
Deserialization of Untrusted Data in jsonpickle Module

PY509
deserialization_of_untrusted_data
CWE-502
⚠️ Warning
🔒 Professional Plan

The Python jsonpickle module serializes Python objects to JSON and deserializes them back. Like pickle, it is not safe to use on untrusted input: the JSON document itself tells the decoder which classes to import and instantiate and which callables to invoke while rebuilding the object graph, so a crafted document passed to jsonpickle.decode can execute attacker-chosen code. For example, an attacker could create a jsonpickle document containing such a payload and trick a user into loading it; when the application decodes the document, the malicious code would be executed.

Example

import jsonpickle


# Encoding is harmless; the risk is decode() on data the program did not produce itself.
pick = jsonpickle.encode({'a': 'b', 'c': 'd'})
# Flagged by PY509: decode() will honour any class or callable references in the input.
jsonpickle.decode(pick)

Remediation

Consider signing data with HMAC if you need to ensure that jsonpickle data has not been tampered with, and verify the signature before calling jsonpickle.decode, so that only payloads produced by a holder of the key are ever deserialized. Note that a MAC proves origin and integrity, not safety: it only helps when the producer is trusted and the key stays secret. For data that genuinely comes from untrusted parties, decode it with the plain json module into basic types instead of reconstructing objects.
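Added example (not part of the rule page or the jsonpickle project) of the remediation above: the sender wraps the jsonpickle output in an HMAC-SHA256 token, and the receiver checks the MAC with a constant-time comparison before the payload is allowed anywhere near a decoder. The key, the token format and the helper names are assumptions for the demo.

```python
import base64
import hashlib
import hmac
from typing import Any, Callable

# Hypothetical token format: "<hex HMAC-SHA256>.<urlsafe base64 payload>".
# Neither hex nor urlsafe base64 contains ".", so splitting on it is unambiguous.
SEPARATOR = "."


def sign_payload(key: bytes, payload: str) -> str:
    """Attach a MAC to an already-serialized payload (e.g. jsonpickle.encode output)."""
    mac = hmac.new(key, payload.encode("utf-8"), hashlib.sha256).hexdigest()
    body = base64.urlsafe_b64encode(payload.encode("utf-8")).decode("ascii")
    return mac + SEPARATOR + body


def verify_and_decode(key: bytes, token: str, decoder: Callable[[str], Any]) -> Any:
    """Verify the MAC first; only a payload that verifies is handed to the decoder."""
    try:
        mac, body = token.split(SEPARATOR, 1)
        payload = base64.urlsafe_b64decode(body.encode("ascii")).decode("utf-8")
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("malformed token") from exc
    expected = hmac.new(key, payload.encode("utf-8"), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the expected MAC through timing differences.
    if not hmac.compare_digest(mac, expected):
        raise ValueError("signature mismatch: refusing to deserialize")
    return decoder(payload)


def swap_body_keep_mac(token: str, new_payload: str) -> str:
    """Test fixture: replace the body without the key, leaving the old MAC in place."""
    mac, _ = token.split(SEPARATOR, 1)
    body = base64.urlsafe_b64encode(new_payload.encode("utf-8")).decode("ascii")
    return mac + SEPARATOR + body


if __name__ == "__main__":
    import jsonpickle  # only the demo needs it; sign/verify are decoder-agnostic

    key = b"constructed-demo-key-load-a-real-secret-instead"
    token = sign_payload(key, jsonpickle.encode({"a": "b", "c": "d"}))
    print(verify_and_decode(key, token, jsonpickle.decode))
```

The `decoder` argument keeps the MAC check independent of jsonpickle, so the same wrapper guards pickle.loads or any other unsafe loader.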

False Positives

In the case of a false positive the rule can be suppressed. Simply add a trailing or preceding comment line with either the rule ID (PY509) or rule category name (deserialization_of_untrusted_data).

Fix
import jsonpickle


pick = jsonpickle.encode({'a': 'b', 'c': 'd'})
# suppress: PY509  -- the data was produced by this process and never left it
jsonpickle.decode(pick)
