Closed franciscosanchezoliver closed 3 months ago
This sounds like a problem with Fortify rather than pandas to me. Have you tried contacting them instead?
> is it possible to address this concern directly within the pandas library to enhance its security profile?
No, the nature of how pickling works allows people to construct malicious pickle data; there is nothing we can do about that.
Thanks for the issue, but please view https://github.com/pandas-dev/pandas/issues/48049 and related issues. As you mentioned, you don't use read_pickle in your codebase, so you should be safe to ignore that warning. Closing.
Thank you very much @Aloqeely and @mroeschke for the clarification. I have opened a ticket to Fortify as this is not a problem with Pandas.
Research
[X] I have searched the [pandas] tag on StackOverflow for similar questions.
[X] I have asked my usage related question on StackOverflow.
Link to question on StackOverflow
https://stackoverflow.com/questions/78683485/critical-vulnerability-detection-in-pandas-library-by-fortify-due-to-read-pickle
Question about pandas
Our company utilizes the pandas library extensively in our software. However, Fortify, our security analysis tool, flags pandas as having a critical vulnerability due to the read_pickle function, which has the potential to execute malicious code. Note that we do not use the read_pickle function in our codebase, but Fortify still identifies this as a critical issue.
We have tried to solve this by importing only specific submodules of pandas that we use (to avoid importing the entire library) but Fortify continues to detect the critical vulnerability associated with read_pickle.
We wonder if there is a solution to this issue. Is there a way to structure our imports or configure pandas to avoid including read_pickle entirely?
Alternatively, is it possible to address this concern directly within the pandas library to enhance its security profile?
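
Added example, not part of the thread and not pandas or Fortify code: a small AST scan a team could run over its own sources to back up the statement that it never calls `read_pickle` or `pickle.load`/`loads`. The function name `find_pickle_loads` and the sample source are constructed for illustration.

```python
import ast

def find_pickle_loads(source, filename="<src>"):
    """Return sorted (line, description) pairs for calls that load pickle data."""
    tree = ast.parse(source, filename)
    pickle_aliases = set()  # local names bound to the pickle module
    direct = {}             # local name -> sink imported by name
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.name == "pickle":
                    pickle_aliases.add(a.asname or a.name)
        elif isinstance(node, ast.ImportFrom) and node.module:
            top = node.module.split(".")[0]
            for a in node.names:
                if top == "pandas" and a.name == "read_pickle":
                    direct[a.asname or a.name] = "pandas.read_pickle"
                elif node.module == "pickle" and a.name in ("load", "loads"):
                    direct[a.asname or a.name] = "pickle." + a.name
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        if isinstance(f, ast.Attribute):
            if f.attr == "read_pickle":  # pd.read_pickle, pandas.read_pickle, ...
                findings.append((node.lineno, "read_pickle call"))
            elif (f.attr in ("load", "loads") and isinstance(f.value, ast.Name)
                  and f.value.id in pickle_aliases):
                findings.append((node.lineno, "pickle." + f.attr + " call"))
        elif isinstance(f, ast.Name) and f.id in direct:
            findings.append((node.lineno, direct[f.id] + " call"))
    return sorted(findings)

# Constructed sample source; it is only parsed, never executed.
SAMPLE = '''\
import pandas as pd
import pickle as pk
from pandas import read_pickle as rp

df = pd.read_csv("data.csv")
a = pd.read_pickle("frame.pkl")
b = pk.loads(blob)
c = rp("other.pkl")
d = json.load(fh)
'''

if __name__ == "__main__":
    for line, what in find_pickle_loads(SAMPLE):
        print(f"line {line}: {what}")
```

The scan covers direct calls and import aliases only; dynamic lookups such as `getattr(pd, name)` and pickle loading done inside third-party dependencies are outside what it can see.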