Do not make such a strong security claim

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Owen Mansel-Chan
2026-05-07 10:58:35 +01:00
committed by GitHub
parent 427b73ec9d
commit f2ea3b98d8


@@ -21,10 +21,11 @@ Jackson, Jabsorb, Jodd JSON, Flexjson, Gson, JMS, and Java IO serialization thro
<p>
Note that a deserialization method is only dangerous if it can instantiate
arbitrary classes. Serialization frameworks that use a schema to instantiate
only expected, predefined types are generally safe and are not tracked by this
query. For example, Apache Avro's deserialization methods follow a schema and
therefore cannot instantiate arbitrary classes, making them safe to use even
with untrusted data.
only expected, predefined types are generally not tracked by this query. For
example, Apache Avro's deserialization methods follow a schema and are
therefore generally safe with respect to arbitrary-class-instantiation and
gadget-chain attacks when the schema is trusted and does not permit
user-controlled type resolution.
</p>
</overview>
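Review bot: in the rewritten paragraph the hedge has landed on the wrong clause. "Serialization frameworks that use a schema to instantiate only expected, predefined types are generally not tracked by this query" reads as if the query sometimes does track them, whereas the point of the commit is that they are not tracked because schema-driven instantiation is (generally) safe. Suggest stating the tracking behaviour without the hedge and attaching the qualifier to the safety claim instead, e.g. "are not tracked by this query, since they generally cannot instantiate arbitrary classes", and keeping the Avro sentence's "when the schema is trusted and does not permit user-controlled type resolution" as the explicit condition under which that holds.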