From 7aa3fd859a00db4714d3aa2d00d3f37a02603a63 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 7 May 2026 10:42:50 +0100 Subject: [PATCH 1/8] Remove double spaces from qhelp --- .../CWE/CWE-502/UnsafeDeserialization.qhelp | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp b/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp index bf7205d535ff..bf696b9e93cb 100644 --- a/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp +++ b/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp @@ -5,15 +5,15 @@

Deserializing untrusted data using any deserialization framework that allows the construction of arbitrary serializable objects is easily exploitable -and in many cases allows an attacker to execute arbitrary code. Even before a +and in many cases allows an attacker to execute arbitrary code. Even before a deserialized object is returned to the caller of a deserialization method a lot of code may have been executed, including static initializers, constructors, -and finalizers. Automatic deserialization of fields means that an attacker may +and finalizers. Automatic deserialization of fields means that an attacker may craft a nested combination of objects on which the executed initialization code may have unforeseen effects, such as the execution of arbitrary code.

-There are many different serialization frameworks. This query currently +There are many different serialization frameworks. This query currently supports Kryo, XmlDecoder, XStream, SnakeYaml, JYaml, JsonIO, YAMLBeans, HessianBurlap, Castor, Burlap, Jackson, Jabsorb, Jodd JSON, Flexjson, Gson, JMS, and Java IO serialization through ObjectInputStream/ObjectOutputStream. @@ -22,9 +22,9 @@ Jackson, Jabsorb, Jodd JSON, Flexjson, Gson, JMS, and Java IO serialization thro

-Avoid deserialization of untrusted data if at all possible. If the +Avoid deserialization of untrusted data if at all possible. If the architecture permits it then use other formats instead of serialized objects, -for example JSON or XML. However, these formats should not be deserialized +for example JSON or XML. However, these formats should not be deserialized into complex objects because this provides further opportunities for attack. For example, XML-based deserialization attacks are possible through libraries such as XStream and XmlDecoder. @@ -43,7 +43,7 @@ Recommendations specific to particular frameworks supported by this query:

  • Recommendation: Call com.alibaba.fastjson.parser.ParserConfig#setSafeMode with the argument true before deserializing untrusted data.

    • -

    FasterXML - com.fasterxml.jackson.core:jackson-databind

    +

    FasterXML - com.fasterxml.jackson.core:jackson-databind

    -

    ObjectInputStream - Java Standard Library

    +

    ObjectInputStream - Java Standard Library

    SnakeYAML - org.yaml:snakeyaml

    XML Decoder - Standard Java Library

    From 427b73ec9d0d0f963a601499a5ba351772862aab Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 7 May 2026 10:51:20 +0100 Subject: [PATCH 2/8] Clarify that deserialization that follows a schema is safe --- .../src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp b/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp index bf696b9e93cb..65848104ae3c 100644 --- a/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp +++ b/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp @@ -18,6 +18,14 @@ supports Kryo, XmlDecoder, XStream, SnakeYaml, JYaml, JsonIO, YAMLBeans, Hessian Jackson, Jabsorb, Jodd JSON, Flexjson, Gson, JMS, and Java IO serialization through ObjectInputStream/ObjectOutputStream.

    +

    +Note that a deserialization method is only dangerous if it can instantiate +arbitrary classes. Serialization frameworks that use a schema to instantiate +only expected, predefined types are generally safe and are not tracked by this +query. For example, Apache Avro's deserialization methods follow a schema and +therefore cannot instantiate arbitrary classes, making them safe to use even +with untrusted data. +

    From f2ea3b98d884a376a3b2c4e6f5a7c975a84b5bfb Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com> Date: Thu, 7 May 2026 10:58:35 +0100 Subject: [PATCH 3/8] Do not make such a strong security claim Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- .../src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp b/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp index 65848104ae3c..ff235670496c 100644 --- a/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp +++ b/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp @@ -21,10 +21,11 @@ Jackson, Jabsorb, Jodd JSON, Flexjson, Gson, JMS, and Java IO serialization thro

    Note that a deserialization method is only dangerous if it can instantiate arbitrary classes. Serialization frameworks that use a schema to instantiate -only expected, predefined types are generally safe and are not tracked by this -query. For example, Apache Avro's deserialization methods follow a schema and -therefore cannot instantiate arbitrary classes, making them safe to use even -with untrusted data. +only expected, predefined types are generally not tracked by this query. For +example, Apache Avro's deserialization methods follow a schema and are +therefore generally safe with respect to arbitrary-class-instantiation and +gadget-chain attacks when the schema is trusted and does not permit +user-controlled type resolution.

    From e2874ac252a8e74fc9531986a3c03cdbcaf1833e Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Fri, 8 May 2026 14:05:55 +0100 Subject: [PATCH 4/8] Python: Clarify that deserialization following a schema is safe --- .../ql/src/Security/CWE-502/UnsafeDeserialization.qhelp | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/python/ql/src/Security/CWE-502/UnsafeDeserialization.qhelp b/python/ql/src/Security/CWE-502/UnsafeDeserialization.qhelp index 2c5afee586b1..1c1535857fca 100644 --- a/python/ql/src/Security/CWE-502/UnsafeDeserialization.qhelp +++ b/python/ql/src/Security/CWE-502/UnsafeDeserialization.qhelp @@ -16,6 +16,14 @@ may have unforeseen effects, such as the execution of arbitrary code. There are many different serialization frameworks. This query currently supports Pickle, Marshal and Yaml.

    +

    +Note that a deserialization method is only dangerous if it can instantiate +arbitrary classes. Serialization frameworks that use a schema to instantiate +only expected, predefined types are generally not tracked by this query. Such +frameworks are generally safe with respect to arbitrary-class-instantiation and +gadget-chain attacks when the schema is trusted and does not permit +user-controlled type resolution. +

    From 4e47f7706dcea8509f6a870bbe889258c9baeb0a Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Fri, 8 May 2026 14:06:07 +0100 Subject: [PATCH 5/8] C#: Clarify that deserialization following a schema is safe --- .../CWE-502/UnsafeDeserialization.qhelp | 9 +++++++++ .../CWE-502/UnsafeDeserializationUntrustedInput.qhelp | 9 +++++++++ 2 files changed, 18 insertions(+) diff --git a/csharp/ql/src/Security Features/CWE-502/UnsafeDeserialization.qhelp b/csharp/ql/src/Security Features/CWE-502/UnsafeDeserialization.qhelp index 3c68b74a1d92..6daa28e2df78 100644 --- a/csharp/ql/src/Security Features/CWE-502/UnsafeDeserialization.qhelp +++ b/csharp/ql/src/Security Features/CWE-502/UnsafeDeserialization.qhelp @@ -7,6 +7,15 @@

    Deserializing an object from untrusted input may result in security problems, such as denial of service or remote code execution.

    +

    +Note that a deserialization method is only dangerous if it can instantiate +arbitrary classes. Serialization frameworks that use a schema to instantiate +only expected, predefined types are generally not tracked by this query. Such +frameworks are generally safe with respect to arbitrary-class-instantiation and +gadget-chain attacks when the schema is trusted and does not permit +user-controlled type resolution. +

    + diff --git a/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.qhelp b/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.qhelp index 7c8781b15a17..26297f9c6bd0 100644 --- a/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.qhelp +++ b/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.qhelp @@ -7,6 +7,15 @@

    Deserializing an object from untrusted input may result in security problems, such as denial of service or remote code execution.

    +

    +Note that a deserialization method is only dangerous if it can instantiate +arbitrary classes. Serialization frameworks that use a schema to instantiate +only expected, predefined types are generally not tracked by this query. Such +frameworks are generally safe with respect to arbitrary-class-instantiation and +gadget-chain attacks when the schema is trusted and does not permit +user-controlled type resolution. +

    + From ed9477aac93fb04a1cf989b96151721180cc214a Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Fri, 8 May 2026 14:06:16 +0100 Subject: [PATCH 6/8] Ruby: Clarify that deserialization following a schema is safe --- .../security/cwe-502/UnsafeDeserialization.qhelp | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/ruby/ql/src/queries/security/cwe-502/UnsafeDeserialization.qhelp b/ruby/ql/src/queries/security/cwe-502/UnsafeDeserialization.qhelp index b84c7dce0677..6c875f889941 100644 --- a/ruby/ql/src/queries/security/cwe-502/UnsafeDeserialization.qhelp +++ b/ruby/ql/src/queries/security/cwe-502/UnsafeDeserialization.qhelp @@ -7,6 +7,14 @@ Deserializing untrusted data using any method that allows the construction of arbitrary objects is easily exploitable and, in many cases, allows an attacker to execute arbitrary code.

    +

    +Note that a deserialization method is only dangerous if it can instantiate +arbitrary classes or objects. Serialization frameworks that use a schema to instantiate +only expected, predefined types are generally not tracked by this query. Such +frameworks are generally safe with respect to arbitrary-class-instantiation and +gadget-chain attacks when the schema is trusted and does not permit +user-controlled type resolution. +

    @@ -31,7 +39,7 @@ safely be used. If deserializing an untrusted XML document using the ox gem, do not use parse_obj and load using the non-default :object mode. Instead use the load method in the default mode or better explicitly set a safe -mode such as :hash. +mode such as :hash.

    From 93e05db394547c0e085baf6cfa299f4bbf9448d0 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Fri, 8 May 2026 14:06:48 +0100 Subject: [PATCH 7/8] Python: remove doubles spaces from qhelp --- .../ql/src/Security/CWE-502/UnsafeDeserialization.qhelp | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/python/ql/src/Security/CWE-502/UnsafeDeserialization.qhelp b/python/ql/src/Security/CWE-502/UnsafeDeserialization.qhelp index 1c1535857fca..08af6249f50a 100644 --- a/python/ql/src/Security/CWE-502/UnsafeDeserialization.qhelp +++ b/python/ql/src/Security/CWE-502/UnsafeDeserialization.qhelp @@ -5,15 +5,15 @@

    Deserializing untrusted data using any deserialization framework that allows the construction of arbitrary serializable objects is easily exploitable -and in many cases allows an attacker to execute arbitrary code. Even before a +and in many cases allows an attacker to execute arbitrary code. Even before a deserialized object is returned to the caller of a deserialization method a lot of code may have been executed, including static initializers, constructors, -and finalizers. Automatic deserialization of fields means that an attacker may +and finalizers. Automatic deserialization of fields means that an attacker may craft a nested combination of objects on which the executed initialization code may have unforeseen effects, such as the execution of arbitrary code.

    -There are many different serialization frameworks. This query currently +There are many different serialization frameworks. This query currently supports Pickle, Marshal and Yaml.

    @@ -28,7 +28,7 @@ user-controlled type resolution.

    -Avoid deserialization of untrusted data if at all possible. If the +Avoid deserialization of untrusted data if at all possible. If the architecture permits it then use other formats instead of serialized objects, for example JSON.

    From a5ef036465492bf99e947f41c5fd47d4b87a9d2c Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Fri, 8 May 2026 14:18:54 +0100 Subject: [PATCH 8/8] Note that common standard library types can be vulnerable to gadget-chain attacks --- .../src/Security Features/CWE-502/UnsafeDeserialization.qhelp | 4 +++- .../CWE-502/UnsafeDeserializationUntrustedInput.qhelp | 4 +++- java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp | 4 +++- python/ql/src/Security/CWE-502/UnsafeDeserialization.qhelp | 4 +++- .../src/queries/security/cwe-502/UnsafeDeserialization.qhelp | 4 +++- 5 files changed, 15 insertions(+), 5 deletions(-) diff --git a/csharp/ql/src/Security Features/CWE-502/UnsafeDeserialization.qhelp b/csharp/ql/src/Security Features/CWE-502/UnsafeDeserialization.qhelp index 6daa28e2df78..4cc76003fbf8 100644 --- a/csharp/ql/src/Security Features/CWE-502/UnsafeDeserialization.qhelp +++ b/csharp/ql/src/Security Features/CWE-502/UnsafeDeserialization.qhelp @@ -13,7 +13,9 @@ arbitrary classes. Serialization frameworks that use a schema to instantiate only expected, predefined types are generally not tracked by this query. Such frameworks are generally safe with respect to arbitrary-class-instantiation and gadget-chain attacks when the schema is trusted and does not permit -user-controlled type resolution. +user-controlled type resolution. However, care must be taken to ensure the schema +strictly limits the allowed types. Permitting common standard library classes +can still leave the application vulnerable to gadget-chain attacks.

    diff --git a/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.qhelp b/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.qhelp index 26297f9c6bd0..b2c123bed5c9 100644 --- a/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.qhelp +++ b/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.qhelp @@ -13,7 +13,9 @@ arbitrary classes. Serialization frameworks that use a schema to instantiate only expected, predefined types are generally not tracked by this query. Such frameworks are generally safe with respect to arbitrary-class-instantiation and gadget-chain attacks when the schema is trusted and does not permit -user-controlled type resolution. +user-controlled type resolution. However, care must be taken to ensure the schema +strictly limits the allowed types. Permitting common standard library classes +can still leave the application vulnerable to gadget-chain attacks.

    diff --git a/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp b/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp index ff235670496c..a6d2d9936a5f 100644 --- a/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp +++ b/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp @@ -25,7 +25,9 @@ only expected, predefined types are generally not tracked by this query. For example, Apache Avro's deserialization methods follow a schema and are therefore generally safe with respect to arbitrary-class-instantiation and gadget-chain attacks when the schema is trusted and does not permit -user-controlled type resolution. +user-controlled type resolution. However, care must be taken to ensure the schema +strictly limits the allowed types. Permitting common standard library classes +can still leave the application vulnerable to gadget-chain attacks.

    diff --git a/python/ql/src/Security/CWE-502/UnsafeDeserialization.qhelp b/python/ql/src/Security/CWE-502/UnsafeDeserialization.qhelp index 08af6249f50a..dea8a8794bb8 100644 --- a/python/ql/src/Security/CWE-502/UnsafeDeserialization.qhelp +++ b/python/ql/src/Security/CWE-502/UnsafeDeserialization.qhelp @@ -22,7 +22,9 @@ arbitrary classes. Serialization frameworks that use a schema to instantiate only expected, predefined types are generally not tracked by this query. Such frameworks are generally safe with respect to arbitrary-class-instantiation and gadget-chain attacks when the schema is trusted and does not permit -user-controlled type resolution. +user-controlled type resolution. However, care must be taken to ensure the schema +strictly limits the allowed types. Permitting common standard library classes +can still leave the application vulnerable to gadget-chain attacks.

    diff --git a/ruby/ql/src/queries/security/cwe-502/UnsafeDeserialization.qhelp b/ruby/ql/src/queries/security/cwe-502/UnsafeDeserialization.qhelp index 6c875f889941..001f7ef1448c 100644 --- a/ruby/ql/src/queries/security/cwe-502/UnsafeDeserialization.qhelp +++ b/ruby/ql/src/queries/security/cwe-502/UnsafeDeserialization.qhelp @@ -13,7 +13,9 @@ arbitrary classes or objects. Serialization frameworks that use a schema to inst only expected, predefined types are generally not tracked by this query. Such frameworks are generally safe with respect to arbitrary-class-instantiation and gadget-chain attacks when the schema is trusted and does not permit -user-controlled type resolution. +user-controlled type resolution. However, care must be taken to ensure the schema +strictly limits the allowed types. Permitting common standard library classes +can still leave the application vulnerable to gadget-chain attacks.