suspicious-pickle-import (S403)
Preview (since v0.1.12) · Related issues · View source
Derived from the flake8-bandit linter.
This rule is unstable and in preview. The --preview flag is required for use.
What it does
Checks for imports of the pickle, cPickle, dill, and shelve modules.
Why is this bad?
It is possible to construct malicious pickle data which will execute arbitrary code during unpickling. Consider possible security implications associated with these modules.