Open jessehouwing opened 7 years ago
If you could put together a comprehensive list of deserializers that you know about it shouldn't be hard to add these in.
It's not the deserializers themselves that are necessarily unsafe. It's how they're used. E.g. when supplying the expected type, things become safer than when you're deserializing into an arbitrary object.
On 23 Jan 2018 09:37, "Berkeley Churchill" notifications@github.com wrote:

> If you could put together a comprehensive list of deserializers that you know about it shouldn't be hard to add these in.

— You are receiving this because you authored the thread. View it on GitHub: https://github.com/dotnet-security-guard/roslyn-security-guard/issues/86#issuecomment-359716954
This article/preso lists a number of attack vectors against JSON serializers. It would be nice if these were detected:
https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf
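The distinction drawn above (a fixed expected type versus deserializing into an arbitrary object) and the Json.NET `TypeNameHandling` vector covered in the linked paper, as an added C# example. This is not code from the issue or from roslyn-security-guard; it assumes the Newtonsoft.Json package, and `UserProfile`, `AuditRecord`, `AllowListBinder` and the JSON payload are hypothetical, constructed for the demonstration.

```csharp
// Added example, not from the issue or the roslyn-security-guard project.
// Assumes Newtonsoft.Json; UserProfile, AuditRecord and AllowListBinder are
// hypothetical application types, and the payload is constructed for the demo.
using System;
using System.Collections.Generic;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

public class UserProfile { public string Name { get; set; } }

// A type the endpoint never intended to build from client input. Its
// constructor side effect stands in for what real gadget types turn into
// code execution when instantiated by the deserializer.
public class AuditRecord
{
    public string Target { get; set; }
    public AuditRecord() { Console.WriteLine("AuditRecord constructed from untrusted input"); }
}

// Binder that only resolves $type names to types the application expects.
public class AllowListBinder : ISerializationBinder
{
    private static readonly Dictionary<string, Type> Allowed = new Dictionary<string, Type>
    {
        { typeof(UserProfile).FullName, typeof(UserProfile) },
    };

    public Type BindToType(string assemblyName, string typeName)
    {
        if (Allowed.TryGetValue(typeName, out var t)) return t;
        throw new JsonSerializationException("Type not permitted: " + typeName);
    }

    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        assemblyName = null;
        typeName = serializedType.FullName;
    }
}

public static class Demo
{
    // Constructed attacker input. The $type discriminator names a type of the
    // attacker's choosing; a real attacker sends this string literally, it is
    // built from reflection here only so the demo resolves in any assembly name.
    static readonly string Payload =
        "{\"$type\":\"" + typeof(AuditRecord).FullName + ", " +
        typeof(AuditRecord).Assembly.GetName().Name + "\",\"Target\":\"x\"}";

    // The pattern an analyzer should flag: TypeNameHandling enabled and the
    // target is object, so the input decides which type gets instantiated.
    public static object Unsafe()
    {
        var settings = new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.All };
        return JsonConvert.DeserializeObject<object>(Payload, settings);
    }

    // Safer: the expected type is fixed in code and $type is skipped
    // (TypeNameHandling.None is Json.NET's default, stated explicitly here).
    public static UserProfile SafeTyped()
    {
        var settings = new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.None };
        return JsonConvert.DeserializeObject<UserProfile>(Payload, settings);
    }

    // When polymorphic deserialization is genuinely required, pair it with an
    // allow-list binder so $type can only resolve to known types; anything
    // else surfaces as a JsonSerializationException instead of an instance.
    public static object SafeBound()
    {
        var settings = new JsonSerializerSettings
        {
            TypeNameHandling = TypeNameHandling.Objects,
            SerializationBinder = new AllowListBinder(),
        };
        return JsonConvert.DeserializeObject<object>(Payload, settings);
    }

    public static void Main()
    {
        Console.WriteLine(Unsafe().GetType().Name);    // AuditRecord: the input chose the type
        Console.WriteLine(SafeTyped().GetType().Name); // UserProfile: the code chose the type
        try { SafeBound(); }
        catch (JsonSerializationException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

For a detection rule, the signal is the combination rather than the API call alone: `TypeNameHandling` set to anything other than `None` on a `JsonSerializerSettings` (or via `[JsonProperty(TypeNameHandling = ...)]`) together with a deserialization target of `object`, `dynamic` or an interface and no custom `SerializationBinder`. Typed deserialization with `TypeNameHandling.None` is the case the first comment calls safer.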