Comment by alexvitkov
6 days ago
In isolation, for any one particular bug, yes, but if you start applying this logic to everything, even problems as simple as reading some bytes from a file, you end up with a heap of dependencies for the most mundane things. We've tried that, it's bad.
I don't believe we must apply any guideline ad absurdum. Using a battle-tested marshalling/serialization library is clearly the way to go most often. Of course, one can still construct difficult-to-parse XML and JSON or any other blob for any given format, but the chances that bad input will result in an RCE are lower.
On the contrary, we've tried it and it works great.
No, I think in general you should trust other people with experience in an area more than your own naive self. Division of labor and all that.
There are exceptions, as always, but using dependencies is good as a first approximation.