
Deserialization of Untrusted Data in the dill Module

📐 PY506
🏷️ deserialization_of_untrusted_data
ℹ️ CWE-502
⚠️ Warning
🔒 Professional Plan

The Python dill module provides a way to serialize and deserialize Python objects. However, be aware that malicious data can be used to attack applications that use the dill module: like pickle, dill reconstructs objects by following instructions embedded in the serialized stream, so crafted data handed to the decoder can cause it to execute arbitrary code.

Example

import dill


pick = dill.dumps({'a': 'b', 'c': 'd'})
dill.loads(pick)  # flagged: loads() executes whatever the serialized bytes instruct

Remediation

To avoid this vulnerability, only deserialize data from trusted sources. If you must deserialize data from an untrusted source, sanitize it first to remove any potentially malicious content.
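Added example, not part of the original page: because a pickle-style stream cannot be meaningfully sanitized, one practical way to enforce "trusted sources only" is to authenticate the serialized bytes with an HMAC and refuse to call `dill.loads` unless the tag verifies. The key, the `dill_hmac_dumps`/`dill_hmac_loads` helper names and the fallback to the standard `pickle` module when `dill` is not installed are assumptions of this example.

```python
import hashlib
import hmac

try:
    import dill as serializer  # the module this rule is about
except ImportError:  # assumption: stdlib pickle shares the dumps/loads API
    import pickle as serializer

TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag


def dill_hmac_dumps(obj, key: bytes) -> bytes:
    """Serialize obj and prepend an HMAC-SHA256 tag over the serialized bytes."""
    payload = serializer.dumps(obj)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return tag + payload


def dill_hmac_loads(blob: bytes, key: bytes):
    """Verify the tag first; only then hand the bytes to the deserializer.

    Raises ValueError for truncated or tampered input, so unauthenticated
    bytes never reach loads() and cannot trigger its code execution.
    """
    if len(blob) < TAG_LEN:
        raise ValueError("blob too short to carry an HMAC tag")
    tag, payload = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("HMAC verification failed; refusing to deserialize")
    return serializer.loads(payload)


def demo() -> bool:
    """Round-trip a value, then show that a tampered blob is rejected."""
    key = b"constructed-demo-key-not-for-production"  # assumption: real key comes from a secret store
    blob = dill_hmac_dumps({'a': 'b', 'c': 'd'}, key)
    assert dill_hmac_loads(blob, key) == {'a': 'b', 'c': 'd'}
    tampered = blob[:-1] + bytes([blob[-1] ^ 0x01])  # flip one bit of the payload
    try:
        dill_hmac_loads(tampered, key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("tampered blob rejected:", demo())
```

The tag only proves the bytes came from a key holder; it does not make `loads()` itself safe, so the key must stay out of reach of whoever supplies the data.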

False Positives

In the case of a false positive the rule can be suppressed. Simply add a trailing or preceding comment line with either the rule ID (PY506) or rule category name (deserialization_of_untrusted_data).

import dill


pick = dill.dumps({'a': 'b', 'c': 'd'})
# suppress: PY506
dill.loads(pick)

See also