Message398347
There are a number of techniques for reading external files and loading their content into (de/serializing) Python objects. Pickle is one such powerful serialization technique that is inherently risky, especially when an attacker tampers with serialized data.
Data from external sources is never secure. As a rule of thumb, never unpickle or parse data from an untrusted source into Python objects. This is because an attacker can use the subprocess module to execute arbitrary commands during pickling.
Additionally, YAML files from user input can leave your application open to attacks. To avoid this, use the PyYAML safe_load function (yaml.safe_load) to handle YAML serialization.
Here is some simple custom code that can be used to find all unsafe yaml.load functions in your codebase.
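An added example of such a checker (not the poster's code, which is absent from the message): an ast-based scan that flags `yaml.load` / `yaml.load_all` calls made without a `Loader`, or with a loader outside PyYAML's safe set. It assumes the scanned module binds PyYAML via `import yaml` (optionally aliased); `from yaml import load` is not covered, and `SAMPLE` is a constructed input.

```python
import ast

# PyYAML loaders that restrict input to plain YAML types (no Python-object tags).
SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader", "CBaseLoader"}

def _loader_name(node):
    """Simple name of a Loader expression, e.g. `yaml.SafeLoader` -> 'SafeLoader'."""
    if isinstance(node, ast.Attribute):
        return node.attr
    return node.id if isinstance(node, ast.Name) else None

def find_unsafe_yaml_loads(source):
    """Return (lineno, reason) for each yaml.load/load_all call lacking a safe Loader."""
    tree = ast.parse(source)
    # Names the yaml package is bound to here (`import yaml`, `import yaml as y`).
    aliases = {a.asname or "yaml" for n in ast.walk(tree) if isinstance(n, ast.Import)
               for a in n.names if a.name == "yaml"}
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        if not (isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)
                and f.value.id in aliases and f.attr in ("load", "load_all")):
            continue
        # Loader may be passed by keyword or as the second positional argument.
        loader = next((_loader_name(k.value) for k in node.keywords if k.arg == "Loader"), None)
        if loader is None and len(node.args) >= 2:
            loader = _loader_name(node.args[1])
        if loader is None:
            # Pre-5.1 PyYAML defaulted to the unsafe Loader; 6.0+ raises TypeError.
            findings.append((node.lineno, "yaml.%s called without Loader" % f.attr))
        elif loader not in SAFE_LOADERS:
            # FullLoader/UnsafeLoader/Loader still construct Python-specific tags.
            findings.append((node.lineno, "yaml.%s uses non-safe %s" % (f.attr, loader)))
    return sorted(findings)

# Constructed sample module to scan (not real project code).
SAMPLE = (
    "import yaml\n"
    "import yaml as y\n"
    "a = yaml.load(data)\n"
    "b = yaml.load(data, Loader=yaml.SafeLoader)\n"
    "c = yaml.safe_load(data)\n"
    "d = y.load(data, Loader=yaml.FullLoader)\n"
    "e = yaml.load_all(data, yaml.Loader)\n"
)
```

Running `find_unsafe_yaml_loads` over each file's text (for example via `pathlib.Path.rglob("*.py")`) reports lines 3, 6 and 7 of the sample; the `safe_load` and `SafeLoader` calls pass.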
| Date | User | Action | Args |
| --- | --- | --- | --- |
| 2021-07-28 06:37:24 | joker | set | recipients: + joker |
| 2021-07-28 06:37:24 | joker | set | messageid: <1627454244.04.0.843143587148.issue44757@roundup.psfhosted.org> |
| 2021-07-28 06:37:24 | joker | link | issue44757 messages |
| 2021-07-28 06:37:23 | joker | create | |