gitlab.bandit.B302
The marshal module is not intended to be secure against erroneous or maliciously constructed data. Never unmarshal data received from an untrusted or unauthenticated source. See more details: https://docs.python.org/3/library/marshal.html?highlight=security
Definition
rules:
  - id: bandit.B302
    pattern-either:
      - pattern: marshal.dump(...)
      - pattern: marshal.dumps(...)
      - pattern: marshal.load(...)
      - pattern: marshal.loads(...)
    message: >
      The marshal module is not intended to be secure against erroneous or
      maliciously constructed data.
      Never unmarshal data received from an untrusted or unauthenticated source.
      See more details: https://docs.python.org/3/library/marshal.html?highlight=security
    metadata:
      cwe: "CWE-502: Deserialization of Untrusted Data"
      owasp: "A8: Insecure Deserialization"
      primary_identifier: bandit.B302
      secondary_identifiers:
        - name: Bandit Test ID B302
          type: bandit_test_id
          value: B302
    license: MIT
    severity: WARNING
    languages:
      - python
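The following is an added illustration, not part of the rule page or of Bandit/Semgrep: a function the rule above would flag (any `marshal.loads(...)` call, whatever the argument's origin), a hardened replacement that reads the same settings as JSON with a size limit and shape check, and a check showing why marshal is treated differently from JSON: it round-trips executable code objects. The settings keys, the size limit and the sample payload are constructed for this example.

```python
"""Illustration for rule bandit.B302 (added example; not the rule page's own code)."""
import json
import marshal
import types

MAX_SETTINGS_BYTES = 64 * 1024  # assumed limit for this illustration


def load_settings_unsafe(raw: bytes):
    """Flagged by bandit.B302: marshal.loads(...) on bytes this process did not write.

    marshal is the serialization format for Python internals (e.g. .pyc files).
    It is not hardened against malformed input and reconstructs objects such as
    code objects, so it must only ever see data the same program produced itself.
    """
    return marshal.loads(raw)


def load_settings_safe(raw: bytes, max_bytes: int = MAX_SETTINGS_BYTES) -> dict:
    """Hardened replacement: JSON yields only plain data, and the shape is validated."""
    if len(raw) > max_bytes:
        raise ValueError("settings payload too large")
    data = json.loads(raw.decode("utf-8"))
    if not isinstance(data, dict):
        raise ValueError("settings must be a JSON object")
    for key, value in data.items():
        # Only scalar settings are accepted; nested structures are rejected.
        if not isinstance(key, str) or not isinstance(value, (str, int, float, bool)):
            raise ValueError(f"unsupported setting: {key!r}")
    return data


def marshal_can_carry_code() -> bool:
    """Why the rule fires: a marshal payload can contain an executable code object,
    which JSON cannot express. The payload here is a harmless constant expression,
    constructed in-process purely to show the object type that comes back."""
    payload = marshal.dumps(compile("1 + 1", "<constructed>", "eval"))
    return isinstance(load_settings_unsafe(payload), types.CodeType)


if __name__ == "__main__":
    sample = b'{"theme": "dark", "retries": 3}'  # constructed client payload
    print(load_settings_safe(sample))
    print("marshal round-trips code objects:", marshal_can_carry_code())
```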
Short Link: https://sg.run/ZkeD