shelve — open

Deserialization of Untrusted Data in the shelve Module

The Python shelve module provides a way to store Python objects in a file. It is backed by the pickle module, which is a serialization format that can be used to store arbitrary Python objects.

However, it is important to be aware that the shelve module is not secure against malicious data. For example, a malicious shelf could be used to cause the decoder to execute arbitrary code.

Example

import shelve


with shelve.open("db.dat") as db:
    flag = "key" in db

Example Output

> precli tests/unit/rules/python/stdlib/shelve/examples/shelve_open_context_mgr.py
⚠️  Warning on line 4 in tests/unit/rules/python/stdlib/shelve/examples/shelve_open_context_mgr.py
PY015: Deserialization of Untrusted Data
Potential unsafe usage of 'shelve.open' that can allow instantiation of arbitrary objects.

Remediation

To avoid this vulnerability, it is important to only use the shelve module with data from trusted sources. If you are using the shelve module with data from an untrusted source, you should first sanitize the data to remove any potential malicious code.

Default Configuration

enabled = true
level = "warning"

See also

Info

• shelve — Python object persistence
• CWE-502: Deserialization of Untrusted Data

New in version 0.1.0