Merge pull request #2209 from hvitved/csharp/deserialized-delegate

Approved by calumgrant, jf205

Author: semmle-qlci

change-notes/1.23/analysis-csharp.md

@@ -8,6 +8,7 @@ The following changes in version 1.23 affect C# analysis in all applications.
 
 | **Query**                   | **Tags**  | **Purpose**                                                        |
 |-----------------------------|-----------|--------------------------------------------------------------------|
+| Deserialized delegate (`cs/deserialized-delegate`) | security, external/cwe/cwe-502 | Finds unsafe deserialization of delegate types. |
 | Unsafe year argument for 'DateTime' constructor (`cs/unsafe-year-construction`) | reliability, date-time | Finds incorrect manipulation of `DateTime` values, which could lead to invalid dates. |
 | Mishandling the Japanese era start date (`cs/mishandling-japanese-era`) | reliability, date-time | Finds hard-coded Japanese era start dates that could be invalid. |
 

csharp/ql/src/Security Features/CWE-502/DeserializedDelegate.ql

@@ -5,14 +5,11 @@
  * @kind problem
  * @id cs/deserialized-delegate
  * @problem.severity warning
+ * @precision high
  * @tags security
  *       external/cwe/cwe-502
  */
 
-/*
- * consider: @precision high
- */
-
 import csharp
 import semmle.code.csharp.frameworks.system.linq.Expressions
 import semmle.code.csharp.serialization.Deserializers