python.lang.security.audit.marshal.marshal-usage

Community Favorite

returntocorp

Author

71,865

Download Count*

License

The marshal module is not intended to be secure against erroneous or maliciously constructed data. Never unmarshal data received from an untrusted or unauthenticated source. See more details: https://docs.python.org/3/library/marshal.html?highlight=security

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit Rule View Source

Open in Playground

rules:
  - id: marshal-usage
    languages:
      - python
    message: "The marshal module is not intended to be secure against erroneous or
      maliciously constructed data. Never unmarshal data received from an
      untrusted or unauthenticated source. See more details:
      https://docs.python.org/3/library/marshal.html?highlight=security"
    metadata:
      cwe:
        - "CWE-502: Deserialization of Untrusted Data"
      owasp:
        - A08:2017 - Insecure Deserialization
        - A08:2021 - Software and Data Integrity Failures
      references:
        - https://docs.python.org/3/library/marshal.html?highlight=security
      category: security
      technology:
        - python
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    pattern-either:
      - pattern: marshal.dump(...)
      - pattern: marshal.dumps(...)
      - pattern: marshal.load(...)
      - pattern: marshal.loads(...)
    severity: WARNING

Examples

marshal.py

import marshal

fin = open('index.mar')
for line in fin:
    # ruleid: marshal-usage
    marshal.dumps(line)

for line in fin:
    # ok: marshal-usage
    marshal.someokfunc(line)

Short Link: https://sg.run/3xor