From c39e5a7d9709f59c3fdbb5e69ae189dd06f9f054 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 10 Jul 2025 16:54:00 +0100 Subject: [PATCH 1/2] Update qhelp: SnakeYaml is safe from version 2.0 --- java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp b/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp index 087a873dfc77..8d76255fc733 100644 --- a/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp +++ b/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp @@ -64,8 +64,8 @@ Recommendations specific to particular frameworks supported by this query:

SnakeYAML - org.yaml:snakeyaml

XML Decoder - Standard Java Library
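Review bot: the visible part of this hunk shows only the two framework headings ("SnakeYAML - org.yaml:snakeyaml" and "XML Decoder - Standard Java Library"), not the rewritten recommendation text itself, so the claim in the subject line that SnakeYaml is safe from version 2.0 cannot be checked against the diff. Please make sure the SnakeYAML recommendation names the version boundary explicitly (2.0 and later) and keeps the existing guidance for projects still on a 1.x release, since the query's recommendations section is what users on those versions will read.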

From 9ef22fff8ead1738b78e820ba7313884dd38e6d0 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Tue, 15 Jul 2025 15:27:01 +0100 Subject: [PATCH 2/2] Update SnakeYaml reference to note that it is outdated --- java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp b/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp index 8d76255fc733..bf7205d535ff 100644 --- a/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp +++ b/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp @@ -121,7 +121,7 @@ Alvaro Muñoz & Christian Schneider, RSAConference 2016:
  • SnakeYaml documentation on deserialization: -SnakeYaml deserialization. +SnakeYaml deserialization (not updated for new behaviour in version 2.0).
  • Hessian deserialization and related gadget chains:
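Review bot: the parenthetical "(not updated for new behaviour in version 2.0)" is appended to the link text "SnakeYaml deserialization", so it reads as a property of this qhelp rather than of the referenced page; consider moving it outside the link text, e.g. "SnakeYaml deserialization (the referenced page predates version 2.0 and does not describe its changed default behaviour)". If a current SnakeYAML reference for the 2.0 behaviour exists, linking it alongside the outdated one would be more useful than only flagging the old one as stale.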