Deserialization of Untrusted Data in the marshal Module
PY011
deserialization_of_untrusted_data
CWE-502
⚠️ Warning
The Python marshal module serializes and deserializes Python objects; it exists to read and write compiled .pyc files, not to exchange data with other parties. Its own documentation warns that it is not intended to be secure against erroneous or maliciously constructed data and that data from an untrusted or unauthenticated source must never be unmarshalled. A marshal stream can carry code objects, so a crafted stream can hand the application attacker-chosen bytecode that runs as soon as the loaded object is exec'd, evaluated or called, and malformed input can corrupt or crash the interpreter during loading itself. marshal.load() and marshal.loads() therefore must only be given data the application produced itself or has already verified.
Example
import marshal

data = {'name': 'John Doe', 'age': 30}

# Writing with marshal is harmless in itself.
with open('data.dat', 'wb') as f:
    marshal.dump(data, f)

# This is the call the rule flags: the file contents are trusted blindly,
# so anyone who can write data.dat controls what marshal.load() returns.
with open('data.dat', 'rb') as f:
    loaded_data = marshal.load(f)
Remediation
To avoid this vulnerability, only deserialize data that comes from a trusted source, such as a file the application wrote itself under a path no untrusted party can modify. A marshal stream cannot be "sanitized": there is no way to inspect the bytes and strip malicious content without re-implementing the loader. If the data originates from a user, the network or a shared location, use a format that has no notion of code objects, such as json, and validate the decoded structure. If the marshal format itself is required, authenticate the serialized bytes (for example with an HMAC under a key the writer and reader share) and verify the tag before the bytes ever reach marshal.load() or marshal.loads().
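The following is an added example, not code from the rule documentation or from the marshal module itself. It shows the three points above in working code: that a marshal stream can carry a code object, how to authenticate marshal data with HMAC-SHA256 so that tampered or foreign data is rejected before marshal.loads() sees it, and the JSON path that is preferable for genuinely untrusted input. The key value and the sample record are constructed for the example; a real application would load the key from a secrets store.

```python
import hashlib
import hmac
import json
import marshal
import types

# Constructed for this example. Hypothetical value; in production the key
# comes from a secrets manager and is never stored beside the data.
SECRET_KEY = b"example-key-do-not-use-in-production"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def marshal_carries_code() -> bool:
    """Why marshal is unsafe for untrusted input: a stream may hold a code
    object, i.e. caller-chosen bytecode. Loading it does not run it, but any
    exec(), eval() or call on the result would."""
    payload = marshal.dumps(compile("print('hello')", "<payload>", "exec"))
    loaded = marshal.loads(payload)
    return isinstance(loaded, types.CodeType)


def dump_signed(obj, key: bytes) -> bytes:
    """Serialize with marshal and prepend an HMAC-SHA256 tag over the body."""
    body = marshal.dumps(obj)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return tag + body


def load_signed(blob: bytes, key: bytes):
    """Verify the tag in constant time BEFORE the body reaches marshal.loads.
    Any mismatch (tampering, wrong key, truncated input) raises ValueError
    and the bytes are never unmarshalled."""
    if len(blob) < TAG_LEN:
        raise ValueError("blob too short to carry an integrity tag")
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed; refusing to unmarshal")
    return marshal.loads(body)


def load_untrusted_json(raw: bytes) -> dict:
    """Preferred path for data from an untrusted source: JSON can only
    produce dict/list/str/int/float/bool/None, never code objects. The
    shape is still validated because parsing alone proves nothing."""
    obj = json.loads(raw)
    if not isinstance(obj, dict):
        raise ValueError("expected a JSON object at the top level")
    return obj


if __name__ == "__main__":
    record = {"name": "John Doe", "age": 30}  # constructed sample record
    blob = dump_signed(record, SECRET_KEY)
    assert load_signed(blob, SECRET_KEY) == record
    # Flip one bit in the body: the tag no longer matches and loading is refused.
    tampered = blob[:-1] + bytes([blob[-1] ^ 0x01])
    try:
        load_signed(tampered, SECRET_KEY)
    except ValueError as exc:
        print("rejected:", exc)
    print("marshal can carry code objects:", marshal_carries_code())
```

The tag is checked with hmac.compare_digest() rather than == so that a forger learns nothing from timing differences, and the comparison happens before marshal.loads() is called, so a stream that would crash or exploit the loader is dropped unread. The JSON helper is the path to use when the producer cannot be authenticated at all.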
False Positives
In the case of a false positive the rule can be suppressed. Simply add a trailing or preceding comment line with either the rule ID (PY011) or the rule category name (deserialization_of_untrusted_data).
Using rule ID

import marshal

data = {'name': 'John Doe', 'age': 30}

with open('data.dat', 'wb') as f:
    marshal.dump(data, f)

with open('data.dat', 'rb') as f:
    # suppress: PY011
    loaded_data = marshal.load(f)

Using category name

import marshal

data = {'name': 'John Doe', 'age': 30}

with open('data.dat', 'wb') as f:
    marshal.dump(data, f)

with open('data.dat', 'rb') as f:
    # suppress: deserialization_of_untrusted_data
    loaded_data = marshal.load(f)