gitlab.bandit.B301-4

385

Download Count*

License

Avoid using shelve, which uses pickle, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit Rule View Source

Open in Playground

rules:
  - id: bandit.B301-4
    pattern-either:
      - pattern: shelve.$FUNC(...)
    message: >
      Avoid using `shelve`, which uses `pickle`, which is known to lead to code
      execution vulnerabilities.

      When unpickling, the serialized data could be manipulated to run arbitrary code.

      Instead, consider serializing the relevant data as JSON or a similar text-based

      serialization format.
    metadata:
      cwe: "CWE-502: Deserialization of Untrusted Data"
      owasp: "A8: Insecure Deserialization"
      primary_identifier: bandit.B301-4
      secondary_identifiers:
        - name: Bandit Test ID B301
          type: bandit_test_id
          value: B301
      license: MIT
    severity: WARNING
    languages:
      - python

Short Link: https://sg.run/Zer4