From ed9477aac93fb04a1cf989b96151721180cc214a Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Fri, 8 May 2026 14:06:16 +0100
Subject: [PATCH] Ruby: Clarify that deserialization following a schema is safe
---
.../security/cwe-502/UnsafeDeserialization.qhelp | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/ruby/ql/src/queries/security/cwe-502/UnsafeDeserialization.qhelp b/ruby/ql/src/queries/security/cwe-502/UnsafeDeserialization.qhelp
index b84c7dce067..6c875f88994 100644
--- a/ruby/ql/src/queries/security/cwe-502/UnsafeDeserialization.qhelp
+++ b/ruby/ql/src/queries/security/cwe-502/UnsafeDeserialization.qhelp
@@ -7,6 +7,14 @@ Deserializing untrusted data using any method that allows the construction of
arbitrary objects is easily exploitable and, in many cases, allows an attacker
to execute arbitrary code.
+
+Note that a deserialization method is only dangerous if it can instantiate
+arbitrary classes or objects. Serialization frameworks that use a schema to instantiate
+only expected, predefined types are generally not tracked by this query. Such
+frameworks are generally safe with respect to arbitrary-class-instantiation and
+gadget-chain attacks when the schema is trusted and does not permit
+user-controlled type resolution.
+
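Review bot: The new note is inserted as bare text between two blank `+` lines, and the visible hunk shows no `<p>` element around it; qhelp is XML, so a blank line does not start a paragraph and the note may render as a continuation of the existing "Deserializing untrusted data ..." paragraph. Wrap the eight added lines in their own `<p>...</p>` (matching how the rest of the file structures paragraphs) so the caveat stands apart from the main warning. While here, the two consecutive sentences both hedge with "generally" ("are generally not tracked by this query", "are generally safe"); the second one already carries its precise condition ("when the schema is trusted and does not permit user-controlled type resolution"), so "generally" can be dropped there, and "arbitrary-class-instantiation" reads better unhyphenated as "arbitrary class instantiation".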
@@ -31,7 +39,7 @@ safely be used.
If deserializing an untrusted XML document using the ox gem,
do not use parse_obj and load using the non-default :object mode.
Instead use the load method in the default mode or better explicitly set a safe
-mode such as :hash.
+mode such as :hash.
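Review bot: The `-`/`+` pair in this hunk is textually identical ("mode such as :hash."), so the only difference can be trailing whitespace or line-ending characters; the diffstat's single deletion confirms this is the one removed line. If it is an intentional trailing-whitespace cleanup, mention it in the commit message (the subject only describes the schema clarification), otherwise drop it from this patch so the change stays a pure documentation edit.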