add comments

edvraa · edvraa · commit 18a3e4d45b23 · 2021-04-27T22:10:04.000+03:00
diff --git a/csharp/ql/src/semmle/code/csharp/security/dataflow/UnsafeDeserialization.qll b/csharp/ql/src/semmle/code/csharp/security/dataflow/UnsafeDeserialization.qll
@@ -47,11 +47,11 @@ module UnsafeDeserialization {
    */
   abstract class Sanitizer extends DataFlow::Node { }
 
-  class RemoteSource extends Source {
+  private class RemoteSource extends Source {
     RemoteSource() { this instanceof RemoteFlowSource }
   }
 
-  class LocalSource extends Source {
+  private class LocalSource extends Source {
     LocalSource() { this instanceof LocalFlowSource }
   }
 
diff --git a/csharp/ql/src/semmle/code/csharp/serialization/Deserializers.qll b/csharp/ql/src/semmle/code/csharp/serialization/Deserializers.qll
@@ -81,20 +81,23 @@ private class BinaryFormatterClass extends Class {
   }
 }
 
+/** `System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Deserialize` method */
 class BinaryFormatterDeserializeMethod extends Method, UnsafeDeserializer {
   BinaryFormatterDeserializeMethod() {
     this.getDeclaringType() instanceof BinaryFormatterClass and
     this.hasName("Deserialize")
   }
 }
 
+/** `System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.UnsafeDeserialize` method */
 class BinaryFormatterUnsafeDeserializeMethod extends Method, UnsafeDeserializer {
   BinaryFormatterUnsafeDeserializeMethod() {
     this.getDeclaringType() instanceof BinaryFormatterClass and
     this.hasName("UnsafeDeserialize")
   }
 }
 
+/** `System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.UnsafeDeserializeMethodResponse` method */
 class BinaryFormatterUnsafeDeserializeMethodResponseMethod extends Method, UnsafeDeserializer {
   BinaryFormatterUnsafeDeserializeMethodResponseMethod() {
     this.getDeclaringType() instanceof BinaryFormatterClass and
@@ -109,6 +112,7 @@ private class SoapFormatterClass extends Class {
   }
 }
 
+/** `System.Runtime.Serialization.Formatters.Soap.SoapFormatter.Deserialize` method */
 class SoapFormatterDeserializeMethod extends Method, UnsafeDeserializer {
   SoapFormatterDeserializeMethod() {
     this.getDeclaringType() instanceof SoapFormatterClass and
@@ -121,6 +125,7 @@ private class ObjectStateFormatterClass extends Class {
   ObjectStateFormatterClass() { this.hasQualifiedName("System.Web.UI.ObjectStateFormatter") }
 }
 
+/** `System.Web.UI.ObjectStateFormatter.Deserialize` method */
 class ObjectStateFormatterDeserializeMethod extends Method, UnsafeDeserializer {
   ObjectStateFormatterDeserializeMethod() {
     this.getDeclaringType() instanceof ObjectStateFormatterClass and
@@ -135,13 +140,15 @@ class NetDataContractSerializerClass extends Class {
   }
 }
 
+/** `System.Runtime.Serialization.NetDataContractSerializer.Deserialize` method */
 class NetDataContractSerializerDeserializeMethod extends Method, UnsafeDeserializer {
   NetDataContractSerializerDeserializeMethod() {
     this.getDeclaringType() instanceof NetDataContractSerializerClass and
     this.hasName("Deserialize")
   }
 }
 
+/** `System.Runtime.Serialization.NetDataContractSerializer.ReadObject` method */
 class NetDataContractSerializerReadObjectMethod extends Method, UnsafeDeserializer {
   NetDataContractSerializerReadObjectMethod() {
     this.getDeclaringType() instanceof NetDataContractSerializerClass and
@@ -156,6 +163,7 @@ class DataContractJsonSerializerClass extends Class {
   }
 }
 
+/** `System.Runtime.Serialization.Json.DataContractJsonSerializer.ReadObject` method */
 class DataContractJsonSerializerReadObjectMethod extends Method, UnsafeDeserializer {
   DataContractJsonSerializerReadObjectMethod() {
     this.getDeclaringType() instanceof DataContractJsonSerializerClass and
@@ -170,13 +178,15 @@ class JavaScriptSerializerClass extends Class {
   }
 }
 
+/** `System.Web.Script.Serialization.JavaScriptSerializer.Deserialize` method */
 class JavaScriptSerializerClassDeserializeMethod extends Method, UnsafeDeserializer {
   JavaScriptSerializerClassDeserializeMethod() {
     this.getDeclaringType() instanceof JavaScriptSerializerClass and
     this.hasName("Deserialize")
   }
 }
 
+/** `System.Web.Script.Serialization.JavaScriptSerializer.DeserializeObject` method */
 class JavaScriptSerializerClassDeserializeObjectMethod extends Method, UnsafeDeserializer {
   JavaScriptSerializerClassDeserializeObjectMethod() {
     this.getDeclaringType() instanceof JavaScriptSerializerClass and
@@ -191,6 +201,7 @@ class XmlObjectSerializerClass extends Class {
   }
 }
 
+/** `System.Runtime.Serialization.XmlObjectSerializer.ReadObject` method */
 class XmlObjectSerializerReadObjectMethod extends Method, UnsafeDeserializer {
   XmlObjectSerializerReadObjectMethod() {
     this.getDeclaringType() instanceof XmlObjectSerializerClass and
@@ -203,6 +214,7 @@ class XmlSerializerClass extends Class {
   XmlSerializerClass() { this.hasQualifiedName("System.Xml.Serialization.XmlSerializer") }
 }
 
+/** `System.Xml.Serialization.XmlSerializer.Deserialize` method */
 class XmlSerializerDeserializeMethod extends Method, UnsafeDeserializer {
   XmlSerializerDeserializeMethod() {
     this.getDeclaringType() instanceof XmlSerializerClass and
@@ -217,6 +229,7 @@ class DataContractSerializerClass extends Class {
   }
 }
 
+/** `System.Runtime.Serialization.DataContractSerializer.ReadObject` method */
 class DataContractSerializerReadObjectMethod extends Method, UnsafeDeserializer {
   DataContractSerializerReadObjectMethod() {
     this.getDeclaringType() instanceof DataContractSerializerClass and
@@ -229,6 +242,7 @@ class XmlMessageFormatterClass extends Class {
   XmlMessageFormatterClass() { this.hasQualifiedName("System.Messaging.XmlMessageFormatter") }
 }
 
+/** `System.Messaging.XmlMessageFormatter.Read` method */
 class XmlMessageFormatterReadMethod extends Method, UnsafeDeserializer {
   XmlMessageFormatterReadMethod() {
     this.getDeclaringType() instanceof XmlMessageFormatterClass and
@@ -241,6 +255,7 @@ private class LosFormatterClass extends Class {
   LosFormatterClass() { this.hasQualifiedName("System.Web.UI.LosFormatter") }
 }
 
+/** `System.Web.UI.LosFormatter.Deserialize` method */
 class LosFormatterDeserializeMethod extends Method, UnsafeDeserializer {
   LosFormatterDeserializeMethod() {
     this.getDeclaringType() instanceof LosFormatterClass and
@@ -253,6 +268,7 @@ private class FastJsonClass extends Class {
   FastJsonClass() { this.hasQualifiedName("fastJSON.JSON") }
 }
 
+/** `fastJSON.JSON.ToObject` method */
 class FastJsonClassToObjectMethod extends Method, UnsafeDeserializer {
   FastJsonClassToObjectMethod() {
     this.getDeclaringType() instanceof FastJsonClass and
@@ -266,6 +282,7 @@ private class ActivityClass extends Class {
   ActivityClass() { this.hasQualifiedName("System.Workflow.ComponentModel.Activity") }
 }
 
+/** `System.Workflow.ComponentModel.Activity.Load` method */
 class ActivityLoadMethod extends Method, UnsafeDeserializer {
   ActivityLoadMethod() {
     this.getDeclaringType() instanceof ActivityClass and
@@ -278,6 +295,7 @@ private class ResourceReaderClass extends Class {
   ResourceReaderClass() { this.hasQualifiedName("System.Resources.ResourceReader") }
 }
 
+/** `System.Resources.ResourceReader` constructor */
 class ResourceReaderConstructor extends Constructor, UnsafeDeserializer {
   ResourceReaderConstructor() {
     this.getDeclaringType() instanceof ResourceReaderClass and
@@ -290,6 +308,7 @@ private class BinaryMessageFormatterClass extends Class {
   BinaryMessageFormatterClass() { this.hasQualifiedName("System.Messaging.BinaryMessageFormatter") }
 }
 
+/** `System.Messaging.BinaryMessageFormatter.Read` method */
 class BinaryMessageFormatterReadMethod extends Method, UnsafeDeserializer {
   BinaryMessageFormatterReadMethod() {
     this.getDeclaringType() instanceof BinaryMessageFormatterClass and
@@ -302,6 +321,7 @@ private class XamlReaderClass extends Class {
   XamlReaderClass() { this.hasQualifiedName("System.Windows.Markup.XamlReader") }
 }
 
+/** `System.Windows.Markup.XamlReader.Parse` method */
 class XamlReaderParseMethod extends Method, UnsafeDeserializer {
   XamlReaderParseMethod() {
     this.getDeclaringType() instanceof XamlReaderClass and
@@ -310,6 +330,7 @@ class XamlReaderParseMethod extends Method, UnsafeDeserializer {
   }
 }
 
+/** `System.Windows.Markup.XamlReader.Load` method */
 class XamlReaderLoadMethod extends Method, UnsafeDeserializer {
   XamlReaderLoadMethod() {
     this.getDeclaringType() instanceof XamlReaderClass and
@@ -318,6 +339,7 @@ class XamlReaderLoadMethod extends Method, UnsafeDeserializer {
   }
 }
 
+/** `System.Windows.Markup.XamlReader.LoadAsync` method */
 class XamlReaderLoadAsyncMethod extends Method, UnsafeDeserializer {
   XamlReaderLoadAsyncMethod() {
     this.getDeclaringType() instanceof XamlReaderClass and
@@ -330,13 +352,15 @@ private class ProxyObjectClass extends Class {
   ProxyObjectClass() { this.hasQualifiedName("Microsoft.Web.Design.Remote.ProxyObject") }
 }
 
+/** `Microsoft.Web.Design.Remote.ProxyObject.DecodeValue` method */
 class ProxyObjectDecodeValueMethod extends Method, UnsafeDeserializer {
   ProxyObjectDecodeValueMethod() {
     this.getDeclaringType() instanceof ProxyObjectClass and
     this.hasName("DecodeValue")
   }
 }
 
+/** `Microsoft.Web.Design.Remote.ProxyObject.DecodeSerializedObject` method */
 class ProxyObjectDecodeSerializedObjectMethod extends Method, UnsafeDeserializer {
   ProxyObjectDecodeSerializedObjectMethod() {
     this.getDeclaringType() instanceof ProxyObjectClass and
@@ -349,6 +373,7 @@ private class JaysonConverterClass extends Class {
   JaysonConverterClass() { this.hasQualifiedName("Sweet.Jayson.JaysonConverter") }
 }
 
+/** `Sweet.Jayson.JaysonConverter.ToObject` method */
 class JaysonConverterToObjectMethod extends Method, UnsafeDeserializer {
   JaysonConverterToObjectMethod() {
     this.getDeclaringType() instanceof JaysonConverterClass and
@@ -364,6 +389,7 @@ private class ServiceStackTextJsonSerializerClass extends Class {
   }
 }
 
+/** `ServiceStack.Text.JsonSerializer.DeserializeFromString` method */
 class ServiceStackTextJsonSerializerDeserializeFromStringMethod extends Method, UnsafeDeserializer {
   ServiceStackTextJsonSerializerDeserializeFromStringMethod() {
     this.getDeclaringType() instanceof ServiceStackTextJsonSerializerClass and
@@ -372,6 +398,7 @@ class ServiceStackTextJsonSerializerDeserializeFromStringMethod extends Method,
   }
 }
 
+/** `ServiceStack.Text.JsonSerializer.DeserializeFromReader` method */
 class ServiceStackTextJsonSerializerDeserializeFromReaderMethod extends Method, UnsafeDeserializer {
   ServiceStackTextJsonSerializerDeserializeFromReaderMethod() {
     this.getDeclaringType() instanceof ServiceStackTextJsonSerializerClass and
@@ -380,6 +407,7 @@ class ServiceStackTextJsonSerializerDeserializeFromReaderMethod extends Method,
   }
 }
 
+/** `ServiceStack.Text.JsonSerializer.DeserializeFromStream` method */
 class ServiceStackTextJsonSerializerDeserializeFromStreamMethod extends Method, UnsafeDeserializer {
   ServiceStackTextJsonSerializerDeserializeFromStreamMethod() {
     this.getDeclaringType() instanceof ServiceStackTextJsonSerializerClass and
@@ -395,6 +423,7 @@ private class ServiceStackTextTypeSerializerClass extends Class {
   }
 }
 
+/** `ServiceStack.Text.TypeSerializer.DeserializeFromString` method */
 class ServiceStackTextTypeSerializerDeserializeFromStringMethod extends Method, UnsafeDeserializer {
   ServiceStackTextTypeSerializerDeserializeFromStringMethod() {
     this.getDeclaringType() instanceof ServiceStackTextTypeSerializerClass and
@@ -403,6 +432,7 @@ class ServiceStackTextTypeSerializerDeserializeFromStringMethod extends Method,
   }
 }
 
+/** `ServiceStack.Text.TypeSerializer.DeserializeFromReader` method */
 class ServiceStackTextTypeSerializerDeserializeFromReaderMethod extends Method, UnsafeDeserializer {
   ServiceStackTextTypeSerializerDeserializeFromReaderMethod() {
     this.getDeclaringType() instanceof ServiceStackTextTypeSerializerClass and
@@ -411,6 +441,7 @@ class ServiceStackTextTypeSerializerDeserializeFromReaderMethod extends Method,
   }
 }
 
+/** `ServiceStack.Text.TypeSerializer.DeserializeFromStream` method */
 class ServiceStackTextTypeSerializerDeserializeFromStreamMethod extends Method, UnsafeDeserializer {
   ServiceStackTextTypeSerializerDeserializeFromStreamMethod() {
     this.getDeclaringType() instanceof ServiceStackTextTypeSerializerClass and
@@ -424,6 +455,7 @@ private class ServiceStackTextCsvSerializerClass extends Class {
   ServiceStackTextCsvSerializerClass() { this.hasQualifiedName("ServiceStack.Text.CsvSerializer") }
 }
 
+/** `ServiceStack.Text.CsvSerializer.DeserializeFromString` method */
 class ServiceStackTextCsvSerializerDeserializeFromStringMethod extends Method, UnsafeDeserializer {
   ServiceStackTextCsvSerializerDeserializeFromStringMethod() {
     this.getDeclaringType() instanceof ServiceStackTextCsvSerializerClass and
@@ -432,6 +464,7 @@ class ServiceStackTextCsvSerializerDeserializeFromStringMethod extends Method, U
   }
 }
 
+/** `ServiceStack.Text.TypeSeriCsvSerializeralizer.DeserializeFromReader` method */
 class ServiceStackTextCsvSerializerDeserializeFromReaderMethod extends Method, UnsafeDeserializer {
   ServiceStackTextCsvSerializerDeserializeFromReaderMethod() {
     this.getDeclaringType() instanceof ServiceStackTextCsvSerializerClass and
@@ -440,6 +473,7 @@ class ServiceStackTextCsvSerializerDeserializeFromReaderMethod extends Method, U
   }
 }
 
+/** `ServiceStack.Text.CsvSerializer.DeserializeFromStream` method */
 class ServiceStackTextCsvSerializerDeserializeFromStreamMethod extends Method, UnsafeDeserializer {
   ServiceStackTextCsvSerializerDeserializeFromStreamMethod() {
     this.getDeclaringType() instanceof ServiceStackTextCsvSerializerClass and
@@ -453,6 +487,7 @@ private class ServiceStackTextXmlSerializerClass extends Class {
   ServiceStackTextXmlSerializerClass() { this.hasQualifiedName("ServiceStack.Text.XmlSerializer") }
 }
 
+/** `ServiceStack.Text.XmlSerializer.DeserializeFromString` method */
 class ServiceStackTextXmlSerializerDeserializeFromStringMethod extends Method, UnsafeDeserializer {
   ServiceStackTextXmlSerializerDeserializeFromStringMethod() {
     this.getDeclaringType() instanceof ServiceStackTextXmlSerializerClass and
@@ -461,6 +496,7 @@ class ServiceStackTextXmlSerializerDeserializeFromStringMethod extends Method, U
   }
 }
 
+/** `ServiceStack.Text.XmlSerializer.DeserializeFromReader` method */
 class ServiceStackTextXmlSerializerDeserializeFromReaderMethod extends Method, UnsafeDeserializer {
   ServiceStackTextXmlSerializerDeserializeFromReaderMethod() {
     this.getDeclaringType() instanceof ServiceStackTextXmlSerializerClass and
@@ -469,6 +505,7 @@ class ServiceStackTextXmlSerializerDeserializeFromReaderMethod extends Method, U
   }
 }
 
+/** `ServiceStack.Text.XmlSerializer.DeserializeFromStream` method */
 class ServiceStackTextXmlSerializerDeserializeFromStreamMethod extends Method, UnsafeDeserializer {
   ServiceStackTextXmlSerializerDeserializeFromStreamMethod() {
     this.getDeclaringType() instanceof ServiceStackTextXmlSerializerClass and

Original file line number	Diff line number	Diff line change
`@@ -47,11 +47,11 @@ module UnsafeDeserialization {`
`47`	`47`	`*/`
`48`	`48`	`abstract class Sanitizer extends DataFlow::Node { }`
`49`	`49`
`50`		`- class RemoteSource extends Source {`
	`50`	`+ private class RemoteSource extends Source {`
`51`	`51`	`RemoteSource() { this instanceof RemoteFlowSource }`
`52`	`52`	`}`
`53`	`53`
`54`		`- class LocalSource extends Source {`
	`54`	`+ private class LocalSource extends Source {`
`55`	`55`	`LocalSource() { this instanceof LocalFlowSource }`
`56`	`56`	`}`
`57`	`57`
Original file line number	Diff line number	Diff line change
`@@ -81,20 +81,23 @@ private class BinaryFormatterClass extends Class {`
`81`	`81`	`}`
`82`	`82`	`}`
`83`	`83`
	`84`	+/** `System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Deserialize` method */
`84`	`85`	`class BinaryFormatterDeserializeMethod extends Method, UnsafeDeserializer {`
`85`	`86`	`BinaryFormatterDeserializeMethod() {`
`86`	`87`	`this.getDeclaringType() instanceof BinaryFormatterClass and`
`87`	`88`	`this.hasName("Deserialize")`
`88`	`89`	`}`
`89`	`90`	`}`
`90`	`91`
	`92`	+/** `System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.UnsafeDeserialize` method */
`91`	`93`	`class BinaryFormatterUnsafeDeserializeMethod extends Method, UnsafeDeserializer {`
`92`	`94`	`BinaryFormatterUnsafeDeserializeMethod() {`
`93`	`95`	`this.getDeclaringType() instanceof BinaryFormatterClass and`
`94`	`96`	`this.hasName("UnsafeDeserialize")`
`95`	`97`	`}`
`96`	`98`	`}`
`97`	`99`
	`100`	+/** `System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.UnsafeDeserializeMethodResponse` method */
`98`	`101`	`class BinaryFormatterUnsafeDeserializeMethodResponseMethod extends Method, UnsafeDeserializer {`
`99`	`102`	`BinaryFormatterUnsafeDeserializeMethodResponseMethod() {`
`100`	`103`	`this.getDeclaringType() instanceof BinaryFormatterClass and`
`@@ -109,6 +112,7 @@ private class SoapFormatterClass extends Class {`
`109`	`112`	`}`
`110`	`113`	`}`
`111`	`114`
	`115`	+/** `System.Runtime.Serialization.Formatters.Soap.SoapFormatter.Deserialize` method */
`112`	`116`	`class SoapFormatterDeserializeMethod extends Method, UnsafeDeserializer {`
`113`	`117`	`SoapFormatterDeserializeMethod() {`
`114`	`118`	`this.getDeclaringType() instanceof SoapFormatterClass and`
`@@ -121,6 +125,7 @@ private class ObjectStateFormatterClass extends Class {`
`121`	`125`	`ObjectStateFormatterClass() { this.hasQualifiedName("System.Web.UI.ObjectStateFormatter") }`
`122`	`126`	`}`
`123`	`127`
	`128`	+/** `System.Web.UI.ObjectStateFormatter.Deserialize` method */
`124`	`129`	`class ObjectStateFormatterDeserializeMethod extends Method, UnsafeDeserializer {`
`125`	`130`	`ObjectStateFormatterDeserializeMethod() {`
`126`	`131`	`this.getDeclaringType() instanceof ObjectStateFormatterClass and`
`@@ -135,13 +140,15 @@ class NetDataContractSerializerClass extends Class {`
`135`	`140`	`}`
`136`	`141`	`}`
`137`	`142`
	`143`	+/** `System.Runtime.Serialization.NetDataContractSerializer.Deserialize` method */
`138`	`144`	`class NetDataContractSerializerDeserializeMethod extends Method, UnsafeDeserializer {`
`139`	`145`	`NetDataContractSerializerDeserializeMethod() {`
`140`	`146`	`this.getDeclaringType() instanceof NetDataContractSerializerClass and`
`141`	`147`	`this.hasName("Deserialize")`
`142`	`148`	`}`
`143`	`149`	`}`
`144`	`150`
	`151`	+/** `System.Runtime.Serialization.NetDataContractSerializer.ReadObject` method */
`145`	`152`	`class NetDataContractSerializerReadObjectMethod extends Method, UnsafeDeserializer {`
`146`	`153`	`NetDataContractSerializerReadObjectMethod() {`
`147`	`154`	`this.getDeclaringType() instanceof NetDataContractSerializerClass and`
`@@ -156,6 +163,7 @@ class DataContractJsonSerializerClass extends Class {`
`156`	`163`	`}`
`157`	`164`	`}`
`158`	`165`
	`166`	+/** `System.Runtime.Serialization.Json.DataContractJsonSerializer.ReadObject` method */
`159`	`167`	`class DataContractJsonSerializerReadObjectMethod extends Method, UnsafeDeserializer {`
`160`	`168`	`DataContractJsonSerializerReadObjectMethod() {`
`161`	`169`	`this.getDeclaringType() instanceof DataContractJsonSerializerClass and`
`@@ -170,13 +178,15 @@ class JavaScriptSerializerClass extends Class {`
`170`	`178`	`}`
`171`	`179`	`}`
`172`	`180`
	`181`	+/** `System.Web.Script.Serialization.JavaScriptSerializer.Deserialize` method */
`173`	`182`	`class JavaScriptSerializerClassDeserializeMethod extends Method, UnsafeDeserializer {`
`174`	`183`	`JavaScriptSerializerClassDeserializeMethod() {`
`175`	`184`	`this.getDeclaringType() instanceof JavaScriptSerializerClass and`
`176`	`185`	`this.hasName("Deserialize")`
`177`	`186`	`}`
`178`	`187`	`}`
`179`	`188`
	`189`	+/** `System.Web.Script.Serialization.JavaScriptSerializer.DeserializeObject` method */
`180`	`190`	`class JavaScriptSerializerClassDeserializeObjectMethod extends Method, UnsafeDeserializer {`
`181`	`191`	`JavaScriptSerializerClassDeserializeObjectMethod() {`
`182`	`192`	`this.getDeclaringType() instanceof JavaScriptSerializerClass and`
`@@ -191,6 +201,7 @@ class XmlObjectSerializerClass extends Class {`
`191`	`201`	`}`
`192`	`202`	`}`
`193`	`203`
	`204`	+/** `System.Runtime.Serialization.XmlObjectSerializer.ReadObject` method */
`194`	`205`	`class XmlObjectSerializerReadObjectMethod extends Method, UnsafeDeserializer {`
`195`	`206`	`XmlObjectSerializerReadObjectMethod() {`
`196`	`207`	`this.getDeclaringType() instanceof XmlObjectSerializerClass and`
`@@ -203,6 +214,7 @@ class XmlSerializerClass extends Class {`
`203`	`214`	`XmlSerializerClass() { this.hasQualifiedName("System.Xml.Serialization.XmlSerializer") }`
`204`	`215`	`}`
`205`	`216`
	`217`	+/** `System.Xml.Serialization.XmlSerializer.Deserialize` method */
`206`	`218`	`class XmlSerializerDeserializeMethod extends Method, UnsafeDeserializer {`
`207`	`219`	`XmlSerializerDeserializeMethod() {`
`208`	`220`	`this.getDeclaringType() instanceof XmlSerializerClass and`
`@@ -217,6 +229,7 @@ class DataContractSerializerClass extends Class {`
`217`	`229`	`}`
`218`	`230`	`}`
`219`	`231`
	`232`	+/** `System.Runtime.Serialization.DataContractSerializer.ReadObject` method */
`220`	`233`	`class DataContractSerializerReadObjectMethod extends Method, UnsafeDeserializer {`
`221`	`234`	`DataContractSerializerReadObjectMethod() {`
`222`	`235`	`this.getDeclaringType() instanceof DataContractSerializerClass and`
`@@ -229,6 +242,7 @@ class XmlMessageFormatterClass extends Class {`
`229`	`242`	`XmlMessageFormatterClass() { this.hasQualifiedName("System.Messaging.XmlMessageFormatter") }`
`230`	`243`	`}`
`231`	`244`
	`245`	+/** `System.Messaging.XmlMessageFormatter.Read` method */
`232`	`246`	`class XmlMessageFormatterReadMethod extends Method, UnsafeDeserializer {`
`233`	`247`	`XmlMessageFormatterReadMethod() {`
`234`	`248`	`this.getDeclaringType() instanceof XmlMessageFormatterClass and`
`@@ -241,6 +255,7 @@ private class LosFormatterClass extends Class {`
`241`	`255`	`LosFormatterClass() { this.hasQualifiedName("System.Web.UI.LosFormatter") }`
`242`	`256`	`}`
`243`	`257`
	`258`	+/** `System.Web.UI.LosFormatter.Deserialize` method */
`244`	`259`	`class LosFormatterDeserializeMethod extends Method, UnsafeDeserializer {`
`245`	`260`	`LosFormatterDeserializeMethod() {`
`246`	`261`	`this.getDeclaringType() instanceof LosFormatterClass and`
`@@ -253,6 +268,7 @@ private class FastJsonClass extends Class {`
`253`	`268`	`FastJsonClass() { this.hasQualifiedName("fastJSON.JSON") }`
`254`	`269`	`}`
`255`	`270`
	`271`	+/** `fastJSON.JSON.ToObject` method */
`256`	`272`	`class FastJsonClassToObjectMethod extends Method, UnsafeDeserializer {`
`257`	`273`	`FastJsonClassToObjectMethod() {`
`258`	`274`	`this.getDeclaringType() instanceof FastJsonClass and`
`@@ -266,6 +282,7 @@ private class ActivityClass extends Class {`
`266`	`282`	`ActivityClass() { this.hasQualifiedName("System.Workflow.ComponentModel.Activity") }`
`267`	`283`	`}`
`268`	`284`
	`285`	+/** `System.Workflow.ComponentModel.Activity.Load` method */
`269`	`286`	`class ActivityLoadMethod extends Method, UnsafeDeserializer {`
`270`	`287`	`ActivityLoadMethod() {`
`271`	`288`	`this.getDeclaringType() instanceof ActivityClass and`
`@@ -278,6 +295,7 @@ private class ResourceReaderClass extends Class {`
`278`	`295`	`ResourceReaderClass() { this.hasQualifiedName("System.Resources.ResourceReader") }`
`279`	`296`	`}`
`280`	`297`
	`298`	+/** `System.Resources.ResourceReader` constructor */
`281`	`299`	`class ResourceReaderConstructor extends Constructor, UnsafeDeserializer {`
`282`	`300`	`ResourceReaderConstructor() {`
`283`	`301`	`this.getDeclaringType() instanceof ResourceReaderClass and`
`@@ -290,6 +308,7 @@ private class BinaryMessageFormatterClass extends Class {`
`290`	`308`	`BinaryMessageFormatterClass() { this.hasQualifiedName("System.Messaging.BinaryMessageFormatter") }`
`291`	`309`	`}`
`292`	`310`
	`311`	+/** `System.Messaging.BinaryMessageFormatter.Read` method */
`293`	`312`	`class BinaryMessageFormatterReadMethod extends Method, UnsafeDeserializer {`
`294`	`313`	`BinaryMessageFormatterReadMethod() {`
`295`	`314`	`this.getDeclaringType() instanceof BinaryMessageFormatterClass and`
`@@ -302,6 +321,7 @@ private class XamlReaderClass extends Class {`
`302`	`321`	`XamlReaderClass() { this.hasQualifiedName("System.Windows.Markup.XamlReader") }`
`303`	`322`	`}`
`304`	`323`
	`324`	+/** `System.Windows.Markup.XamlReader.Parse` method */
`305`	`325`	`class XamlReaderParseMethod extends Method, UnsafeDeserializer {`
`306`	`326`	`XamlReaderParseMethod() {`
`307`	`327`	`this.getDeclaringType() instanceof XamlReaderClass and`
`@@ -310,6 +330,7 @@ class XamlReaderParseMethod extends Method, UnsafeDeserializer {`
`310`	`330`	`}`
`311`	`331`	`}`
`312`	`332`
	`333`	+/** `System.Windows.Markup.XamlReader.Load` method */
`313`	`334`	`class XamlReaderLoadMethod extends Method, UnsafeDeserializer {`
`314`	`335`	`XamlReaderLoadMethod() {`
`315`	`336`	`this.getDeclaringType() instanceof XamlReaderClass and`
`@@ -318,6 +339,7 @@ class XamlReaderLoadMethod extends Method, UnsafeDeserializer {`
`318`	`339`	`}`
`319`	`340`	`}`
`320`	`341`
	`342`	+/** `System.Windows.Markup.XamlReader.LoadAsync` method */
`321`	`343`	`class XamlReaderLoadAsyncMethod extends Method, UnsafeDeserializer {`
`322`	`344`	`XamlReaderLoadAsyncMethod() {`
`323`	`345`	`this.getDeclaringType() instanceof XamlReaderClass and`
`@@ -330,13 +352,15 @@ private class ProxyObjectClass extends Class {`
`330`	`352`	`ProxyObjectClass() { this.hasQualifiedName("Microsoft.Web.Design.Remote.ProxyObject") }`
`331`	`353`	`}`
`332`	`354`
	`355`	+/** `Microsoft.Web.Design.Remote.ProxyObject.DecodeValue` method */
`333`	`356`	`class ProxyObjectDecodeValueMethod extends Method, UnsafeDeserializer {`
`334`	`357`	`ProxyObjectDecodeValueMethod() {`
`335`	`358`	`this.getDeclaringType() instanceof ProxyObjectClass and`
`336`	`359`	`this.hasName("DecodeValue")`
`337`	`360`	`}`
`338`	`361`	`}`
`339`	`362`
	`363`	+/** `Microsoft.Web.Design.Remote.ProxyObject.DecodeSerializedObject` method */
`340`	`364`	`class ProxyObjectDecodeSerializedObjectMethod extends Method, UnsafeDeserializer {`
`341`	`365`	`ProxyObjectDecodeSerializedObjectMethod() {`
`342`	`366`	`this.getDeclaringType() instanceof ProxyObjectClass and`
`@@ -349,6 +373,7 @@ private class JaysonConverterClass extends Class {`
`349`	`373`	`JaysonConverterClass() { this.hasQualifiedName("Sweet.Jayson.JaysonConverter") }`
`350`	`374`	`}`
`351`	`375`
	`376`	+/** `Sweet.Jayson.JaysonConverter.ToObject` method */
`352`	`377`	`class JaysonConverterToObjectMethod extends Method, UnsafeDeserializer {`
`353`	`378`	`JaysonConverterToObjectMethod() {`
`354`	`379`	`this.getDeclaringType() instanceof JaysonConverterClass and`
`@@ -364,6 +389,7 @@ private class ServiceStackTextJsonSerializerClass extends Class {`
`364`	`389`	`}`
`365`	`390`	`}`
`366`	`391`
	`392`	+/** `ServiceStack.Text.JsonSerializer.DeserializeFromString` method */
`367`	`393`	`class ServiceStackTextJsonSerializerDeserializeFromStringMethod extends Method, UnsafeDeserializer {`
`368`	`394`	`ServiceStackTextJsonSerializerDeserializeFromStringMethod() {`
`369`	`395`	`this.getDeclaringType() instanceof ServiceStackTextJsonSerializerClass and`
`@@ -372,6 +398,7 @@ class ServiceStackTextJsonSerializerDeserializeFromStringMethod extends Method,`
`372`	`398`	`}`
`373`	`399`	`}`
`374`	`400`
	`401`	+/** `ServiceStack.Text.JsonSerializer.DeserializeFromReader` method */
`375`	`402`	`class ServiceStackTextJsonSerializerDeserializeFromReaderMethod extends Method, UnsafeDeserializer {`
`376`	`403`	`ServiceStackTextJsonSerializerDeserializeFromReaderMethod() {`
`377`	`404`	`this.getDeclaringType() instanceof ServiceStackTextJsonSerializerClass and`
`@@ -380,6 +407,7 @@ class ServiceStackTextJsonSerializerDeserializeFromReaderMethod extends Method,`
`380`	`407`	`}`
`381`	`408`	`}`
`382`	`409`
	`410`	+/** `ServiceStack.Text.JsonSerializer.DeserializeFromStream` method */
`383`	`411`	`class ServiceStackTextJsonSerializerDeserializeFromStreamMethod extends Method, UnsafeDeserializer {`
`384`	`412`	`ServiceStackTextJsonSerializerDeserializeFromStreamMethod() {`
`385`	`413`	`this.getDeclaringType() instanceof ServiceStackTextJsonSerializerClass and`
`@@ -395,6 +423,7 @@ private class ServiceStackTextTypeSerializerClass extends Class {`
`395`	`423`	`}`
`396`	`424`	`}`
`397`	`425`
	`426`	+/** `ServiceStack.Text.TypeSerializer.DeserializeFromString` method */
`398`	`427`	`class ServiceStackTextTypeSerializerDeserializeFromStringMethod extends Method, UnsafeDeserializer {`
`399`	`428`	`ServiceStackTextTypeSerializerDeserializeFromStringMethod() {`
`400`	`429`	`this.getDeclaringType() instanceof ServiceStackTextTypeSerializerClass and`
`@@ -403,6 +432,7 @@ class ServiceStackTextTypeSerializerDeserializeFromStringMethod extends Method,`
`403`	`432`	`}`
`404`	`433`	`}`
`405`	`434`
	`435`	+/** `ServiceStack.Text.TypeSerializer.DeserializeFromReader` method */
`406`	`436`	`class ServiceStackTextTypeSerializerDeserializeFromReaderMethod extends Method, UnsafeDeserializer {`
`407`	`437`	`ServiceStackTextTypeSerializerDeserializeFromReaderMethod() {`
`408`	`438`	`this.getDeclaringType() instanceof ServiceStackTextTypeSerializerClass and`
`@@ -411,6 +441,7 @@ class ServiceStackTextTypeSerializerDeserializeFromReaderMethod extends Method,`
`411`	`441`	`}`
`412`	`442`	`}`
`413`	`443`
	`444`	+/** `ServiceStack.Text.TypeSerializer.DeserializeFromStream` method */
`414`	`445`	`class ServiceStackTextTypeSerializerDeserializeFromStreamMethod extends Method, UnsafeDeserializer {`
`415`	`446`	`ServiceStackTextTypeSerializerDeserializeFromStreamMethod() {`
`416`	`447`	`this.getDeclaringType() instanceof ServiceStackTextTypeSerializerClass and`
`@@ -424,6 +455,7 @@ private class ServiceStackTextCsvSerializerClass extends Class {`
`424`	`455`	`ServiceStackTextCsvSerializerClass() { this.hasQualifiedName("ServiceStack.Text.CsvSerializer") }`
`425`	`456`	`}`
`426`	`457`
	`458`	+/** `ServiceStack.Text.CsvSerializer.DeserializeFromString` method */
`427`	`459`	`class ServiceStackTextCsvSerializerDeserializeFromStringMethod extends Method, UnsafeDeserializer {`
`428`	`460`	`ServiceStackTextCsvSerializerDeserializeFromStringMethod() {`
`429`	`461`	`this.getDeclaringType() instanceof ServiceStackTextCsvSerializerClass and`
`@@ -432,6 +464,7 @@ class ServiceStackTextCsvSerializerDeserializeFromStringMethod extends Method, U`
`432`	`464`	`}`
`433`	`465`	`}`
`434`	`466`
	`467`	+/** `ServiceStack.Text.TypeSeriCsvSerializeralizer.DeserializeFromReader` method */
`435`	`468`	`class ServiceStackTextCsvSerializerDeserializeFromReaderMethod extends Method, UnsafeDeserializer {`
`436`	`469`	`ServiceStackTextCsvSerializerDeserializeFromReaderMethod() {`
`437`	`470`	`this.getDeclaringType() instanceof ServiceStackTextCsvSerializerClass and`
`@@ -440,6 +473,7 @@ class ServiceStackTextCsvSerializerDeserializeFromReaderMethod extends Method, U`
`440`	`473`	`}`
`441`	`474`	`}`
`442`	`475`
	`476`	+/** `ServiceStack.Text.CsvSerializer.DeserializeFromStream` method */
`443`	`477`	`class ServiceStackTextCsvSerializerDeserializeFromStreamMethod extends Method, UnsafeDeserializer {`
`444`	`478`	`ServiceStackTextCsvSerializerDeserializeFromStreamMethod() {`
`445`	`479`	`this.getDeclaringType() instanceof ServiceStackTextCsvSerializerClass and`
`@@ -453,6 +487,7 @@ private class ServiceStackTextXmlSerializerClass extends Class {`
`453`	`487`	`ServiceStackTextXmlSerializerClass() { this.hasQualifiedName("ServiceStack.Text.XmlSerializer") }`
`454`	`488`	`}`
`455`	`489`
	`490`	+/** `ServiceStack.Text.XmlSerializer.DeserializeFromString` method */
`456`	`491`	`class ServiceStackTextXmlSerializerDeserializeFromStringMethod extends Method, UnsafeDeserializer {`
`457`	`492`	`ServiceStackTextXmlSerializerDeserializeFromStringMethod() {`
`458`	`493`	`this.getDeclaringType() instanceof ServiceStackTextXmlSerializerClass and`
`@@ -461,6 +496,7 @@ class ServiceStackTextXmlSerializerDeserializeFromStringMethod extends Method, U`
`461`	`496`	`}`
`462`	`497`	`}`
`463`	`498`
	`499`	+/** `ServiceStack.Text.XmlSerializer.DeserializeFromReader` method */
`464`	`500`	`class ServiceStackTextXmlSerializerDeserializeFromReaderMethod extends Method, UnsafeDeserializer {`
`465`	`501`	`ServiceStackTextXmlSerializerDeserializeFromReaderMethod() {`
`466`	`502`	`this.getDeclaringType() instanceof ServiceStackTextXmlSerializerClass and`
`@@ -469,6 +505,7 @@ class ServiceStackTextXmlSerializerDeserializeFromReaderMethod extends Method, U`
`469`	`505`	`}`
`470`	`506`	`}`
`471`	`507`
	`508`	+/** `ServiceStack.Text.XmlSerializer.DeserializeFromStream` method */
`472`	`509`	`class ServiceStackTextXmlSerializerDeserializeFromStreamMethod extends Method, UnsafeDeserializer {`
`473`	`510`	`ServiceStackTextXmlSerializerDeserializeFromStreamMethod() {`
`474`	`511`	`this.getDeclaringType() instanceof ServiceStackTextXmlSerializerClass and`