YamlDotNet

2026-04-26 09:15:12 +02:00 · 2021-06-15 12:23:52 +03:00
parent 1e4409f9ed
commit f4cb6c50c0
2 changed files with 32 additions and 0 deletions
--- a/csharp/ql/src/semmle/code/csharp/security/dataflow/UnsafeDeserialization.qll
+++ b/csharp/ql/src/semmle/code/csharp/security/dataflow/UnsafeDeserialization.qll
@@ -812,4 +812,18 @@ module UnsafeDeserialization {
      )
    }
  }
+
+  /** YamlDotNet */
+  private class YamlDotNetDeserializerDeserializeMethodSink extends ConstructorOrStaticMethodSink {
+    YamlDotNetDeserializerDeserializeMethodSink() {
+      exists(MethodCall mc, Method m |
+        m = mc.getTarget() and
+        (
+          not mc.getArgument(0).hasValue() and
+          m instanceof YamlDotNetDeserializerClasseserializeMethod
+        ) and
+        this.asExpr() = mc.getArgument(0)
+      )
+    }
+  }
 }
--- a/csharp/ql/src/semmle/code/csharp/serialization/Deserializers.qll
+++ b/csharp/ql/src/semmle/code/csharp/serialization/Deserializers.qll
@@ -65,6 +65,8 @@ class WeakTypeDeserializer extends Class {
    this instanceof ServiceStackTextXmlSerializerClass
    or
    this instanceof SharpSerializerClass
+    or
+    this instanceof YamlDotNetDeserializerClass
  }
 }

@@ -639,3 +641,19 @@ class SharpSerializerClassDeserializeMethod extends Method, UnsafeDeserializer {
    this.hasName("Deserialize")
  }
 }
+
+/** YamlDotNet.Serialization.Deserializer */
+private class YamlDotNetDeserializerClass extends Class {
+  YamlDotNetDeserializerClass() { this.hasQualifiedName("YamlDotNet.Serialization.Deserializer") }
+}
+
+/** `YamlDotNet.Serialization.Deserializer.Deserialize` method */
+class YamlDotNetDeserializerClasseserializeMethod extends Method, UnsafeDeserializer {
+  YamlDotNetDeserializerClasseserializeMethod() {
+    exists(YamlDotNetDeserializerClass c |
+      this.getDeclaringType().getBaseClass*() = c and
+      this.hasName("Deserialize") and
+      c.getALocation().(Assembly).getVersion().getMajor() < 5
+    )
+  }
+}