marshal — load

Deserialization of Untrusted Data in the marshal Module

The Python marshal module provides a way to serialize and deserialize Python objects. However, it is important to be aware that malicious data can be used to attack applications that use the marshal module. For example, malicious data could be used to cause the decoder to execute arbitrary code.

Example

marshal_load.py
import marshal


data = {'name': 'John Doe', 'age': 30}

with open('data.dat', 'wb') as f:
    marshal.dump(data, f)

with open('data.dat', 'rb') as f:
    loaded_data = marshal.load(f)
Example Output
> precli tests/unit/rules/python/stdlib/marshal/examples/marshal_load.py
⚠️  Warning on line 10 in tests/unit/rules/python/stdlib/marshal/examples/marshal_load.py
PY011: Deserialization of Untrusted Data
Potential unsafe usage of 'marshal.load' that can allow instantiation of arbitrary objects.

Remediation

To avoid this vulnerability, only deserialize data from trusted sources. If you must deserialize data from an untrusted source, sanitize it first to remove any potentially malicious code.
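One defensive pattern for the remediation above, as an added example that is not part of precli or this rule's example file: authenticate the serialized bytes with an HMAC before marshal ever parses them, and refuse any decoded value that contains a code object. The helper names (dumps_signed, loads_verified, contains_code, is_rejected) and SECRET_KEY are assumptions made for this example.

```python
import hashlib
import hmac
import marshal
import types

# Constructed key for the example only; a real key would come from a secret store.
SECRET_KEY = b"example-key-not-for-production"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def dumps_signed(obj, key=SECRET_KEY):
    """Serialize with marshal and prefix the bytes with an HMAC-SHA256 tag."""
    payload = marshal.dumps(obj)
    return hmac.new(key, payload, hashlib.sha256).digest() + payload


def contains_code(obj):
    """True if a marshal-decoded value carries a code object anywhere inside it."""
    if isinstance(obj, types.CodeType):
        return True
    if isinstance(obj, (list, tuple, set, frozenset)):
        return any(contains_code(x) for x in obj)
    if isinstance(obj, dict):
        return any(contains_code(k) or contains_code(v) for k, v in obj.items())
    return False


def loads_verified(blob, key=SECRET_KEY):
    """Check the tag before marshal.loads sees the bytes, then refuse code objects."""
    if len(blob) < TAG_LEN:
        raise ValueError("blob too short to carry an HMAC tag")
    tag, payload = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("HMAC mismatch: data was not produced by a trusted writer")
    obj = marshal.loads(payload)
    if contains_code(obj):
        raise ValueError("refusing to return a code object to the caller")
    return obj


def is_rejected(blob, key=SECRET_KEY):
    """True when loads_verified refuses the blob (tampered, wrong key, or code)."""
    try:
        loads_verified(blob, key)
    except ValueError:
        return True
    return False
```

Replace the file writes in the example above with `f.write(dumps_signed(data))` and the read with `loads_verified(f.read())`; the tag check runs before marshal touches a single byte.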

Default Configuration

enabled = true
level = "warning"

See also

New in version 0.1.0