trailofbits.python.scikit-joblib-load.scikit-joblib-load


Scikit joblib uses pickle under the hood. Functions reliant on pickle can result in arbitrary code execution. Consider using skops instead.


Definition

rules:
  - id: scikit-joblib-load
    message: Scikit `joblib` uses pickle under the hood. Functions reliant on pickle
      can result in arbitrary code execution. Consider using `skops` instead.
    languages:
      - python
    severity: ERROR
    metadata:
      category: security
      cwe: "CWE-502: Deserialization of Untrusted Data"
      subcategory:
        - vuln
      confidence: MEDIUM
      likelihood: MEDIUM
      impact: HIGH
      technology:
        - scikit
      description: Potential arbitrary code execution from `SciKit.Joblib` functions
        reliant on pickling
      references:
        - https://scikit-learn.org/stable/model_persistence.html
      license: AGPL-3.0 license
      vulnerability_class:
        - "Insecure Deserialization "
    patterns:
      - pattern: joblib.load(...)
      - pattern-not: joblib.load("...")

Examples

scikit-joblib-load.py

import joblib
import skops.io as sio

path = "test.joblib"

# ok: scikit-joblib-load
# A string literal (here constant-propagated from `path`) is excluded by the
# rule's `pattern-not`: the file name is fixed in the source, not user-controlled.
joblib.load(path)

# ruleid: scikit-joblib-load
# Attacker-influenced path: joblib.load unpickles whatever that file contains.
joblib.load(input())

def test(param):
    param += ".joblib"

    # ruleid: scikit-joblib-load
    x = joblib.load(param)

    # ok: scikit-joblib-load
    # skops alternative: list the types the file references (keyword-only
    # `file=` argument), review that list, then load with an explicit trust list.
    unknown_types = sio.get_untrusted_types(file=param)
    clf = sio.load(param, trusted=unknown_types)

    # ok: scikit-joblib-load
    # Trusts every type in the file; only sensible for files you produced yourself.
    clf = sio.load(param, trusted=True)

    return x, clf