CodeQL library for C#
codeql/csharp-all 5.4.1 (changelog, source)
Index
Search

Module Deserializers

Provides a library of known unsafe deserializers. See https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf.

Import path

import semmle.code.csharp.serialization.Deserializers

Imports

JsonNET

Definitions relating to the Json.NET package.

csharp

The default C# QL library.

Classes

ActivityLoadMethod

System.Workflow.ComponentModel.Activity.Load method

BinaryFormatterDeserializeMethod

System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Deserialize method

BinaryFormatterUnsafeDeserializeMethod

System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.UnsafeDeserialize method

BinaryFormatterUnsafeDeserializeMethodResponseMethod

System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.UnsafeDeserializeMethodResponse method

BinaryMessageFormatterReadMethod

System.Messaging.BinaryMessageFormatter.Read method

CsPicklerSerializerClassDeserializeMethod

MBrace.FsPickler.CsPicklerSerializer.Deserialize method

CsPicklerSerializerClassUnPickleMethod

MBrace.FsPickler.CsPicklerSerializer.UnPickle method

CsPicklerSerializerClassUnPickleOfStringMethod

MBrace.FsPickler.CsPicklerTextSerializer.UnPickleOfString method

DataContractJsonSerializerClass

DataContractJsonSerializer

DataContractJsonSerializerReadObjectMethod

System.Runtime.Serialization.Json.DataContractJsonSerializer.ReadObject method

DataContractSerializerClass

DataContractSerializer

DataContractSerializerReadObjectMethod

System.Runtime.Serialization.DataContractSerializer.ReadObject method

FastJsonClassToObjectMethod

fastJSON.JSON.ToObject method

FsPicklerSerializerClassDeserializeMethod

MBrace.FsPickler.FsPicklerSerializer.Deserialize method

FsPicklerSerializerClassDeserializeSequenceMethod

MBrace.FsPickler.FsPicklerSerializer.DeserializeSequence method

FsPicklerSerializerClassDeserializeSequenceUntypedMethod

MBrace.FsPickler.FsPicklerSerializer.DeserializeSequenceUntyped method

FsPicklerSerializerClassDeserializeSiftedMethod

MBrace.FsPickler.FsPicklerSerializer.DeserializeSifted method

FsPicklerSerializerClassDeserializeUntypedMethod

MBrace.FsPickler.FsPicklerSerializer.DeserializeUntyped method

FsPicklerSerializerClassUnPickleMethod

MBrace.FsPickler.FsPicklerSerializer.UnPickle method

FsPicklerSerializerClassUnPickleSiftedMethod

MBrace.FsPickler.FsPicklerSerializer.UnPickleSifted method

FsPicklerSerializerClassUnPickleUntypedMethod

MBrace.FsPickler.FsPicklerSerializer.UnPickleUntyped method

JavaScriptSerializerClass

JavaScriptSerializer

JavaScriptSerializerClassDeserializeMethod

System.Web.Script.Serialization.JavaScriptSerializer.Deserialize method

JavaScriptSerializerClassDeserializeObjectMethod

System.Web.Script.Serialization.JavaScriptSerializer.DeserializeObject method

JaysonConverterToObjectMethod

Sweet.Jayson.JaysonConverter.ToObject method

LosFormatterDeserializeMethod

System.Web.UI.LosFormatter.Deserialize method

NetDataContractSerializerClass

NetDataContractSerializer

NetDataContractSerializerDeserializeMethod

System.Runtime.Serialization.NetDataContractSerializer.Deserialize method

NetDataContractSerializerReadObjectMethod

System.Runtime.Serialization.NetDataContractSerializer.ReadObject method

NewtonsoftJsonConvertClassDeserializeObjectMethod

Newtonsoft.Json.JsonConvert.DeserializeObject method

ObjectStateFormatterDeserializeMethod

System.Web.UI.ObjectStateFormatter.Deserialize method

ProxyObjectDecodeSerializedObjectMethod

Microsoft.Web.Design.Remote.ProxyObject.DecodeSerializedObject method

ProxyObjectDecodeValueMethod

Microsoft.Web.Design.Remote.ProxyObject.DecodeValue method

ResourceReaderConstructor

System.Resources.ResourceReader constructor

ServiceStackTextCsvSerializerDeserializeFromReaderMethod

ServiceStack.Text.TypeSeriCsvSerializeralizer.DeserializeFromReader method

ServiceStackTextCsvSerializerDeserializeFromStreamMethod

ServiceStack.Text.CsvSerializer.DeserializeFromStream method

ServiceStackTextCsvSerializerDeserializeFromStringMethod

ServiceStack.Text.CsvSerializer.DeserializeFromString method

ServiceStackTextJsonSerializerDeserializeFromReaderMethod

ServiceStack.Text.JsonSerializer.DeserializeFromReader method

ServiceStackTextJsonSerializerDeserializeFromStreamMethod

ServiceStack.Text.JsonSerializer.DeserializeFromStream method

ServiceStackTextJsonSerializerDeserializeFromStringMethod

ServiceStack.Text.JsonSerializer.DeserializeFromString method

ServiceStackTextTypeSerializerDeserializeFromReaderMethod

ServiceStack.Text.TypeSerializer.DeserializeFromReader method

ServiceStackTextTypeSerializerDeserializeFromStreamMethod

ServiceStack.Text.TypeSerializer.DeserializeFromStream method

ServiceStackTextTypeSerializerDeserializeFromStringMethod

ServiceStack.Text.TypeSerializer.DeserializeFromString method

ServiceStackTextXmlSerializerDeserializeFromReaderMethod

ServiceStack.Text.XmlSerializer.DeserializeFromReader method

ServiceStackTextXmlSerializerDeserializeFromStreamMethod

ServiceStack.Text.XmlSerializer.DeserializeFromStream method

ServiceStackTextXmlSerializerDeserializeFromStringMethod

ServiceStack.Text.XmlSerializer.DeserializeFromString method

SharpSerializerClassDeserializeMethod

Polenter.Serialization.SharpSerializer.Deserialize method

SoapFormatterDeserializeMethod

System.Runtime.Serialization.Formatters.Soap.SoapFormatter.Deserialize method

StrongTypeDeserializer

A deserializer exploitable only if user controls the expected object type.

UnsafeDeserializer

An unsafe deserializer.

WeakTypeDeserializer

A deserializer that doesn’t make strong expected type check.

XamlReaderLoadAsyncMethod

System.Windows.Markup.XamlReader.LoadAsync method

XamlReaderLoadMethod

System.Windows.Markup.XamlReader.Load method

XamlReaderParseMethod

System.Windows.Markup.XamlReader.Parse method

XmlMessageFormatterClass

XmlMessageFormatter

XmlMessageFormatterReadMethod

System.Messaging.XmlMessageFormatter.Read method

XmlObjectSerializerClass

XmlObjectSerializer

XmlObjectSerializerReadObjectMethod

System.Runtime.Serialization.XmlObjectSerializer.ReadObject method

XmlSerializerClass

XmlSerializer

XmlSerializerDeserializeMethod

System.Xml.Serialization.XmlSerializer.Deserialize method

YamlDotNetDeserializerClasseserializeMethod

YamlDotNet.Serialization.Deserializer.Deserialize method

Aliases

FsPicklerSerializerClasDeserializeSiftedMethod

DEPRECATED: Use FsPicklerSerializerClassDeserializeSiftedMethod instead.