Azure · hallvictoria · Apr 23, 2026 · Apr 23, 2026 · Apr 23, 2026 · Apr 23, 2026
@@ -6,6 +6,13 @@
 from importlib import import_module
 
 
+_DESERIALIZATION_LIST = {
+    'azure.functions._cosmosdb': {'Document'},
+    'azure.functions._sql': {'SqlRow'},
+    'azure.functions._mysql': {'MySqlRow'},
+}
+
+
 # Utilities
 def _serialize_custom_object(obj):
     """Serialize a user-defined object to JSON.
@@ -62,6 +69,8 @@ def _deserialize_custom_object(obj: dict) -> object:
 
     Exceptions
     ----------
+    ValueError
+        If the module or class is not in the deserialization list
     TypeError
         If the decoded object does not contain a `from_json` function
     """
@@ -70,7 +79,23 @@ def _deserialize_custom_object(obj: dict) -> object:
         module_name = obj.pop("__module__")
         obj_data = obj.pop("__data__")
 
-        # Importing the clas
+        # Validate module and class
+        if module_name not in _DESERIALIZATION_LIST:
+            raise ValueError(
+                f"Deserialization of module '{module_name}' is not allowed. "
+                f"Only the following modules are permitted: "
+                f"{', '.join(_DESERIALIZATION_LIST.keys())}"
+            )
+
+        allowed_classes = _DESERIALIZATION_LIST[module_name]
+        if class_name not in allowed_classes:
+            raise ValueError(
+                f"Deserialization of class '{class_name}' from module "
+                f"'{module_name}' is not allowed. "
+                f"Only the following classes are permitted: "
+                f"{', '.join(allowed_classes)}"
+            )
+
         module = import_module(module_name)
         class_ = getattr(module, class_name)