Python Unsafe Deserialization Method
Description
Detects unsafe deserialization of untrusted data in Python code. When malicious serialized data is deserialized using unsafe functions like pickle.loads() or yaml.load(), it can lead to arbitrary code execution. This vulnerability allows attackers to execute malicious code by supplying carefully crafted serialized data.
Detection Strategy
• Identifies calls to unsafe deserialization functions like pickle.loads(), yaml.load() (without SafeLoader), or marshal.loads()
• Reports a vulnerability when these functions are called with potentially untrusted input data
• Checks if the deserialization function is used without appropriate input validation or sanitization
• Flags usage of dangerous deserialization methods even if they are imported under different names or accessed through module attributes
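The detection strategy above, sketched as an added example (not Fluid Attacks' scanner code): a small AST pass that resolves import aliases and module attribute access, then flags pickle, marshal and yaml.load calls that lack a safe Loader. SAMPLE, qualified and find_unsafe_calls are names made up for this illustration, and the pass does not judge whether the argument is actually untrusted.

```python
import ast
# Constructed sample source to scan; it is parsed, never executed.
SAMPLE = """\
import pickle as pk
import yaml
from yaml import load as yl, SafeLoader as SL
from marshal import loads
def handle(blob, text):
    pk.loads(blob)
    yl(text)
    yaml.load(text, Loader=yaml.Loader)
    yaml.load(text, Loader=SL)
    loads(blob)
"""

UNSAFE = {"pickle.load", "pickle.loads", "marshal.load", "marshal.loads", "yaml.load"}
SAFE_LOADERS = {"yaml.SafeLoader", "yaml.CSafeLoader"}

def qualified(node, aliases):
    """Resolve a Name/Attribute chain to a dotted name, expanding import aliases."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    parts.append(aliases.get(node.id, node.id))
    return ".".join(reversed(parts))

def find_unsafe_calls(source):
    """Return sorted (line, qualified name) pairs for unsafe deserialization calls."""
    tree = ast.parse(source)
    aliases = {}  # local name -> imported dotted name
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            aliases.update({a.asname or a.name: a.name for a in node.names})
        elif isinstance(node, ast.ImportFrom) and node.module:
            aliases.update({a.asname or a.name: f"{node.module}.{a.name}" for a in node.names})
    findings = []
    for call in (n for n in ast.walk(tree) if isinstance(n, ast.Call)):
        name = qualified(call.func, aliases)
        if name not in UNSAFE:
            continue
        if name == "yaml.load":  # acceptable only with an explicit safe Loader
            loader = next((k.value for k in call.keywords if k.arg == "Loader"),
                          call.args[1] if len(call.args) > 1 else None)
            if loader is not None and qualified(loader, aliases) in SAFE_LOADERS:
                continue
        findings.append((call.lineno, name))
    return sorted(findings)
```

Rebinding such as `f = pickle.loads` is not followed here; covering it would need assignment tracking on top of the alias map.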
Vulnerable code example
import pickle
from yaml import load, Loader

def process_user_data(file_data, yaml_data):
    # Unsafe: Deserializes untrusted input which can execute arbitrary code
    pickle.load(file_data)
    # Unsafe: Uses yaml.load with unsafe Loader which allows code execution
    ...
Secure code example
import pickle
import json
from yaml import safe_load  # Use safe_load instead of load+Loader

def process_user_data(file_data, yaml_data):
    # Safe: Use json.loads for untrusted data instead of pickle
    data = json.loads(file_data)
    ...