Closed pixeebot[bot] closed 2 months ago
Issues
0 New issues
0 Accepted issues
Measures
0 Security Hotspots
0.0% Coverage on New Code
83.3% Duplication on New Code
I'm confident in this change, and the CI checks pass, too!
If you see any reason not to merge this, or you have suggestions for improvements, please let me know!
Just a friendly ping to remind you about this change. If there are concerns about it, we'd love to hear about them!
This change may not be a priority right now, so I'll close it. If there was something I could have done better, please let me know!
You can also customize me to make sure I'm working with you in the way you want.
Python's
pickle
module is notoriouly insecure. While it is very useful for serializing and deserializing Python objects, it is not safe to usepickle
to load data from untrusted sources. This is becausepickle
can execute arbitrary code when loading data. This can be exploited by an attacker to execute arbitrary code on your system. Unlikeyaml
there is no concept of a "safe" loader inpickle
. Therefore, it is recommended to avoidpickle
and to use a different serialization format such asjson
oryaml
when working with untrusted data.However, if you must use
pickle
to load data from an untrusted source, we recommend using the open-sourcefickling
library.fickling
is a drop-in replacement forpickle
that validates the data before loading it and checks for the possibility of code execution. This makes it much safer (although still not entirely safe) to usepickle
to load data from untrusted sources.This codemod replaces calls to
pickle.load
withfickling.load
in Python code. It also adds an import statement forfickling
if it is not already present.The changes look like the following:
Dependency Updates
This codemod relies on an external dependency. We have automatically added this dependency to your project's
pyproject.toml
file.This package provides analysis of pickled data to help identify potential security vulnerabilities.
There are a number of places where Python project dependencies can be expressed, including
setup.py
,pyproject.toml
,setup.cfg
, andrequirements.txt
files. If this change is incorrect, or if you are using another packaging system such aspoetry
, it may be necessary for you to manually add the dependency to the proper location in your project.More reading
* [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html) * [https://owasp.org/www-community/vulnerabilities/Deserialization_of_untrusted_data](https://owasp.org/www-community/vulnerabilities/Deserialization_of_untrusted_data) * [https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html#clear-box-review_1](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html#clear-box-review_1) * [https://github.com/trailofbits/fickling](https://github.com/trailofbits/fickling)🧚🤖 Powered by Pixeebot
Feedback | Community | Docs | Codemod ID: pixee:python/harden-pickle-load