rspec/rules/S5135/common/fix/safer-serialization.adoc

==== More secure serialization methods

Some more secure serialization methods reduce the risk of security breaches,
although not definitively.

A complete object serializer is probably unnecessary if you only need to
receive primitive data (for example integers, strings, bools, etc.). +
In this case, formats such as JSON and XML protect the application from
deserialization attacks by default.

For more complex objects, the next step is to control which class fields are
exposed by creating class-specific serialization methods. +
The most common method is to use Data Transfer Objects (DTO) patterns or Google
Protocol Buffers (protobufs). After creating the Protobuf data structure, the
Protobuf compiler creates class files that handle operations such as
serializing and deserializing data.
Modify Rule S5135(common text): Education Framework (APPSEC-75) (#1171) 2022-08-29 11:50:51 +02:00			`==== More secure serialization methods`

			`Some more secure serialization methods reduce the risk of security breaches,`
			`although not definitively.`

			`A complete object serializer is probably unnecessary if you only need to`
			`receive primitive data (for example integers, strings, bools, etc.). +`
			`In this case, formats such as JSON and XML protect the application from`
			`deserialization attacks by default.`

			`For more complex objects, the next step is to control which class fields are`
			`exposed by creating class-specific serialization methods. +`
			`The most common method is to use Data Transfer Objects (DTO) patterns or Google`
			`Protocol Buffers (protobufs). After creating the Protobuf data structure, the`
			`Protobuf compiler creates class files that handle operations such as`
			`serializing and deserializing data.`