python.lang.security.audit.conn_recv.multiprocessing-recv

Author: semgrep
Downloads: 70,993

The Connection.recv() method automatically unpickles the data it receives, which can be a security risk unless you can trust the process which sent the message. Therefore, unless the connection object was produced using Pipe(), you should only use the recv() and send() methods after performing some sort of authentication. See more details: https://docs.python.org/3/library/multiprocessing.html?highlight=security#multiprocessing.connection.Connection

Definition

rules:
  - id: multiprocessing-recv
    languages:
      - python
    message: "The Connection.recv() method automatically unpickles the data it
      receives, which can be a security risk unless you can trust the process
      which sent the message. Therefore, unless the connection object was
      produced using Pipe() you should only use the recv() and send() methods
      after performing some sort of authentication. See more dettails:
      https://docs.python.org/3/library/multiprocessing.html?highlight=security\
      #multiprocessing.connection.Connection"
    metadata:
      cwe:
        - "CWE-502: Deserialization of Untrusted Data"
      owasp:
        - A08:2017 - Insecure Deserialization
        - A08:2021 - Software and Data Integrity Failures
      references:
        - https://docs.python.org/3/library/multiprocessing.html?highlight=security#multiprocessing.connection.Connection
      category: security
      technology:
        - python
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - "Insecure Deserialization "
    pattern-either:
      - pattern: multiprocessing.connection.Connection.recv(...)
      - pattern: multiprocessing.connection.Client.recv(...)
      - pattern: |
          $C = multiprocessing.connection.Client(...)
          ...
          $C.recv(...)
    severity: WARNING

Examples

conn_recv.py

import multiprocessing
import multiprocessing.connection


rx = multiprocessing.connection.Client(('localhost', 12345)).recv()

# ruleid: multiprocessing-recv
connection = multiprocessing.connection.Client(
    ('localhost', 12345),
)

output = {}
connection.send(output)

# todoruleid: multiprocessing-recv
rx = connection.recv()
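The remediation the rule's message asks for, as an added example that is not part of the Semgrep rule or its test file: multiprocessing.connection's own authkey handshake (HMAC challenge/response) runs inside Listener.accept() and Client() before either side can call recv(), so a peer that does not hold the key never gets a pickled payload unpickled. The key, port choice and helper names are assumptions for the demo.

```python
import threading
from multiprocessing import AuthenticationError
from multiprocessing.connection import Client, Listener

# Constructed demo secret; in practice load it from a secret store, not source.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def serve_one(listener, results):
    """Accept one connection. accept() performs the HMAC challenge before
    returning, so recv() below only ever runs for a peer that proved the key."""
    try:
        with listener.accept() as conn:
            results.append(conn.recv())
    except AuthenticationError:
        results.append("rejected")


def exchange(client_key, payload):
    """Start a keyed Listener, connect with client_key and send payload.
    Returns what the server side observed: the payload, or 'rejected'."""
    results = []
    # Port 0 lets the OS pick a free ephemeral port; listener.address holds it.
    with Listener(("127.0.0.1", 0), authkey=SHARED_KEY) as listener:
        worker = threading.Thread(target=serve_one, args=(listener, results))
        worker.start()
        try:
            with Client(listener.address, authkey=client_key) as conn:
                conn.send(payload)
        except AuthenticationError:
            pass  # wrong key: the server rejected us before any recv()
        worker.join(timeout=5)
    return results[0] if results else "no-result"


if __name__ == "__main__":
    print(exchange(SHARED_KEY, {"job": 42}))   # {'job': 42}
    print(exchange(b"wrong-key", {"job": 42}))  # rejected
```

This is an audit rule, so Semgrep will still flag the recv() in serve_one(); the finding is the reviewer's cue to confirm that an authkey (or a Pipe()) is in place, as it is here.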