For other CodeQL resources, including tutorials and examples, see the CodeQL documentation

UnsafeDeserializationQuery

Module UnsafeDeserializationQuery

Provides a taint-tracking configuration for reasoning about uncontrolled data in calls to unsafe deserializers (XML, JSON, XAML).


                                import semmle.code.csharp.security.dataflow.UnsafeDeserializationQuery

The default C# QL library.

JsonConvertTrackingConfig	DEPRECATED: Use `JsonConvertTracking` instead.
Sanitizer	A sanitizer for unsafe deserialization vulnerabilities.
Sink	A data flow sink for unsafe deserialization vulnerabilities.
Source	A data flow source for unsafe deserialization vulnerabilities.
TaintToConstructorOrStaticMethodTrackingConfig	DEPRECATED: Use `TaintToConstructorOrStaticMethodTracking` instead.
TaintToObjectMethodTrackingConfig	DEPRECATED: Use `TaintToObjectMethodTracking` instead.
TaintToObjectTypeTrackingConfig	DEPRECATED: Use `TaintToObjectTypeTracking` instead.
TypeNameTrackingConfig	DEPRECATED: Use `TypeNameTracking` instead.
WeakTypeCreationToUsageTrackingConfig	DEPRECATED: Use `WeakTypeCreationToUsageTracking` instead.

JsonConvertTracking	User input to `JsonConvert` call deserialization flow tracking module.
TaintToConstructorOrStaticMethodTracking	User input to static method or constructor call deserialization flow tracking module.
TaintToObjectMethodTracking	User input to object method call deserialization flow tracking module.
TaintToObjectTypeTracking	User input to instance type flow tracking module.
TypeNameTracking	Configuration module for tracking unsafe `TypeNameHandling` setting to `JsonConvert` calls.
WeakTypeCreationToUsageTracking	Unsafe deserializer creation to usage tracking module.