Deserialization of Untrusted Data in the shelve Module

PY015

deserialization_of_untrusted_data

CWE-502

⚠️ Warning

---

The Python shelve module provides a way to store Python objects in a file. It is backed by the pickle module, which is a serialization format that can be used to store arbitrary Python objects.

However, it is important to be aware that the shelve module is not secure against malicious data. For example, a malicious shelf could be used to cause the decoder to execute arbitrary code.

Example

import shelve


with shelve.open('spam') as db:
    db['eggs'] = 'eggs'

Remediation

To avoid this vulnerability, it is important to only use the shelve module with data from trusted sources. If you are using the shelve module with data from an untrusted source, you should first sanitize the data to remove any potential malicious code.

False Positives

In the case of a false positive the rule can be suppressed. Simply add a trailing or preceding comment line with either the rule ID (PY015) or rule category name (deserialization_of_untrusted_data).

Using rule ID

fix

import shelve


# suppress: PY015
with shelve.open('spam') as db:
    db['eggs'] = 'eggs'

Using category name

fix

import shelve


# suppress: deserialization_of_untrusted_data
with shelve.open('spam') as db:
    db['eggs'] = 'eggs'

See also

info

• shelve — Python object persistence
• CWE-502: Deserialization of Untrusted Data