PSA: Don't ever use inbuilt deserialization libraries to deserialize untrusted/remote data. In any language. Ever. It's often direct RCE.
This is really a shame because there are so many ways it could be done right, but lang/stdlib designers have backwards values.
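The first post's point, that a generic deserializer lets the sender pick a callable that your process then invokes, shown as an added example that is not the poster's code. The pickle payload, the restricted unpickler and the JSON parser below are all constructed here for illustration; `payload_hook` stands in for the `os.system` call a real payload would name.

```python
"""Added example (not from the thread): a pickle payload that runs code on
load, a restricted unpickler that refuses it, and a data-only JSON parser."""
import io
import json
import pickle
from dataclasses import dataclass

# Constructed side-effect sink. A real payload would name os.system or
# subprocess.Popen here; a recorder keeps the example safe to run.
_EXECUTED = []


def payload_hook(marker):
    _EXECUTED.append(marker)
    return marker


class Evil:
    """pickle asks __reduce__ how to rebuild the object and stores the answer
    as (callable, args); the *victim* invokes that callable on loads()."""

    def __reduce__(self):
        return (payload_hook, ("pwned",))


def build_malicious_pickle() -> bytes:
    return pickle.dumps(Evil())


def build_benign_pickle() -> bytes:
    # Constructed data-only document: needs no globals to rebuild.
    return pickle.dumps({"id": 7, "tags": ["a", "b"]})


def executed_markers() -> list:
    return list(_EXECUTED)


def reset_markers() -> None:
    _EXECUTED.clear()


# Naive victim: whatever global the stream names gets imported and called.
def load_naive(data: bytes):
    return pickle.loads(data)


# Hardened victim: refuse every global except a closed allow-list of
# data-only builtins. This turns the payload into an exception instead of
# a call, but it is a mitigation, not a reason to accept pickle remotely.
class RestrictedUnpickler(pickle.Unpickler):
    ALLOWED = {("builtins", "set"), ("builtins", "frozenset")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def load_restricted(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def rejected_by_restricted_loader(data: bytes) -> bool:
    try:
        load_restricted(data)
    except pickle.UnpicklingError:
        return True
    return False


# Data-only alternative: the wire format can only express plain values and
# the application, not the sender, decides which type to construct.
@dataclass(frozen=True)
class User:
    name: str
    admin: bool


def parse_user(text: str) -> User:
    raw = json.loads(text)  # yields only dict/list/str/int/float/bool/None
    if not isinstance(raw, dict) or set(raw) != {"name", "admin"}:
        raise ValueError("unexpected shape")
    if not isinstance(raw["name"], str) or not isinstance(raw["admin"], bool):
        raise ValueError("unexpected field types")
    return User(raw["name"], raw["admin"])


def rejected_by_parse_user(text: str) -> bool:
    try:
        parse_user(text)
    except (ValueError, TypeError):
        return True
    return False


if __name__ == "__main__":
    data = build_malicious_pickle()
    print("naive loads ->", load_naive(data), "executed:", executed_markers())
    print("restricted rejects payload:", rejected_by_restricted_loader(data))
    print("restricted loads data-only:", load_restricted(build_benign_pickle()))
    print(parse_user('{"name": "alice", "admin": false}'))
```

The naive loader runs `payload_hook` before any application code sees the object; the restricted loader is the usual "allow-list `find_class`" workaround and still leaves every allowed constructor reachable, which is why the JSON path, where construction happens only in `parse_user`, is the shape the post is asking for.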
If it's a generic deserializer that does reflective construction under the hood, I'm not sure there is a way to do it securely.
You presume I consider any form of construction not to be harmful expressiveness. :-)
Jokes aside, pure functional construction could be safe. But the ability of construction to have side effects is problematic.
They see expressive power as a feature rather than a bug.