Deserialization of Untrusted Data in the marshal Module
PY011
deserialization_of_untrusted_data
CWE-502
⚠️ Warning
The Python marshal module provides a way to serialize and deserialize
Python objects. However, it is important to be aware that malicious data
can be used to attack applications that use the marshal module. For example,
malicious data could be used to cause the decoder to execute arbitrary code.
Example
warning
import marshal
data = {'name': 'John Doe', 'age': 30}
with open('data.dat', 'wb') as f:
marshal.dump(data, f)
with open('data.dat', 'rb') as f:
loaded_data = marshal.load(f)
Remediation
fix
To avoid this vulnerability, it is important to only deserialize data from trusted sources. If you are deserializing data from an untrusted source, you should first sanitize the data to remove any potential malicious code.
False Positives
In the case of a false positive the rule can be suppressed. Simply add a
trailing or preceding comment line with either the rule ID (PY011) or
rule category name (deserialization_of_untrusted_data).
- Using rule ID
- Using category name
fix
import marshal
data = {'name': 'John Doe', 'age': 30}
with open('data.dat', 'wb') as f:
marshal.dump(data, f)
with open('data.dat', 'rb') as f:
# suppress: PY011
loaded_data = marshal.load(f)
fix
import marshal
data = {'name': 'John Doe', 'age': 30}
with open('data.dat', 'wb') as f:
marshal.dump(data, f)
with open('data.dat', 'rb') as f:
# suppress: deserialization_of_untrusted_data
loaded_data = marshal.load(f)