python.lang.security.audit.marshal.marshal-usage

Community Favorite
profile photo of semgrepsemgrep
Author
71,865
Download Count*
LGPL Commons Clause
License

The marshal module is not intended to be secure against erroneous or maliciously constructed data. Never unmarshal data received from an untrusted or unauthenticated source. See more details: https://docs.python.org/3/library/marshal.html?highlight=security

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: marshal-usage
    languages:
      - python
    message: "The marshal module is not intended to be secure against erroneous or
      maliciously constructed data. Never unmarshal data received from an
      untrusted or unauthenticated source. See more details:
      https://docs.python.org/3/library/marshal.html?highlight=security"
    metadata:
      cwe:
        - "CWE-502: Deserialization of Untrusted Data"
      owasp:
        - A08:2017 - Insecure Deserialization
        - A08:2021 - Software and Data Integrity Failures
      references:
        - https://docs.python.org/3/library/marshal.html?highlight=security
      category: security
      technology:
        - python
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - "Insecure Deserialization "
    pattern-either:
      - pattern: marshal.dump(...)
      - pattern: marshal.dumps(...)
      - pattern: marshal.load(...)
      - pattern: marshal.loads(...)
    severity: WARNING

Examples

marshal.py

import marshal

fin = open('index.mar')
for line in fin:
    # ruleid: marshal-usage
    marshal.dumps(line)

for line in fin:
    # ok: marshal-usage
    marshal.someokfunc(line)