Note that common standard library types can be vulnerable to gadget-chain attacks

Author: owen-mc

csharp/ql/src/Security Features/CWE-502/UnsafeDeserialization.qhelp

@@ -13,7 +13,9 @@ arbitrary classes. Serialization frameworks that use a schema to instantiate
 only expected, predefined types are generally not tracked by this query. Such
 frameworks are generally safe with respect to arbitrary-class-instantiation and
 gadget-chain attacks when the schema is trusted and does not permit
-user-controlled type resolution.
+user-controlled type resolution. However, care must be taken to ensure the schema
+strictly limits the allowed types. Permitting common standard library classes
+can still leave the application vulnerable to gadget-chain attacks.
 </p>
 
 </overview>

csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.qhelp

@@ -13,7 +13,9 @@ arbitrary classes. Serialization frameworks that use a schema to instantiate
 only expected, predefined types are generally not tracked by this query. Such
 frameworks are generally safe with respect to arbitrary-class-instantiation and
 gadget-chain attacks when the schema is trusted and does not permit
-user-controlled type resolution.
+user-controlled type resolution. However, care must be taken to ensure the schema
+strictly limits the allowed types. Permitting common standard library classes
+can still leave the application vulnerable to gadget-chain attacks.
 </p>
 
 </overview>

java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp

@@ -25,7 +25,9 @@ only expected, predefined types are generally not tracked by this query. For
 example, Apache Avro's deserialization methods follow a schema and are
 therefore generally safe with respect to arbitrary-class-instantiation and
 gadget-chain attacks when the schema is trusted and does not permit
-user-controlled type resolution.
+user-controlled type resolution. However, care must be taken to ensure the schema
+strictly limits the allowed types. Permitting common standard library classes
+can still leave the application vulnerable to gadget-chain attacks.
 </p>
 </overview>
 

python/ql/src/Security/CWE-502/UnsafeDeserialization.qhelp

@@ -22,7 +22,9 @@ arbitrary classes. Serialization frameworks that use a schema to instantiate
 only expected, predefined types are generally not tracked by this query. Such
 frameworks are generally safe with respect to arbitrary-class-instantiation and
 gadget-chain attacks when the schema is trusted and does not permit
-user-controlled type resolution.
+user-controlled type resolution. However, care must be taken to ensure the schema
+strictly limits the allowed types. Permitting common standard library classes
+can still leave the application vulnerable to gadget-chain attacks.
 </p>
 </overview>
 

ruby/ql/src/queries/security/cwe-502/UnsafeDeserialization.qhelp

@@ -13,7 +13,9 @@ arbitrary classes or objects. Serialization frameworks that use a schema to inst
 only expected, predefined types are generally not tracked by this query. Such
 frameworks are generally safe with respect to arbitrary-class-instantiation and
 gadget-chain attacks when the schema is trusted and does not permit
-user-controlled type resolution.
+user-controlled type resolution. However, care must be taken to ensure the schema
+strictly limits the allowed types. Permitting common standard library classes
+can still leave the application vulnerable to gadget-chain attacks.
 </p>
 </overview>