Deserialization of Untrusted Data in the dill Module

PY506

deserialization_of_untrusted_data

CWE-502

⚠️ Warning

🔒 Professional Plan

---

The Python dill module provides a way to serialize and deserialize Python objects. However, it is important to be aware that malicious data can be used to attack applications that use the dill module. For example, malicious data could be used to cause the decoder to execute arbitrary code.

Example

import dill


pick = dill.dumps({'a': 'b', 'c': 'd'})
dill.loads(pick)

Remediation

To avoid this vulnerability, it is important to only deserialize data from trusted sources. If you are deserializing data from an untrusted source, you should first sanitize the data to remove any potential malicious code.

False Positives

In the case of a false positive the rule can be suppressed. Simply add a trailing or preceding comment line with either the rule ID (PY506) or rule category name (deserialization_of_untrusted_data).

Using rule ID

fix

import dill


pick = dill.dumps({'a': 'b', 'c': 'd'})
# suppress: PY506
dill.loads(pick)

Using category name

fix

import dill


pick = dill.dumps({'a': 'b', 'c': 'd'})
# suppress: deserialization_of_untrusted_data
dill.loads(pick)

See also

info

• dill package documentation
• CWE-502: Deserialization of Untrusted Data