security-code-scan / security-code-scan

Vulnerability Patterns Detector for C# and VB.NET
https://security-code-scan.github.io
GNU Lesser General Public License v3.0

Warnings on deserialization where only one argument of two is tainted #44

Open JarLob opened 6 years ago

JarLob commented 6 years ago

For some deserializers like XmlSerializer and DataContractSerializer both type and serialized data have to be tainted to make it exploitable. Currently it gives false positives if only one is:

// The target type is hard-coded; only the serialized input is tainted.
var deserializer = new XmlSerializer(typeof(MyType));
var my = deserializer.Deserialize(input) as MyType;

It doesn't mean that MyType cannot be used as a gadget; the class should be investigated further.

JarLob commented 6 years ago

Also consider the example:

// T is fixed by the caller at compile time; typeof(T) is not tainted by the input.
public T Deserialize<T>(string xmlString)
{
    var serializer = new XmlSerializer(typeof(T));
    StringReader reader = new StringReader(xmlString);
    return (T) serializer.Deserialize(reader);
}

It is tricky to call the function with non-hardcoded T, but can be done with reflection. Thus typeof(T) could be considered unsafe in Audit Mode only.
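An added example (not code from the issue or from Security Code Scan itself) that puts the three situations raised in both comments side by side: a hard-coded type with a tainted payload, a tainted type together with a tainted payload, and the generic helper closed over a run-time type through reflection. The `Person` class, the `TaintExamples` class, and the `untrustedTypeName` parameter are hypothetical names chosen for the illustration; the XML payload is constructed.

```csharp
using System;
using System.IO;
using System.Reflection;
using System.Xml.Serialization;

// Hypothetical data type standing in for the issue's MyType.
public class Person
{
    public string Name { get; set; }
}

public static class TaintExamples
{
    // Case 1 (first comment): the type is hard-coded and only the XML payload
    // is attacker-controlled. XmlSerializer can only produce a Person here, so
    // taint on untrustedXml alone is the false-positive situation the issue describes.
    public static Person DeserializeFixedType(string untrustedXml)
    {
        var serializer = new XmlSerializer(typeof(Person));
        using (var reader = new StringReader(untrustedXml))
        {
            return (Person)serializer.Deserialize(reader);
        }
    }

    // Case 2: both arguments are tainted. The caller picks the type name and the
    // payload, which is the combination the issue says is needed for exploitation.
    public static object DeserializeAttackerChosenType(string untrustedTypeName, string untrustedXml)
    {
        Type type = Type.GetType(untrustedTypeName, throwOnError: true);
        var serializer = new XmlSerializer(type);
        using (var reader = new StringReader(untrustedXml))
        {
            return serializer.Deserialize(reader);
        }
    }

    // Case 3 (second comment): generic helper with typeof(T). At an ordinary
    // call site T is fixed at compile time, so this behaves like case 1...
    public static T Deserialize<T>(string xmlString)
    {
        var serializer = new XmlSerializer(typeof(T));
        using (var reader = new StringReader(xmlString))
        {
            return (T)serializer.Deserialize(reader);
        }
    }

    // ...but reflection can close the generic over a type chosen at run time,
    // which makes typeof(T) effectively a tainted argument again. This is the
    // path the issue suggests flagging in Audit Mode only.
    public static object DeserializeViaReflection(string untrustedTypeName, string untrustedXml)
    {
        Type type = Type.GetType(untrustedTypeName, throwOnError: true);
        MethodInfo open = typeof(TaintExamples).GetMethod(nameof(Deserialize));
        MethodInfo closed = open.MakeGenericMethod(type);
        return closed.Invoke(null, new object[] { untrustedXml });
    }

    public static void Main()
    {
        // Constructed sample payload; harmless on its own.
        const string xml = "<Person><Name>Alice</Name></Person>";

        Person p = DeserializeFixedType(xml);
        Console.WriteLine(p.Name);

        // Fixed T at the call site: still the safe shape.
        Person q = Deserialize<Person>(xml);
        Console.WriteLine(q.Name);

        // Same payload, but the type name now arrives as a string. Here it is
        // benign; an attacker controlling this string could name any loadable type.
        object r = DeserializeViaReflection(typeof(Person).AssemblyQualifiedName, xml);
        Console.WriteLine(((Person)r).Name);
    }
}
```

Reading the three methods through the analyzer's eyes: `DeserializeFixedType` has one tainted argument and should stay quiet by default, `DeserializeAttackerChosenType` has both and should always warn, and `DeserializeViaReflection` is the case where the taint on the type only becomes visible if the analyzer is willing to treat `typeof(T)` as suspect, which is what Audit Mode is for.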