataContractJsonSerializerUntrustedInputGood.cs:13:16:13:17 | access to local variable ds |
+| DataContractJsonSerializerUntrustedInputGood.cs:13:47:13:79 | call to method GetBytes : Byte[] | DataContractJsonSerializerUntrustedInputGood.cs:13:30:13:80 | object creation of type MemoryStream |
+| DataContractJsonSerializerUntrustedInputGood.cs:13:70:13:73 | access to parameter data : TextBox | DataContractJsonSerializerUntrustedInputGood.cs:13:70:13:78 | access to property Text : String |
+| DataContractJsonSerializerUntrustedInputGood.cs:13:70:13:78 | access to property Text : String | DataContractJsonSerializerUntrustedInputGood.cs:13:47:13:79 | call to method GetBytes : Byte[] |
+| DataContractJsonSerializerUntrustedInputGood.cs:18:62:18:65 | access to parameter type : TextBox | DataContractJsonSerializerUntrustedInputGood.cs:18:62:18:70 | access to property Text : String |
+| DataContractJsonSerializerUntrustedInputGood.cs:18:62:18:70 | access to property Text : String | DataContractJsonSerializerUntrustedInputGood.cs:20:16:20:17 | access to local variable ds |
+| DataContractSerializerUntrustedInputBad.cs:11:58:11:61 | access to parameter type : TextBox | DataContractSerializerUntrustedInputBad.cs:11:58:11:66 | access to property Text : String |
+| DataContractSerializerUntrustedInputBad.cs:11:58:11:66 | access to property Text : String | DataContractSerializerUntrustedInputBad.cs:13:16:13:17 | access to local variable ds |
+| DataContractSerializerUntrustedInputBad.cs:13:47:13:79 | call to method GetBytes : Byte[] | DataContractSerializerUntrustedInputBad.cs:13:30:13:80 | object creation of type MemoryStream |
+| DataContractSerializerUntrustedInputBad.cs:13:70:13:73 | access to parameter data : TextBox | DataContractSerializerUntrustedInputBad.cs:13:70:13:78 | access to property Text : String |
+| DataContractSerializerUntrustedInputBad.cs:13:70:13:78 | access to property Text : String | DataContractSerializerUntrustedInputBad.cs:13:47:13:79 | call to method GetBytes : Byte[] |
+| DataContractSerializerUntrustedInputGood.cs:12:18:12:79 | object creation of type DataContractSerializer : DataContractSerializer | DataContractSerializerUntrustedInputGood.cs:13:16:13:17 | access to local variable ds |
+| DataContractSerializerUntrustedInputGood.cs:13:47:13:79 | call to method GetBytes : Byte[] | DataContractSerializerUntrustedInputGood.cs:13:30:13:80 | object creation of type MemoryStream |
+| DataContractSerializerUntrustedInputGood.cs:13:70:13:73 | access to parameter data : TextBox | DataContractSerializerUntrustedInputGood.cs:13:70:13:78 | access to property Text : String |
+| DataContractSerializerUntrustedInputGood.cs:13:70:13:78 | access to property Text : String | DataContractSerializerUntrustedInputGood.cs:13:47:13:79 | call to method GetBytes : Byte[] |
+| DataContractSerializerUntrustedInputGood.cs:18:58:18:61 | access to parameter type : TextBox | DataContractSerializerUntrustedInputGood.cs:18:58:18:66 | access to property Text : String |
+| DataContractSerializerUntrustedInputGood.cs:18:58:18:66 | access to property Text : String | DataContractSerializerUntrustedInputGood.cs:20:16:20:17 | access to local variable ds |
+| ResourceReaderUntrustedInputBad.cs:11:54:11:86 | call to method GetBytes : Byte[] | ResourceReaderUntrustedInputBad.cs:11:37:11:87 | object creation of type MemoryStream |
+| ResourceReaderUntrustedInputBad.cs:11:77:11:80 | access to parameter data : TextBox | ResourceReaderUntrustedInputBad.cs:11:77:11:85 | access to property Text : String |
+| ResourceReaderUntrustedInputBad.cs:11:77:11:85 | access to property Text : String | ResourceReaderUntrustedInputBad.cs:11:54:11:86 | call to method GetBytes : Byte[] |
+| UnsafeDeserializationUntrustedInputBad.cs:8:35:8:84 | object creation of type JavaScriptSerializer : JavaScriptSerializer | UnsafeDeserializationUntrustedInputBad.cs:10:16:10:17 | access to local variable sr |
 | UnsafeDeserializationUntrustedInputBad.cs:10:37:10:43 | access to parameter textBox : TextBox | UnsafeDeserializationUntrustedInputBad.cs:10:37:10:48 | access to property Text |
+| UnsafeDeserializationUntrustedInputGood.cs:8:35:8:84 | object creation of type JavaScriptSerializer : JavaScriptSerializer | UnsafeDeserializationUntrustedInputGood.cs:10:16:10:17 | access to local variable sr |
+| XmlObjectSerializerUntrustedInputBad.cs:11:74:11:77 | access to parameter type : TextBox | XmlObjectSerializerUntrustedInputBad.cs:11:74:11:82 | access to property Text : String |
+| XmlObjectSerializerUntrustedInputBad.cs:11:74:11:82 | access to property Text : String | XmlObjectSerializerUntrustedInputBad.cs:13:16:13:17 | access to local variable ds |
+| XmlObjectSerializerUntrustedInputBad.cs:13:47:13:79 | call to method GetBytes : Byte[] | XmlObjectSerializerUntrustedInputBad.cs:13:30:13:80 | object creation of type MemoryStream |
+| XmlObjectSerializerUntrustedInputBad.cs:13:70:13:73 | access to parameter data : TextBox | XmlObjectSerializerUntrustedInputBad.cs:13:70:13:78 | access to property Text : String |
+| XmlObjectSerializerUntrustedInputBad.cs:13:70:13:78 | access to property Text : String | XmlObjectSerializerUntrustedInputBad.cs:13:47:13:79 | call to method GetBytes : Byte[] |
+| XmlObjectSerializerUntrustedInputGood.cs:12:34:12:92 | object creation of type DataContractSerializer : DataContractSerializer | XmlObjectSerializerUntrustedInputGood.cs:13:16:13:17 | access to local variable ds |
+| XmlObjectSerializerUntrustedInputGood.cs:13:47:13:79 | call to method GetBytes : Byte[] | XmlObjectSerializerUntrustedInputGood.cs:13:30:13:80 | object creation of type MemoryStream |
+| XmlObjectSerializerUntrustedInputGood.cs:13:70:13:73 | access to parameter data : TextBox | XmlObjectSerializerUntrustedInputGood.cs:13:70:13:78 | access to property Text : String |
+| XmlObjectSerializerUntrustedInputGood.cs:13:70:13:78 | access to property Text : String | XmlObjectSerializerUntrustedInputGood.cs:13:47:13:79 | call to method GetBytes : Byte[] |
+| XmlObjectSerializerUntrustedInputGood.cs:18:74:18:77 | access to parameter type : TextBox | XmlObjectSerializerUntrustedInputGood.cs:18:74:18:82 | access to property Text : String |
+| XmlObjectSerializerUntrustedInputGood.cs:18:74:18:82 | access to property Text : String | XmlObjectSerializerUntrustedInputGood.cs:20:16:20:17 | access to local variable ds |
+| XmlSerializerUntrustedInputBad.cs:11:49:11:52 | access to parameter type : TextBox | XmlSerializerUntrustedInputBad.cs:11:49:11:57 | access to property Text : String |
+| XmlSerializerUntrustedInputBad.cs:11:49:11:57 | access to property Text : String | XmlSerializerUntrustedInputBad.cs:13:16:13:17 | access to local variable ds |
+| XmlSerializerUntrustedInputBad.cs:13:48:13:80 | call to method GetBytes : Byte[] | XmlSerializerUntrustedInputBad.cs:13:31:13:81 | object creation of type MemoryStream |
+| XmlSerializerUntrustedInputBad.cs:13:71:13:74 | access to parameter data : TextBox | XmlSerializerUntrustedInputBad.cs:13:71:13:79 | access to property Text : String |
+| XmlSerializerUntrustedInputBad.cs:13:71:13:79 | access to property Text : String | XmlSerializerUntrustedInputBad.cs:13:48:13:80 | call to method GetBytes : Byte[] |
+| XmlSerializerUntrustedInputGood.cs:12:18:12:61 | object creation of type XmlSerializer : XmlSerializer | XmlSerializerUntrustedInputGood.cs:13:16:13:17 | access to local variable ds |
+| XmlSerializerUntrustedInputGood.cs:13:48:13:80 | call to method GetBytes : Byte[] | XmlSerializerUntrustedInputGood.cs:13:31:13:81 | object creation of type MemoryStream |
+| XmlSerializerUntrustedInputGood.cs:13:71:13:74 | access to parameter data : TextBox | XmlSerializerUntrustedInputGood.cs:13:71:13:79 | access to property Text : String |
+| XmlSerializerUntrustedInputGood.cs:13:71:13:79 | access to property Text : String | XmlSerializerUntrustedInputGood.cs:13:48:13:80 | call to method GetBytes : Byte[] |
+| XmlSerializerUntrustedInputGood.cs:18:49:18:52 | access to parameter type : TextBox | XmlSerializerUntrustedInputGood.cs:18:49:18:57 | access to property Text : String |
+| XmlSerializerUntrustedInputGood.cs:18:49:18:57 | access to property Text : String | XmlSerializerUntrustedInputGood.cs:20:16:20:17 | access to local variable ds |
 nodes
+| BinaryFormatterUntrustedInputBad.cs:10:18:10:38 | object creation of type BinaryFormatter : BinaryFormatter | semmle.label | object creation of type BinaryFormatter : BinaryFormatter |
+| BinaryFormatterUntrustedInputBad.cs:12:16:12:17 | access to local variable ds | semmle.label | access to local variable ds |
+| BinaryFormatterUntrustedInputBad.cs:12:31:12:84 | object creation of type MemoryStream | semmle.label | object creation of type MemoryStream |
+| BinaryFormatterUntrustedInputBad.cs:12:48:12:83 | call to method GetBytes : Byte[] | semmle.label | call to method GetBytes : Byte[] |
+| BinaryFormatterUntrustedInputBad.cs:12:71:12:77 | access to parameter textBox : TextBox | semmle.label | access to parameter textBox : TextBox |
+| BinaryFormatterUntrustedInputBad.cs:12:71:12:82 | access to property Text : String | semmle.label | access to property Text : String |
+| BinaryFormatterUntrustedInputGood.cs:9:18:9:38 | object creation of type BinaryFormatter : BinaryFormatter | semmle.label | object creation of type BinaryFormatter : BinaryFormatter |
+| BinaryFormatterUntrustedInputGood.cs:11:16:11:17 | access to local variable ds | semmle.label | access to local variable ds |
+| DataContractJsonSerializerUntrustedInputBad.cs:11:62:11:65 | access to parameter type : TextBox | semmle.label | access to parameter type : TextBox |
+| DataContractJsonSerializerUntrustedInputBad.cs:11:62:11:70 | access to property Text : String | semmle.label | access to property Text : String |
+| DataContractJsonSerializerUntrustedInputBad.cs:13:16:13:17 | access to local variable ds | semmle.label | access to local variable ds |
+| DataContractJsonSerializerUntrustedInputBad.cs:13:30:13:80 | object creation of type MemoryStream | semmle.label | object creation of type MemoryStream |
+| DataContractJsonSerializerUntrustedInputBad.cs:13:47:13:79 | call to method GetBytes : Byte[] | semmle.label | call to method GetBytes : Byte[] |
+| DataContractJsonSerializerUntrustedInputBad.cs:13:70:13:73 | access to parameter data : TextBox | semmle.label | access to parameter data : TextBox |
+| DataContractJsonSerializerUntrustedInputBad.cs:13:70:13:78 | access to property Text : String | semmle.label | access to property Text : String |
+| DataContractJsonSerializerUntrustedInputGood.cs:12:18:12:87 | object creation of type DataContractJsonSerializer : DataContractJsonSerializer | semmle.label | object creation of type DataContractJsonSerializer : DataContractJsonSerializer |
+| DataContractJsonSerializerUntrustedInputGood.cs:13:16:13:17 | access to local variable ds | semmle.label | access to local variable ds |
+| DataContractJsonSerializerUntrustedInputGood.cs:13:30:13:80 | object creation of type MemoryStream | semmle.label | object creation of type MemoryStream |
+| DataContractJsonSerializerUntrustedInputGood.cs:13:47:13:79 | call to method GetBytes : Byte[] | semmle.label | call to method GetBytes : Byte[] |
+| DataContractJsonSerializerUntrustedInputGood.cs:13:70:13:73 | access to parameter data : TextBox | semmle.label | access to parameter data : TextBox |
+| DataContractJsonSerializerUntrustedInputGood.cs:13:70:13:78 | access to property Text : String | semmle.label | access to property Text : String |
+| DataContractJsonSerializerUntrustedInputGood.cs:18:62:18:65 | access to parameter type : TextBox | semmle.label | access to parameter type : TextBox |
+| DataContractJsonSerializerUntrustedInputGood.cs:18:62:18:70 | access to property Text : String | semmle.label | access to property Text : String |
+| DataContractJsonSerializerUntrustedInputGood.cs:20:16:20:17 | access to local variable ds | semmle.label | access to local variable ds |
+| DataContractSerializerUntrustedInputBad.cs:11:58:11:61 | access to parameter type : TextBox | semmle.label | access to parameter type : TextBox |
+| DataContractSerializerUntrustedInputBad.cs:11:58:11:66 | access to property Text : String | semmle.label | access to property Text : String |
+| DataContractSerializerUntrustedInputBad.cs:13:16:13:17 | access to local variable ds | semmle.label | access to local variable ds |
+| DataContractSerializerUntrustedInputBad.cs:13:30:13:80 | object creation of type MemoryStream | semmle.label | object creation of type MemoryStream |
+| DataContractSerializerUntrustedInputBad.cs:13:47:13:79 | call to method GetBytes : Byte[] | semmle.label | call to method GetBytes : Byte[] |
+| DataContractSerializerUntrustedInputBad.cs:13:70:13:73 | access to parameter data : TextBox | semmle.label | access to parameter data : TextBox |
+| DataContractSerializerUntrustedInputBad.cs:13:70:13:78 | access to property Text : String | semmle.label | access to property Text : String |
+| DataContractSerializerUntrustedInputGood.cs:12:18:12:79 | object creation of type DataContractSerializer : DataContractSerializer | semmle.label | object creation of type DataContractSerializer : DataContractSerializer |
+| DataContractSerializerUntrustedInputGood.cs:13:16:13:17 | access to local variable ds | semmle.label | access to local variable ds |
+| DataContractSerializerUntrustedInputGood.cs:13:30:13:80 | object creation of type MemoryStream | semmle.label | object creation of type MemoryStream |
+| DataContractSerializerUntrustedInputGood.cs:13:47:13:79 | call to method GetBytes : Byte[] | semmle.label | call to method GetBytes : Byte[] |
+| DataContractSerializerUntrustedInputGood.cs:13:70:13:73 | access to parameter data : TextBox | semmle.label | access to parameter data : TextBox |
+| DataContractSerializerUntrustedInputGood.cs:13:70:13:78 | access to property Text : String | semmle.label | access to property Text : String |
+| DataContractSerializerUntrustedInputGood.cs:18:58:18:61 | access to parameter type : TextBox | semmle.label | access to parameter type : TextBox |
+| DataContractSerializerUntrustedInputGood.cs:18:58:18:66 | access to property Text : String | semmle.label | access to property Text : String |
+| DataContractSerializerUntrustedInputGood.cs:20:16:20:17 | access to local variable ds | semmle.label | access to local variable ds |
+| ResourceReaderUntrustedInputBad.cs:11:37:11:87 | object creation of type MemoryStream | semmle.label | object creation of type MemoryStream |
+| ResourceReaderUntrustedInputBad.cs:11:54:11:86 | call to method GetBytes : Byte[] | semmle.label | call to method GetBytes : Byte[] |
+| ResourceReaderUntrustedInputBad.cs:11:77:11:80 | access to parameter data : TextBox | semmle.label | access to parameter data : TextBox |
+| ResourceReaderUntrustedInputBad.cs:11:77:11:85 | access to property Text : String | semmle.label | access to property Text : String |
+| UnsafeDeserializationUntrustedInputBad.cs:8:35:8:84 | object creation of type JavaScriptSerializer : JavaScriptSerializer | semmle.label | object creation of type JavaScriptSerializer : JavaScriptSerializer |
+| UnsafeDeserializationUntrustedInputBad.cs:10:16:10:17 | access to local variable sr | semmle.label | access to local variable sr |
 | UnsafeDeserializationUntrustedInputBad.cs:10:37:10:43 | access to parameter textBox : TextBox | semmle.label | access to parameter textBox : TextBox |
 | UnsafeDeserializationUntrustedInputBad.cs:10:37:10:48 | access to property Text | semmle.label | access to property Text |
+| UnsafeDeserializationUntrustedInputGood.cs:8:35:8:84 | object creation of type JavaScriptSerializer : JavaScriptSerializer | semmle.label | object creation of type JavaScriptSerializer : JavaScriptSerializer |
+| UnsafeDeserializationUntrustedInputGood.cs:10:16:10:17 | access to local variable sr | semmle.label | access to local variable sr |
+| XmlObjectSerializerUntrustedInputBad.cs:11:74:11:77 | access to parameter type : TextBox | semmle.label | access to parameter type : TextBox |
+| XmlObjectSerializerUntrustedInputBad.cs:11:74:11:82 | access to property Text : String | semmle.label | access to property Text : String |
+| XmlObjectSerializerUntrustedInputBad.cs:13:16:13:17 | access to local variable ds | semmle.label | access to local variable ds |
+| XmlObjectSerializerUntrustedInputBad.cs:13:30:13:80 | object creation of type MemoryStream | semmle.label | object creation of type MemoryStream |
+| XmlObjectSerializerUntrustedInputBad.cs:13:47:13:79 | call to method GetBytes : Byte[] | semmle.label | call to method GetBytes : Byte[] |
+| XmlObjectSerializerUntrustedInputBad.cs:13:70:13:73 | access to parameter data : TextBox | semmle.label | access to parameter data : TextBox |
+| XmlObjectSerializerUntrustedInputBad.cs:13:70:13:78 | access to property Text : String | semmle.label | access to property Text : String |
+| XmlObjectSerializerUntrustedInputGood.cs:12:34:12:92 | object creation of type DataContractSerializer : DataContractSerializer | semmle.label | object creation of type DataContractSerializer : DataContractSerializer |
+| XmlObjectSerializerUntrustedInputGood.cs:13:16:13:17 | access to local variable ds | semmle.label | access to local variable ds |
+| XmlObjectSerializerUntrustedInputGood.cs:13:30:13:80 | object creation of type MemoryStream | semmle.label | object creation of type MemoryStream |
+| XmlObjectSerializerUntrustedInputGood.cs:13:47:13:79 | call to method GetBytes : Byte[] | semmle.label | call to method GetBytes : Byte[] |
+| XmlObjectSerializerUntrustedInputGood.cs:13:70:13:73 | access to parameter data : TextBox | semmle.label | access to parameter data : TextBox |
+| XmlObjectSerializerUntrustedInputGood.cs:13:70:13:78 | access to property Text : String | semmle.label | access to property Text : String |
+| XmlObjectSerializerUntrustedInputGood.cs:18:74:18:77 | access to parameter type : TextBox | semmle.label | access to parameter type : TextBox |
+| XmlObjectSerializerUntrustedInputGood.cs:18:74:18:82 | access to property Text : String | semmle.label | access to property Text : String |
+| XmlObjectSerializerUntrustedInputGood.cs:20:16:20:17 | access to local variable ds | semmle.label | access to local variable ds |
+| XmlSerializerUntrustedInputBad.cs:11:49:11:52 | access to parameter type : TextBox | semmle.label | access to parameter type : TextBox |
+| XmlSerializerUntrustedInputBad.cs:11:49:11:57 | access to property Text : String | semmle.label | access to property Text : String |
+| XmlSerializerUntrustedInputBad.cs:13:16:13:17 | access to local variable ds | semmle.label | access to local variable ds |
+| XmlSerializerUntrustedInputBad.cs:13:31:13:81 | object creation of type MemoryStream | semmle.label | object creation of type MemoryStream |
+| XmlSerializerUntrustedInputBad.cs:13:48:13:80 | call to method GetBytes : Byte[] | semmle.label | call to method GetBytes : Byte[] |
+| XmlSerializerUntrustedInputBad.cs:13:71:13:74 | access to parameter data : TextBox | semmle.label | access to parameter data : TextBox |
+| XmlSerializerUntrustedInputBad.cs:13:71:13:79 | access to property Text : String | semmle.label | access to property Text : String |
+| XmlSerializerUntrustedInputGood.cs:12:18:12:61 | object creation of type XmlSerializer : XmlSerializer | semmle.label | object creation of type XmlSerializer : XmlSerializer |
+| XmlSerializerUntrustedInputGood.cs:13:16:13:17 | access to local variable ds | semmle.label | access to local variable ds |
+| XmlSerializerUntrustedInputGood.cs:13:31:13:81 | object creation of type MemoryStream | semmle.label | object creation of type MemoryStream |
+| XmlSerializerUntrustedInputGood.cs:13:48:13:80 | call to method GetBytes : Byte[] | semmle.label | call to method GetBytes : Byte[] |
+| XmlSerializerUntrustedInputGood.cs:13:71:13:74 | access to parameter data : TextBox | semmle.label | access to parameter data : TextBox |
+| XmlSerializerUntrustedInputGood.cs:13:71:13:79 | access to property Text : String | semmle.label | access to property Text : String |
+| XmlSerializerUntrustedInputGood.cs:18:49:18:52 | access to parameter type : TextBox | semmle.label | access to parameter type : TextBox |
+| XmlSerializerUntrustedInputGood.cs:18:49:18:57 | access to property Text : String | semmle.label | access to property Text : String |
+| XmlSerializerUntrustedInputGood.cs:20:16:20:17 | access to local variable ds | semmle.label | access to local variable ds |
 #select
-| UnsafeDeserializationUntrustedInputBad.cs:10:37:10:48 | access to property Text | UnsafeDeserializationUntrustedInputBad.cs:10:37:10:43 | access to parameter textBox : TextBox | UnsafeDeserializationUntrustedInputBad.cs:10:37:10:48 | access to property Text | $@ flows to unsafe deserializer. | UnsafeDeserializationUntrustedInputBad.cs:10:37:10:43 | access to parameter textBox | User-provided data |
+| BinaryFormatterUntrustedInputBad.cs:12:31:12:84 | object creation of type MemoryStream | BinaryFormatterUntrustedInputBad.cs:12:71:12:77 | access to parameter textBox : TextBox | BinaryFormatterUntrustedInputBad.cs:12:31:12:84 | object creation of type MemoryStream | $@ flows to unsafe deserializer. | BinaryFormatterUntrustedInputBad.cs:12:71:12:77 | access to parameter textBox : TextBox | User-provided data |
+| DataContractJsonSerializerUntrustedInputBad.cs:13:30:13:80 | object creation of type MemoryStream | DataContractJsonSerializerUntrustedInputBad.cs:13:70:13:73 | access to parameter data : TextBox | DataContractJsonSerializerUntrustedInputBad.cs:13:30:13:80 | object creation of type MemoryStream | $@ flows to unsafe deserializer. | DataContractJsonSerializerUntrustedInputBad.cs:13:70:13:73 | access to parameter data : TextBox | User-provided data |
+| DataContractSerializerUntrustedInputBad.cs:13:30:13:80 | object creation of type MemoryStream | DataContractSerializerUntrustedInputBad.cs:13:70:13:73 | access to parameter data : TextBox | DataContractSerializerUntrustedInputBad.cs:13:30:13:80 | object creation of type MemoryStream | $@ flows to unsafe deserializer. | DataContractSerializerUntrustedInputBad.cs:13:70:13:73 | access to parameter data : TextBox | User-provided data |
+| ResourceReaderUntrustedInputBad.cs:11:37:11:87 | object creation of type MemoryStream | ResourceReaderUntrustedInputBad.cs:11:77:11:80 | access to parameter data : TextBox | ResourceReaderUntrustedInputBad.cs:11:37:11:87 | object creation of type MemoryStream | $@ flows to unsafe deserializer. | ResourceReaderUntrustedInputBad.cs:11:77:11:80 | access to parameter data : TextBox | User-provided data |
+| UnsafeDeserializationUntrustedInputBad.cs:10:37:10:48 | access to property Text | UnsafeDeserializationUntrustedInputBad.cs:10:37:10:43 | access to parameter textBox : TextBox | UnsafeDeserializationUntrustedInputBad.cs:10:37:10:48 | access to property Text | $@ flows to unsafe deserializer. | UnsafeDeserializationUntrustedInputBad.cs:10:37:10:43 | access to parameter textBox : TextBox | User-provided data |
+| XmlObjectSerializerUntrustedInputBad.cs:13:30:13:80 | object creation of type MemoryStream | XmlObjectSerializerUntrustedInputBad.cs:13:70:13:73 | access to parameter data : TextBox | XmlObjectSerializerUntrustedInputBad.cs:13:30:13:80 | object creation of type MemoryStream | $@ flows to unsafe deserializer. | XmlObjectSerializerUntrustedInputBad.cs:13:70:13:73 | access to parameter data : TextBox | User-provided data |
+| XmlSerializerUntrustedInputBad.cs:13:31:13:81 | object creation of type MemoryStream | XmlSerializerUntrustedInputBad.cs:13:71:13:74 | access to parameter data : TextBox | XmlSerializerUntrustedInputBad.cs:13:31:13:81 | object creation of type MemoryStream | $@ flows to unsafe deserializer. | XmlSerializerUntrustedInputBad.cs:13:71:13:74 | access to parameter data : TextBox | User-provided data |

csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/UnsafeDeserializationUntrustedInputGood.cs

@@ -5,8 +5,8 @@ class Good
 {
     public static object Deserialize(TextBox textBox)
     {
-        JavaScriptSerializer sr = new JavaScriptSerializer();
+        JavaScriptSerializer sr = new JavaScriptSerializer(new SimpleTypeResolver());
         // GOOD
-        return sr.DeserializeObject(textBox.Text);
+        return sr.DeserializeObject("hardcoded");
     }
 }

csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/XmlObjectSerializerUntrustedInputBad.cs

@@ -0,0 +1,15 @@
+using System.Web.UI.WebControls;
+using System.Runtime.Serialization;
+using System.IO;
+using System.Text;
+using System;
+
+class BadXmlObjectSerializer
+{
+    public static object Deserialize(TextBox type, TextBox data)
+    {
+        XmlObjectSerializer ds = new DataContractSerializer(Type.GetType(type.Text));
+        // BAD
+        return ds.ReadObject(new MemoryStream(Encoding.UTF8.GetBytes(data.Text)));
+    }
+}

csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/XmlObjectSerializerUntrustedInputGood.cs

@@ -0,0 +1,22 @@
+using System.Web.UI.WebControls;
+using System.Runtime.Serialization;
+using System.IO;
+using System.Text;
+using System;
+
+class GoodXmlObjectSerializer
+{
+    public static object Deserialize1(TextBox data)
+    {
+        // GOOD
+        XmlObjectSerializer ds = new DataContractSerializer(typeof(GoodXmlObjectSerializer));
+        return ds.ReadObject(new MemoryStream(Encoding.UTF8.GetBytes(data.Text)));
+    }
+
+    public static object Deserialize2(TextBox type)
+    {
+        XmlObjectSerializer ds = new DataContractSerializer(Type.GetType(type.Text));
+        // GOOD
+        return ds.ReadObject(new MemoryStream(Encoding.UTF8.GetBytes("hardcoded")));
+    }
+}

csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/XmlSerializerUntrustedInputBad.cs

@@ -0,0 +1,15 @@
+using System.Web.UI.WebControls;
+using System.Xml.Serialization;
+using System.IO;
+using System.Text;
+using System;
+
+class BadXmlSerializer
+{
+    public static object Deserialize(TextBox type, TextBox data)
+    {
+        var ds = new XmlSerializer(Type.GetType(type.Text));
+        // BAD
+        return ds.Deserialize(new MemoryStream(Encoding.UTF8.GetBytes(data.Text)));
+    }
+}

csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/XmlSerializerUntrustedInputGood.cs

@@ -0,0 +1,22 @@
+using System.Web.UI.WebControls;
+using System.Xml.Serialization;
+using System.IO;
+using System.Text;
+using System;
+
+class GoodXmlSerializer
+{
+    public static object Deserialize1(TextBox data)
+    {
+        // GOOD
+        var ds = new XmlSerializer(typeof(GoodXmlSerializer));
+        return ds.Deserialize(new MemoryStream(Encoding.UTF8.GetBytes(data.Text)));
+    }
+
+    public static object Deserialize2(TextBox type)
+    {
+        var ds = new XmlSerializer(Type.GetType(type.Text));
+        // GOOD
+        return ds.Deserialize(new MemoryStream(Encoding.UTF8.GetBytes("hardcoded")));
+    }
+}