YamlDotNet

Author: edvraa

csharp/ql/src/semmle/code/csharp/security/dataflow/UnsafeDeserialization.qll

@@ -812,4 +812,18 @@ module UnsafeDeserialization {
       )
     }
   }
+
+  /** YamlDotNet */
+  private class YamlDotNetDeserializerDeserializeMethodSink extends ConstructorOrStaticMethodSink {
+    YamlDotNetDeserializerDeserializeMethodSink() {
+      exists(MethodCall mc, Method m |
+        m = mc.getTarget() and
+        (
+          not mc.getArgument(0).hasValue() and
+          m instanceof YamlDotNetDeserializerClasseserializeMethod
+        ) and
+        this.asExpr() = mc.getArgument(0)
+      )
+    }
+  }
 }

csharp/ql/src/semmle/code/csharp/serialization/Deserializers.qll

@@ -65,6 +65,8 @@ class WeakTypeDeserializer extends Class {
     this instanceof ServiceStackTextXmlSerializerClass
     or
     this instanceof SharpSerializerClass
+    or
+    this instanceof YamlDotNetDeserializerClass
   }
 }
 
@@ -639,3 +641,19 @@ class SharpSerializerClassDeserializeMethod extends Method, UnsafeDeserializer {
     this.hasName("Deserialize")
   }
 }
+
+/** YamlDotNet.Serialization.Deserializer */
+private class YamlDotNetDeserializerClass extends Class {
+  YamlDotNetDeserializerClass() { this.hasQualifiedName("YamlDotNet.Serialization.Deserializer") }
+}
+
+/** `YamlDotNet.Serialization.Deserializer.Deserialize` method */
+class YamlDotNetDeserializerClasseserializeMethod extends Method, UnsafeDeserializer {
+  YamlDotNetDeserializerClasseserializeMethod() {
+    exists(YamlDotNetDeserializerClass c |
+      this.getDeclaringType().getBaseClass*() = c and
+      this.hasName("Deserialize") and
+      c.getALocation().(Assembly).getVersion().getMajor() < 5
+    )
+  }
+}