reintroduce UnsafeDeserializer

edvraa · edvraa · commit a412581556d0 · 2021-04-15T22:32:42.000+03:00
diff --git a/csharp/ql/src/semmle/code/csharp/serialization/Deserializers.qll b/csharp/ql/src/semmle/code/csharp/serialization/Deserializers.qll
@@ -5,6 +5,9 @@
 
 import csharp
 
+/** An unsafe deserializer. */
+abstract class UnsafeDeserializer extends Callable { }
+
 /** Unsafe deserialization calls. */
 class UnsafeDeserializerCallable extends Callable {
   UnsafeDeserializerCallable() {
@@ -140,7 +143,7 @@ class WeakTypeDeserializer extends Class {
  * An unsafe deserializer method that calls any unsafe deserializer on any of
  * the parameters.
  */
-class WrapperDeserializer extends UnsafeDeserializerCallable {
+class WrapperDeserializer extends UnsafeDeserializerCallable, UnsafeDeserializer {
   WrapperDeserializer() {
     exists(Call call |
       call.getEnclosingCallable() = this and
@@ -157,21 +160,21 @@ class BinaryFormatterClass extends Class {
   }
 }
 
-class BinaryFormatterDeserializeMethod extends Method {
+class BinaryFormatterDeserializeMethod extends Method, UnsafeDeserializer {
   BinaryFormatterDeserializeMethod() {
     this.getDeclaringType() instanceof BinaryFormatterClass and
     this.hasName("Deserialize")
   }
 }
 
-class BinaryFormatterUnsafeDeserializeMethod extends Method {
+class BinaryFormatterUnsafeDeserializeMethod extends Method, UnsafeDeserializer {
   BinaryFormatterUnsafeDeserializeMethod() {
     this.getDeclaringType() instanceof BinaryFormatterClass and
     this.hasName("UnsafeDeserialize")
   }
 }
 
-class BinaryFormatterUnsafeDeserializeMethodResponseMethod extends Method {
+class BinaryFormatterUnsafeDeserializeMethodResponseMethod extends Method, UnsafeDeserializer {
   BinaryFormatterUnsafeDeserializeMethodResponseMethod() {
     this.getDeclaringType() instanceof BinaryFormatterClass and
     this.hasName("UnsafeDeserializeMethodResponse")
@@ -185,7 +188,7 @@ class SoapFormatterClass extends Class {
   }
 }
 
-class SoapFormatterDeserializeMethod extends Method {
+class SoapFormatterDeserializeMethod extends Method, UnsafeDeserializer {
   SoapFormatterDeserializeMethod() {
     this.getDeclaringType() instanceof SoapFormatterClass and
     this.hasName("Deserialize")
@@ -197,7 +200,7 @@ class ObjectStateFormatterClass extends Class {
   ObjectStateFormatterClass() { this.hasQualifiedName("System.Web.UI.ObjectStateFormatter") }
 }
 
-class ObjectStateFormatterDeserializeMethod extends Method {
+class ObjectStateFormatterDeserializeMethod extends Method, UnsafeDeserializer {
   ObjectStateFormatterDeserializeMethod() {
     this.getDeclaringType() instanceof ObjectStateFormatterClass and
     this.hasName("Deserialize")
@@ -211,14 +214,14 @@ class NetDataContractSerializerClass extends Class {
   }
 }
 
-class NetDataContractSerializerDeserializeMethod extends Method {
+class NetDataContractSerializerDeserializeMethod extends Method, UnsafeDeserializer {
   NetDataContractSerializerDeserializeMethod() {
     this.getDeclaringType() instanceof NetDataContractSerializerClass and
     this.hasName("Deserialize")
   }
 }
 
-class NetDataContractSerializerReadObjectMethod extends Method {
+class NetDataContractSerializerReadObjectMethod extends Method, UnsafeDeserializer {
   NetDataContractSerializerReadObjectMethod() {
     this.getDeclaringType() instanceof NetDataContractSerializerClass and
     this.hasName("ReadObject")
@@ -232,7 +235,7 @@ class DataContractJsonSerializerClass extends Class {
   }
 }
 
-class DataContractJsonSerializerReadObjectMethod extends Method {
+class DataContractJsonSerializerReadObjectMethod extends Method, UnsafeDeserializer {
   DataContractJsonSerializerReadObjectMethod() {
     this.getDeclaringType() instanceof DataContractJsonSerializerClass and
     this.hasName("ReadObject")
@@ -246,14 +249,14 @@ class JavaScriptSerializerClass extends Class {
   }
 }
 
-class JavaScriptSerializerClassDeserializeMethod extends Method {
+class JavaScriptSerializerClassDeserializeMethod extends Method, UnsafeDeserializer {
   JavaScriptSerializerClassDeserializeMethod() {
     this.getDeclaringType() instanceof JavaScriptSerializerClass and
     this.hasName("Deserialize")
   }
 }
 
-class JavaScriptSerializerClassDeserializeObjectMethod extends Method {
+class JavaScriptSerializerClassDeserializeObjectMethod extends Method, UnsafeDeserializer {
   JavaScriptSerializerClassDeserializeObjectMethod() {
     this.getDeclaringType() instanceof JavaScriptSerializerClass and
     this.hasName("DeserializeObject")
@@ -267,7 +270,7 @@ class XmlObjectSerializerClass extends Class {
   }
 }
 
-class XmlObjectSerializerReadObjectMethod extends Method {
+class XmlObjectSerializerReadObjectMethod extends Method, UnsafeDeserializer {
   XmlObjectSerializerReadObjectMethod() {
     this.getDeclaringType() instanceof XmlObjectSerializerClass and
     this.hasName("ReadObject")
@@ -279,7 +282,7 @@ class XmlSerializerClass extends Class {
   XmlSerializerClass() { this.hasQualifiedName("System.Xml.Serialization.XmlSerializer") }
 }
 
-class XmlSerializerDeserializeMethod extends Method {
+class XmlSerializerDeserializeMethod extends Method, UnsafeDeserializer {
   XmlSerializerDeserializeMethod() {
     this.getDeclaringType() instanceof XmlSerializerClass and
     this.hasName("Deserialize")
@@ -293,7 +296,7 @@ class DataContractSerializerClass extends Class {
   }
 }
 
-class DataContractSerializerReadObjectMethod extends Method {
+class DataContractSerializerReadObjectMethod extends Method, UnsafeDeserializer {
   DataContractSerializerReadObjectMethod() {
     this.getDeclaringType() instanceof DataContractSerializerClass and
     this.hasName("ReadObject")
@@ -305,7 +308,7 @@ class XmlMessageFormatterClass extends Class {
   XmlMessageFormatterClass() { this.hasQualifiedName("System.Messaging.XmlMessageFormatter") }
 }
 
-class XmlMessageFormatterReadMethod extends Method {
+class XmlMessageFormatterReadMethod extends Method, UnsafeDeserializer {
   XmlMessageFormatterReadMethod() {
     this.getDeclaringType() instanceof XmlMessageFormatterClass and
     this.hasName("Read")
@@ -317,7 +320,7 @@ class LosFormatterClass extends Class {
   LosFormatterClass() { this.hasQualifiedName("System.Web.UI.LosFormatter") }
 }
 
-class LosFormatterDeserializeMethod extends Method {
+class LosFormatterDeserializeMethod extends Method, UnsafeDeserializer {
   LosFormatterDeserializeMethod() {
     this.getDeclaringType() instanceof LosFormatterClass and
     this.hasName("Deserialize")
@@ -329,7 +332,7 @@ class FastJsonClass extends Class {
   FastJsonClass() { this.hasQualifiedName("fastJSON.JSON") }
 }
 
-class FastJsonClassToObjectMethod extends Method {
+class FastJsonClassToObjectMethod extends Method, UnsafeDeserializer {
   FastJsonClassToObjectMethod() {
     this.getDeclaringType() instanceof FastJsonClass and
     this.hasName("ToObject") and
@@ -342,7 +345,7 @@ class ActivityClass extends Class {
   ActivityClass() { this.hasQualifiedName("System.Workflow.ComponentModel.Activity") }
 }
 
-class ActivityLoadMethod extends Method {
+class ActivityLoadMethod extends Method, UnsafeDeserializer {
   ActivityLoadMethod() {
     this.getDeclaringType() instanceof ActivityClass and
     this.hasName("Load")
@@ -354,7 +357,7 @@ class ResourceReaderClass extends Class {
   ResourceReaderClass() { this.hasQualifiedName("System.Resources.ResourceReader") }
 }
 
-class ResourceReaderConstructor extends Constructor {
+class ResourceReaderConstructor extends Constructor, UnsafeDeserializer {
   ResourceReaderConstructor() {
     this.getDeclaringType() instanceof ResourceReaderClass and
     this.hasName("ResourceReader")
@@ -366,7 +369,7 @@ class BinaryMessageFormatterClass extends Class {
   BinaryMessageFormatterClass() { this.hasQualifiedName("System.Messaging.BinaryMessageFormatter") }
 }
 
-class BinaryMessageFormatterReadMethod extends Method {
+class BinaryMessageFormatterReadMethod extends Method, UnsafeDeserializer {
   BinaryMessageFormatterReadMethod() {
     this.getDeclaringType() instanceof BinaryMessageFormatterClass and
     this.hasName("Read")
@@ -378,23 +381,23 @@ class XamlReaderClass extends Class {
   XamlReaderClass() { this.hasQualifiedName("System.Windows.Markup.XamlReader") }
 }
 
-class XamlReaderParseMethod extends Method {
+class XamlReaderParseMethod extends Method, UnsafeDeserializer {
   XamlReaderParseMethod() {
     this.getDeclaringType() instanceof XamlReaderClass and
     this.hasName("Parse") and
     this.isStatic()
   }
 }
 
-class XamlReaderLoadMethod extends Method {
+class XamlReaderLoadMethod extends Method, UnsafeDeserializer {
   XamlReaderLoadMethod() {
     this.getDeclaringType() instanceof XamlReaderClass and
     this.hasName("Load") and
     this.isStatic()
   }
 }
 
-class XamlReaderLoadAsyncMethod extends Method {
+class XamlReaderLoadAsyncMethod extends Method, UnsafeDeserializer {
   XamlReaderLoadAsyncMethod() {
     this.getDeclaringType() instanceof XamlReaderClass and
     this.hasName("LoadAsync")
@@ -406,14 +409,14 @@ class ProxyObjectClass extends Class {
   ProxyObjectClass() { this.hasQualifiedName("Microsoft.Web.Design.Remote.ProxyObject") }
 }
 
-class ProxyObjectDecodeValueMethod extends Method {
+class ProxyObjectDecodeValueMethod extends Method, UnsafeDeserializer {
   ProxyObjectDecodeValueMethod() {
     this.getDeclaringType() instanceof ProxyObjectClass and
     this.hasName("DecodeValue")
   }
 }
 
-class ProxyObjectDecodeSerializedObjectMethod extends Method {
+class ProxyObjectDecodeSerializedObjectMethod extends Method, UnsafeDeserializer {
   ProxyObjectDecodeSerializedObjectMethod() {
     this.getDeclaringType() instanceof ProxyObjectClass and
     this.hasName("DecodeSerializedObject")
@@ -425,7 +428,7 @@ class JaysonConverterClass extends Class {
   JaysonConverterClass() { this.hasQualifiedName("Sweet.Jayson.JaysonConverter") }
 }
 
-class JaysonConverterToObjectMethod extends Method {
+class JaysonConverterToObjectMethod extends Method, UnsafeDeserializer {
   JaysonConverterToObjectMethod() {
     this.getDeclaringType() instanceof JaysonConverterClass and
     this.hasName("ToObject") and
@@ -440,23 +443,23 @@ class ServiceStackTextJsonSerializerClass extends Class {
   }
 }
 
-class ServiceStackTextJsonSerializerDeserializeFromStringMethod extends Method {
+class ServiceStackTextJsonSerializerDeserializeFromStringMethod extends Method, UnsafeDeserializer {
   ServiceStackTextJsonSerializerDeserializeFromStringMethod() {
     this.getDeclaringType() instanceof ServiceStackTextJsonSerializerClass and
     this.hasName("DeserializeFromString") and
     this.isStatic()
   }
 }
 
-class ServiceStackTextJsonSerializerDeserializeFromReaderMethod extends Method {
+class ServiceStackTextJsonSerializerDeserializeFromReaderMethod extends Method, UnsafeDeserializer {
   ServiceStackTextJsonSerializerDeserializeFromReaderMethod() {
     this.getDeclaringType() instanceof ServiceStackTextJsonSerializerClass and
     this.hasName("DeserializeFromReader") and
     this.isStatic()
   }
 }
 
-class ServiceStackTextJsonSerializerDeserializeFromStreamMethod extends Method {
+class ServiceStackTextJsonSerializerDeserializeFromStreamMethod extends Method, UnsafeDeserializer {
   ServiceStackTextJsonSerializerDeserializeFromStreamMethod() {
     this.getDeclaringType() instanceof ServiceStackTextJsonSerializerClass and
     this.hasName("DeserializeFromStream") and
@@ -471,23 +474,23 @@ class ServiceStackTextTypeSerializerClass extends Class {
   }
 }
 
-class ServiceStackTextTypeSerializerDeserializeFromStringMethod extends Method {
+class ServiceStackTextTypeSerializerDeserializeFromStringMethod extends Method, UnsafeDeserializer {
   ServiceStackTextTypeSerializerDeserializeFromStringMethod() {
     this.getDeclaringType() instanceof ServiceStackTextTypeSerializerClass and
     this.hasName("DeserializeFromString") and
     this.isStatic()
   }
 }
 
-class ServiceStackTextTypeSerializerDeserializeFromReaderMethod extends Method {
+class ServiceStackTextTypeSerializerDeserializeFromReaderMethod extends Method, UnsafeDeserializer {
   ServiceStackTextTypeSerializerDeserializeFromReaderMethod() {
     this.getDeclaringType() instanceof ServiceStackTextTypeSerializerClass and
     this.hasName("DeserializeFromReader") and
     this.isStatic()
   }
 }
 
-class ServiceStackTextTypeSerializerDeserializeFromStreamMethod extends Method {
+class ServiceStackTextTypeSerializerDeserializeFromStreamMethod extends Method, UnsafeDeserializer {
   ServiceStackTextTypeSerializerDeserializeFromStreamMethod() {
     this.getDeclaringType() instanceof ServiceStackTextTypeSerializerClass and
     this.hasName("DeserializeFromStream") and
@@ -500,23 +503,23 @@ class ServiceStackTextCsvSerializerClass extends Class {
   ServiceStackTextCsvSerializerClass() { this.hasQualifiedName("ServiceStack.Text.CsvSerializer") }
 }
 
-class ServiceStackTextCsvSerializerDeserializeFromStringMethod extends Method {
+class ServiceStackTextCsvSerializerDeserializeFromStringMethod extends Method, UnsafeDeserializer {
   ServiceStackTextCsvSerializerDeserializeFromStringMethod() {
     this.getDeclaringType() instanceof ServiceStackTextCsvSerializerClass and
     this.hasName("DeserializeFromString") and
     this.isStatic()
   }
 }
 
-class ServiceStackTextCsvSerializerDeserializeFromReaderMethod extends Method {
+class ServiceStackTextCsvSerializerDeserializeFromReaderMethod extends Method, UnsafeDeserializer {
   ServiceStackTextCsvSerializerDeserializeFromReaderMethod() {
     this.getDeclaringType() instanceof ServiceStackTextCsvSerializerClass and
     this.hasName("DeserializeFromReader") and
     this.isStatic()
   }
 }
 
-class ServiceStackTextCsvSerializerDeserializeFromStreamMethod extends Method {
+class ServiceStackTextCsvSerializerDeserializeFromStreamMethod extends Method, UnsafeDeserializer {
   ServiceStackTextCsvSerializerDeserializeFromStreamMethod() {
     this.getDeclaringType() instanceof ServiceStackTextCsvSerializerClass and
     this.hasName("DeserializeFromStream") and
@@ -529,23 +532,23 @@ class ServiceStackTextXmlSerializerClass extends Class {
   ServiceStackTextXmlSerializerClass() { this.hasQualifiedName("ServiceStack.Text.XmlSerializer") }
 }
 
-class ServiceStackTextXmlSerializerDeserializeFromStringMethod extends Method {
+class ServiceStackTextXmlSerializerDeserializeFromStringMethod extends Method, UnsafeDeserializer {
   ServiceStackTextXmlSerializerDeserializeFromStringMethod() {
     this.getDeclaringType() instanceof ServiceStackTextXmlSerializerClass and
     this.hasName("DeserializeFromString") and
     this.isStatic()
   }
 }
 
-class ServiceStackTextXmlSerializerDeserializeFromReaderMethod extends Method {
+class ServiceStackTextXmlSerializerDeserializeFromReaderMethod extends Method, UnsafeDeserializer {
   ServiceStackTextXmlSerializerDeserializeFromReaderMethod() {
     this.getDeclaringType() instanceof ServiceStackTextXmlSerializerClass and
     this.hasName("DeserializeFromReader") and
     this.isStatic()
   }
 }
 
-class ServiceStackTextXmlSerializerDeserializeFromStreamMethod extends Method {
+class ServiceStackTextXmlSerializerDeserializeFromStreamMethod extends Method, UnsafeDeserializer {
   ServiceStackTextXmlSerializerDeserializeFromStreamMethod() {
     this.getDeclaringType() instanceof ServiceStackTextXmlSerializerClass and
     this.hasName("DeserializeFromStream") and

Original file line number	Diff line number	Diff line change
`@@ -5,6 +5,9 @@`
`5`	`5`
`6`	`6`	`import csharp`
`7`	`7`
	`8`	`+/** An unsafe deserializer. */`
	`9`	`+abstract class UnsafeDeserializer extends Callable { }`
	`10`	`+`
`8`	`11`	`/** Unsafe deserialization calls. */`
`9`	`12`	`class UnsafeDeserializerCallable extends Callable {`
`10`	`13`	`UnsafeDeserializerCallable() {`
`@@ -140,7 +143,7 @@ class WeakTypeDeserializer extends Class {`
`140`	`143`	`* An unsafe deserializer method that calls any unsafe deserializer on any of`
`141`	`144`	`* the parameters.`
`142`	`145`	`*/`
`143`		`-class WrapperDeserializer extends UnsafeDeserializerCallable {`
	`146`	`+class WrapperDeserializer extends UnsafeDeserializerCallable, UnsafeDeserializer {`
`144`	`147`	`WrapperDeserializer() {`
`145`	`148`	`exists(Call call \|`
`146`	`149`	`call.getEnclosingCallable() = this and`
`@@ -157,21 +160,21 @@ class BinaryFormatterClass extends Class {`
`157`	`160`	`}`
`158`	`161`	`}`
`159`	`162`
`160`		`-class BinaryFormatterDeserializeMethod extends Method {`
	`163`	`+class BinaryFormatterDeserializeMethod extends Method, UnsafeDeserializer {`
`161`	`164`	`BinaryFormatterDeserializeMethod() {`
`162`	`165`	`this.getDeclaringType() instanceof BinaryFormatterClass and`
`163`	`166`	`this.hasName("Deserialize")`
`164`	`167`	`}`
`165`	`168`	`}`
`166`	`169`
`167`		`-class BinaryFormatterUnsafeDeserializeMethod extends Method {`
	`170`	`+class BinaryFormatterUnsafeDeserializeMethod extends Method, UnsafeDeserializer {`
`168`	`171`	`BinaryFormatterUnsafeDeserializeMethod() {`
`169`	`172`	`this.getDeclaringType() instanceof BinaryFormatterClass and`
`170`	`173`	`this.hasName("UnsafeDeserialize")`
`171`	`174`	`}`
`172`	`175`	`}`
`173`	`176`
`174`		`-class BinaryFormatterUnsafeDeserializeMethodResponseMethod extends Method {`
	`177`	`+class BinaryFormatterUnsafeDeserializeMethodResponseMethod extends Method, UnsafeDeserializer {`
`175`	`178`	`BinaryFormatterUnsafeDeserializeMethodResponseMethod() {`
`176`	`179`	`this.getDeclaringType() instanceof BinaryFormatterClass and`
`177`	`180`	`this.hasName("UnsafeDeserializeMethodResponse")`
`@@ -185,7 +188,7 @@ class SoapFormatterClass extends Class {`
`185`	`188`	`}`
`186`	`189`	`}`
`187`	`190`
`188`		`-class SoapFormatterDeserializeMethod extends Method {`
	`191`	`+class SoapFormatterDeserializeMethod extends Method, UnsafeDeserializer {`
`189`	`192`	`SoapFormatterDeserializeMethod() {`
`190`	`193`	`this.getDeclaringType() instanceof SoapFormatterClass and`
`191`	`194`	`this.hasName("Deserialize")`
`@@ -197,7 +200,7 @@ class ObjectStateFormatterClass extends Class {`
`197`	`200`	`ObjectStateFormatterClass() { this.hasQualifiedName("System.Web.UI.ObjectStateFormatter") }`
`198`	`201`	`}`
`199`	`202`
`200`		`-class ObjectStateFormatterDeserializeMethod extends Method {`
	`203`	`+class ObjectStateFormatterDeserializeMethod extends Method, UnsafeDeserializer {`
`201`	`204`	`ObjectStateFormatterDeserializeMethod() {`
`202`	`205`	`this.getDeclaringType() instanceof ObjectStateFormatterClass and`
`203`	`206`	`this.hasName("Deserialize")`
`@@ -211,14 +214,14 @@ class NetDataContractSerializerClass extends Class {`
`211`	`214`	`}`
`212`	`215`	`}`
`213`	`216`
`214`		`-class NetDataContractSerializerDeserializeMethod extends Method {`
	`217`	`+class NetDataContractSerializerDeserializeMethod extends Method, UnsafeDeserializer {`
`215`	`218`	`NetDataContractSerializerDeserializeMethod() {`
`216`	`219`	`this.getDeclaringType() instanceof NetDataContractSerializerClass and`
`217`	`220`	`this.hasName("Deserialize")`
`218`	`221`	`}`
`219`	`222`	`}`
`220`	`223`
`221`		`-class NetDataContractSerializerReadObjectMethod extends Method {`
	`224`	`+class NetDataContractSerializerReadObjectMethod extends Method, UnsafeDeserializer {`
`222`	`225`	`NetDataContractSerializerReadObjectMethod() {`
`223`	`226`	`this.getDeclaringType() instanceof NetDataContractSerializerClass and`
`224`	`227`	`this.hasName("ReadObject")`
`@@ -232,7 +235,7 @@ class DataContractJsonSerializerClass extends Class {`
`232`	`235`	`}`
`233`	`236`	`}`
`234`	`237`
`235`		`-class DataContractJsonSerializerReadObjectMethod extends Method {`
	`238`	`+class DataContractJsonSerializerReadObjectMethod extends Method, UnsafeDeserializer {`
`236`	`239`	`DataContractJsonSerializerReadObjectMethod() {`
`237`	`240`	`this.getDeclaringType() instanceof DataContractJsonSerializerClass and`
`238`	`241`	`this.hasName("ReadObject")`
`@@ -246,14 +249,14 @@ class JavaScriptSerializerClass extends Class {`
`246`	`249`	`}`
`247`	`250`	`}`
`248`	`251`
`249`		`-class JavaScriptSerializerClassDeserializeMethod extends Method {`
	`252`	`+class JavaScriptSerializerClassDeserializeMethod extends Method, UnsafeDeserializer {`
`250`	`253`	`JavaScriptSerializerClassDeserializeMethod() {`
`251`	`254`	`this.getDeclaringType() instanceof JavaScriptSerializerClass and`
`252`	`255`	`this.hasName("Deserialize")`
`253`	`256`	`}`
`254`	`257`	`}`
`255`	`258`
`256`		`-class JavaScriptSerializerClassDeserializeObjectMethod extends Method {`
	`259`	`+class JavaScriptSerializerClassDeserializeObjectMethod extends Method, UnsafeDeserializer {`
`257`	`260`	`JavaScriptSerializerClassDeserializeObjectMethod() {`
`258`	`261`	`this.getDeclaringType() instanceof JavaScriptSerializerClass and`
`259`	`262`	`this.hasName("DeserializeObject")`
`@@ -267,7 +270,7 @@ class XmlObjectSerializerClass extends Class {`
`267`	`270`	`}`
`268`	`271`	`}`
`269`	`272`
`270`		`-class XmlObjectSerializerReadObjectMethod extends Method {`
	`273`	`+class XmlObjectSerializerReadObjectMethod extends Method, UnsafeDeserializer {`
`271`	`274`	`XmlObjectSerializerReadObjectMethod() {`
`272`	`275`	`this.getDeclaringType() instanceof XmlObjectSerializerClass and`
`273`	`276`	`this.hasName("ReadObject")`
`@@ -279,7 +282,7 @@ class XmlSerializerClass extends Class {`
`279`	`282`	`XmlSerializerClass() { this.hasQualifiedName("System.Xml.Serialization.XmlSerializer") }`
`280`	`283`	`}`
`281`	`284`
`282`		`-class XmlSerializerDeserializeMethod extends Method {`
	`285`	`+class XmlSerializerDeserializeMethod extends Method, UnsafeDeserializer {`
`283`	`286`	`XmlSerializerDeserializeMethod() {`
`284`	`287`	`this.getDeclaringType() instanceof XmlSerializerClass and`
`285`	`288`	`this.hasName("Deserialize")`
`@@ -293,7 +296,7 @@ class DataContractSerializerClass extends Class {`
`293`	`296`	`}`
`294`	`297`	`}`
`295`	`298`
`296`		`-class DataContractSerializerReadObjectMethod extends Method {`
	`299`	`+class DataContractSerializerReadObjectMethod extends Method, UnsafeDeserializer {`
`297`	`300`	`DataContractSerializerReadObjectMethod() {`
`298`	`301`	`this.getDeclaringType() instanceof DataContractSerializerClass and`
`299`	`302`	`this.hasName("ReadObject")`
`@@ -305,7 +308,7 @@ class XmlMessageFormatterClass extends Class {`
`305`	`308`	`XmlMessageFormatterClass() { this.hasQualifiedName("System.Messaging.XmlMessageFormatter") }`
`306`	`309`	`}`
`307`	`310`
`308`		`-class XmlMessageFormatterReadMethod extends Method {`
	`311`	`+class XmlMessageFormatterReadMethod extends Method, UnsafeDeserializer {`
`309`	`312`	`XmlMessageFormatterReadMethod() {`
`310`	`313`	`this.getDeclaringType() instanceof XmlMessageFormatterClass and`
`311`	`314`	`this.hasName("Read")`
`@@ -317,7 +320,7 @@ class LosFormatterClass extends Class {`
`317`	`320`	`LosFormatterClass() { this.hasQualifiedName("System.Web.UI.LosFormatter") }`
`318`	`321`	`}`
`319`	`322`
`320`		`-class LosFormatterDeserializeMethod extends Method {`
	`323`	`+class LosFormatterDeserializeMethod extends Method, UnsafeDeserializer {`
`321`	`324`	`LosFormatterDeserializeMethod() {`
`322`	`325`	`this.getDeclaringType() instanceof LosFormatterClass and`
`323`	`326`	`this.hasName("Deserialize")`
`@@ -329,7 +332,7 @@ class FastJsonClass extends Class {`
`329`	`332`	`FastJsonClass() { this.hasQualifiedName("fastJSON.JSON") }`
`330`	`333`	`}`
`331`	`334`
`332`		`-class FastJsonClassToObjectMethod extends Method {`
	`335`	`+class FastJsonClassToObjectMethod extends Method, UnsafeDeserializer {`
`333`	`336`	`FastJsonClassToObjectMethod() {`
`334`	`337`	`this.getDeclaringType() instanceof FastJsonClass and`
`335`	`338`	`this.hasName("ToObject") and`
`@@ -342,7 +345,7 @@ class ActivityClass extends Class {`
`342`	`345`	`ActivityClass() { this.hasQualifiedName("System.Workflow.ComponentModel.Activity") }`
`343`	`346`	`}`
`344`	`347`
`345`		`-class ActivityLoadMethod extends Method {`
	`348`	`+class ActivityLoadMethod extends Method, UnsafeDeserializer {`
`346`	`349`	`ActivityLoadMethod() {`
`347`	`350`	`this.getDeclaringType() instanceof ActivityClass and`
`348`	`351`	`this.hasName("Load")`
`@@ -354,7 +357,7 @@ class ResourceReaderClass extends Class {`
`354`	`357`	`ResourceReaderClass() { this.hasQualifiedName("System.Resources.ResourceReader") }`
`355`	`358`	`}`
`356`	`359`
`357`		`-class ResourceReaderConstructor extends Constructor {`
	`360`	`+class ResourceReaderConstructor extends Constructor, UnsafeDeserializer {`
`358`	`361`	`ResourceReaderConstructor() {`
`359`	`362`	`this.getDeclaringType() instanceof ResourceReaderClass and`
`360`	`363`	`this.hasName("ResourceReader")`
`@@ -366,7 +369,7 @@ class BinaryMessageFormatterClass extends Class {`
`366`	`369`	`BinaryMessageFormatterClass() { this.hasQualifiedName("System.Messaging.BinaryMessageFormatter") }`
`367`	`370`	`}`
`368`	`371`
`369`		`-class BinaryMessageFormatterReadMethod extends Method {`
	`372`	`+class BinaryMessageFormatterReadMethod extends Method, UnsafeDeserializer {`
`370`	`373`	`BinaryMessageFormatterReadMethod() {`
`371`	`374`	`this.getDeclaringType() instanceof BinaryMessageFormatterClass and`
`372`	`375`	`this.hasName("Read")`
`@@ -378,23 +381,23 @@ class XamlReaderClass extends Class {`
`378`	`381`	`XamlReaderClass() { this.hasQualifiedName("System.Windows.Markup.XamlReader") }`
`379`	`382`	`}`
`380`	`383`
`381`		`-class XamlReaderParseMethod extends Method {`
	`384`	`+class XamlReaderParseMethod extends Method, UnsafeDeserializer {`
`382`	`385`	`XamlReaderParseMethod() {`
`383`	`386`	`this.getDeclaringType() instanceof XamlReaderClass and`
`384`	`387`	`this.hasName("Parse") and`
`385`	`388`	`this.isStatic()`
`386`	`389`	`}`
`387`	`390`	`}`
`388`	`391`
`389`		`-class XamlReaderLoadMethod extends Method {`
	`392`	`+class XamlReaderLoadMethod extends Method, UnsafeDeserializer {`
`390`	`393`	`XamlReaderLoadMethod() {`
`391`	`394`	`this.getDeclaringType() instanceof XamlReaderClass and`
`392`	`395`	`this.hasName("Load") and`
`393`	`396`	`this.isStatic()`
`394`	`397`	`}`
`395`	`398`	`}`
`396`	`399`
`397`		`-class XamlReaderLoadAsyncMethod extends Method {`
	`400`	`+class XamlReaderLoadAsyncMethod extends Method, UnsafeDeserializer {`
`398`	`401`	`XamlReaderLoadAsyncMethod() {`
`399`	`402`	`this.getDeclaringType() instanceof XamlReaderClass and`
`400`	`403`	`this.hasName("LoadAsync")`
`@@ -406,14 +409,14 @@ class ProxyObjectClass extends Class {`
`406`	`409`	`ProxyObjectClass() { this.hasQualifiedName("Microsoft.Web.Design.Remote.ProxyObject") }`
`407`	`410`	`}`
`408`	`411`
`409`		`-class ProxyObjectDecodeValueMethod extends Method {`
	`412`	`+class ProxyObjectDecodeValueMethod extends Method, UnsafeDeserializer {`
`410`	`413`	`ProxyObjectDecodeValueMethod() {`
`411`	`414`	`this.getDeclaringType() instanceof ProxyObjectClass and`
`412`	`415`	`this.hasName("DecodeValue")`
`413`	`416`	`}`
`414`	`417`	`}`
`415`	`418`
`416`		`-class ProxyObjectDecodeSerializedObjectMethod extends Method {`
	`419`	`+class ProxyObjectDecodeSerializedObjectMethod extends Method, UnsafeDeserializer {`
`417`	`420`	`ProxyObjectDecodeSerializedObjectMethod() {`
`418`	`421`	`this.getDeclaringType() instanceof ProxyObjectClass and`
`419`	`422`	`this.hasName("DecodeSerializedObject")`
`@@ -425,7 +428,7 @@ class JaysonConverterClass extends Class {`
`425`	`428`	`JaysonConverterClass() { this.hasQualifiedName("Sweet.Jayson.JaysonConverter") }`
`426`	`429`	`}`
`427`	`430`
`428`		`-class JaysonConverterToObjectMethod extends Method {`
	`431`	`+class JaysonConverterToObjectMethod extends Method, UnsafeDeserializer {`
`429`	`432`	`JaysonConverterToObjectMethod() {`
`430`	`433`	`this.getDeclaringType() instanceof JaysonConverterClass and`
`431`	`434`	`this.hasName("ToObject") and`
`@@ -440,23 +443,23 @@ class ServiceStackTextJsonSerializerClass extends Class {`
`440`	`443`	`}`
`441`	`444`	`}`
`442`	`445`
`443`		`-class ServiceStackTextJsonSerializerDeserializeFromStringMethod extends Method {`
	`446`	`+class ServiceStackTextJsonSerializerDeserializeFromStringMethod extends Method, UnsafeDeserializer {`
`444`	`447`	`ServiceStackTextJsonSerializerDeserializeFromStringMethod() {`
`445`	`448`	`this.getDeclaringType() instanceof ServiceStackTextJsonSerializerClass and`
`446`	`449`	`this.hasName("DeserializeFromString") and`
`447`	`450`	`this.isStatic()`
`448`	`451`	`}`
`449`	`452`	`}`
`450`	`453`
`451`		`-class ServiceStackTextJsonSerializerDeserializeFromReaderMethod extends Method {`
	`454`	`+class ServiceStackTextJsonSerializerDeserializeFromReaderMethod extends Method, UnsafeDeserializer {`
`452`	`455`	`ServiceStackTextJsonSerializerDeserializeFromReaderMethod() {`
`453`	`456`	`this.getDeclaringType() instanceof ServiceStackTextJsonSerializerClass and`
`454`	`457`	`this.hasName("DeserializeFromReader") and`
`455`	`458`	`this.isStatic()`
`456`	`459`	`}`
`457`	`460`	`}`
`458`	`461`
`459`		`-class ServiceStackTextJsonSerializerDeserializeFromStreamMethod extends Method {`
	`462`	`+class ServiceStackTextJsonSerializerDeserializeFromStreamMethod extends Method, UnsafeDeserializer {`
`460`	`463`	`ServiceStackTextJsonSerializerDeserializeFromStreamMethod() {`
`461`	`464`	`this.getDeclaringType() instanceof ServiceStackTextJsonSerializerClass and`
`462`	`465`	`this.hasName("DeserializeFromStream") and`
`@@ -471,23 +474,23 @@ class ServiceStackTextTypeSerializerClass extends Class {`
`471`	`474`	`}`
`472`	`475`	`}`
`473`	`476`
`474`		`-class ServiceStackTextTypeSerializerDeserializeFromStringMethod extends Method {`
	`477`	`+class ServiceStackTextTypeSerializerDeserializeFromStringMethod extends Method, UnsafeDeserializer {`
`475`	`478`	`ServiceStackTextTypeSerializerDeserializeFromStringMethod() {`
`476`	`479`	`this.getDeclaringType() instanceof ServiceStackTextTypeSerializerClass and`
`477`	`480`	`this.hasName("DeserializeFromString") and`
`478`	`481`	`this.isStatic()`
`479`	`482`	`}`
`480`	`483`	`}`
`481`	`484`
`482`		`-class ServiceStackTextTypeSerializerDeserializeFromReaderMethod extends Method {`
	`485`	`+class ServiceStackTextTypeSerializerDeserializeFromReaderMethod extends Method, UnsafeDeserializer {`
`483`	`486`	`ServiceStackTextTypeSerializerDeserializeFromReaderMethod() {`
`484`	`487`	`this.getDeclaringType() instanceof ServiceStackTextTypeSerializerClass and`
`485`	`488`	`this.hasName("DeserializeFromReader") and`
`486`	`489`	`this.isStatic()`
`487`	`490`	`}`
`488`	`491`	`}`
`489`	`492`
`490`		`-class ServiceStackTextTypeSerializerDeserializeFromStreamMethod extends Method {`
	`493`	`+class ServiceStackTextTypeSerializerDeserializeFromStreamMethod extends Method, UnsafeDeserializer {`
`491`	`494`	`ServiceStackTextTypeSerializerDeserializeFromStreamMethod() {`
`492`	`495`	`this.getDeclaringType() instanceof ServiceStackTextTypeSerializerClass and`
`493`	`496`	`this.hasName("DeserializeFromStream") and`
`@@ -500,23 +503,23 @@ class ServiceStackTextCsvSerializerClass extends Class {`
`500`	`503`	`ServiceStackTextCsvSerializerClass() { this.hasQualifiedName("ServiceStack.Text.CsvSerializer") }`
`501`	`504`	`}`
`502`	`505`
`503`		`-class ServiceStackTextCsvSerializerDeserializeFromStringMethod extends Method {`
	`506`	`+class ServiceStackTextCsvSerializerDeserializeFromStringMethod extends Method, UnsafeDeserializer {`
`504`	`507`	`ServiceStackTextCsvSerializerDeserializeFromStringMethod() {`
`505`	`508`	`this.getDeclaringType() instanceof ServiceStackTextCsvSerializerClass and`
`506`	`509`	`this.hasName("DeserializeFromString") and`
`507`	`510`	`this.isStatic()`
`508`	`511`	`}`
`509`	`512`	`}`
`510`	`513`
`511`		`-class ServiceStackTextCsvSerializerDeserializeFromReaderMethod extends Method {`
	`514`	`+class ServiceStackTextCsvSerializerDeserializeFromReaderMethod extends Method, UnsafeDeserializer {`
`512`	`515`	`ServiceStackTextCsvSerializerDeserializeFromReaderMethod() {`
`513`	`516`	`this.getDeclaringType() instanceof ServiceStackTextCsvSerializerClass and`
`514`	`517`	`this.hasName("DeserializeFromReader") and`
`515`	`518`	`this.isStatic()`
`516`	`519`	`}`
`517`	`520`	`}`
`518`	`521`
`519`		`-class ServiceStackTextCsvSerializerDeserializeFromStreamMethod extends Method {`
	`522`	`+class ServiceStackTextCsvSerializerDeserializeFromStreamMethod extends Method, UnsafeDeserializer {`
`520`	`523`	`ServiceStackTextCsvSerializerDeserializeFromStreamMethod() {`
`521`	`524`	`this.getDeclaringType() instanceof ServiceStackTextCsvSerializerClass and`
`522`	`525`	`this.hasName("DeserializeFromStream") and`
`@@ -529,23 +532,23 @@ class ServiceStackTextXmlSerializerClass extends Class {`
`529`	`532`	`ServiceStackTextXmlSerializerClass() { this.hasQualifiedName("ServiceStack.Text.XmlSerializer") }`
`530`	`533`	`}`
`531`	`534`
`532`		`-class ServiceStackTextXmlSerializerDeserializeFromStringMethod extends Method {`
	`535`	`+class ServiceStackTextXmlSerializerDeserializeFromStringMethod extends Method, UnsafeDeserializer {`
`533`	`536`	`ServiceStackTextXmlSerializerDeserializeFromStringMethod() {`
`534`	`537`	`this.getDeclaringType() instanceof ServiceStackTextXmlSerializerClass and`
`535`	`538`	`this.hasName("DeserializeFromString") and`
`536`	`539`	`this.isStatic()`
`537`	`540`	`}`
`538`	`541`	`}`
`539`	`542`
`540`		`-class ServiceStackTextXmlSerializerDeserializeFromReaderMethod extends Method {`
	`543`	`+class ServiceStackTextXmlSerializerDeserializeFromReaderMethod extends Method, UnsafeDeserializer {`
`541`	`544`	`ServiceStackTextXmlSerializerDeserializeFromReaderMethod() {`
`542`	`545`	`this.getDeclaringType() instanceof ServiceStackTextXmlSerializerClass and`
`543`	`546`	`this.hasName("DeserializeFromReader") and`
`544`	`547`	`this.isStatic()`
`545`	`548`	`}`
`546`	`549`	`}`
`547`	`550`
`548`		`-class ServiceStackTextXmlSerializerDeserializeFromStreamMethod extends Method {`
	`551`	`+class ServiceStackTextXmlSerializerDeserializeFromStreamMethod extends Method, UnsafeDeserializer {`
`549`	`552`	`ServiceStackTextXmlSerializerDeserializeFromStreamMethod() {`
`550`	`553`	`this.getDeclaringType() instanceof ServiceStackTextXmlSerializerClass and`
`551`	`554`	`this.hasName("DeserializeFromStream") and`