avoid unsafe function to (de)serialize data
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
ID: python-security/deserialize-untrusted-data
Language: Python
Severity: Notice
Category: Security
CWE: 502
Description
Do not deserialize untrusted data. Make sure you use alternatives to check that the data can be deserialized safely. There is no workaround around this: unless you really trust the data source, it’s better to use another way to exchange data, such as an API or other protocols such as protobuf or thrift.
Learn More
Non-Compliant Code Examples
import marshal
person = {"name":"xyz", "age":22, "marks":[45,56,78]}
data = marshal.dumps(person)
obj = marshal.loads(data)
import pickle
data = pickle.loads(data)
Compliant Code Examples
import pickle
data = pickle.loads(data)
data = pickle.loads(data)
