Usage of unsafe Pickle libraries

Description

Using pickle, _pickle or cPickle can make your application vulnerable to unsafe code execution, because the deserialization logic of these libraries allows arbitrary code execution. It is best practice to avoid these libraries and to use a safer serialization format such as JSON.

Remediations

  • Do not use pickle or its derivatives for deserialization wherever possible. Their deserialization logic can execute arbitrary code.
  • Do use recommended safer formats like JSON, Protocol Buffers (protobuf) and MessagePack.
    import msgpack  # MessagePack

    data = {'key': 'value'}
    packed_data = msgpack.packb(data)
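
The following is an added example, not part of the Bearer rule or its documentation. It inspects a pickle stream statically to show that the data itself names what the loader imports and calls, then performs the same round trip through JSON with an explicit schema. The record fields and the function names `code_opcodes`, `dump_record` and `load_record` are assumptions made for illustration.

```python
import json
import pickle
import pickletools
from datetime import date

# Opcodes that tell the unpickler to import a name or call/construct an object.
CODE_OPCODES = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ",
                "NEWOBJ", "NEWOBJ_EX", "REDUCE", "BUILD"}

def code_opcodes(blob: bytes) -> set:
    """Return the import/call opcodes in a pickle stream without loading it."""
    return {op.name for op, _arg, _pos in pickletools.genops(blob)} & CODE_OPCODES

def dump_record(record: dict) -> bytes:
    """Serialize as JSON; the date travels as an ISO 8601 string, not an object."""
    doc = {"user": record["user"], "expires": record["expires"].isoformat()}
    return json.dumps(doc).encode("utf-8")

def load_record(blob: bytes) -> dict:
    """Parse JSON and rebuild only the fields and types this schema expects."""
    doc = json.loads(blob)
    if not isinstance(doc, dict) or set(doc) != {"user", "expires"}:
        raise ValueError("unexpected fields")
    if not all(isinstance(doc[k], str) for k in ("user", "expires")):
        raise ValueError("unexpected field types")
    return {"user": doc["user"], "expires": date.fromisoformat(doc["expires"])}

# Constructed sample record; the field names are hypothetical.
SAMPLE = {"user": "alice", "expires": date(2030, 1, 31)}

if __name__ == "__main__":
    # Even this benign pickle makes the loader import datetime.date and call it.
    print(sorted(code_opcodes(pickle.dumps(SAMPLE, protocol=4))))
    wire = dump_record(SAMPLE)
    print(wire, load_record(wire) == SAMPLE)
```

`code_opcodes` only illustrates what the format carries; it is not a filter that makes `pickle.loads` safe to call on untrusted input.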

References

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=python_lang_avoid_pickle

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=python_lang_avoid_pickle