Skip to content

suspicious-pickle-import (S403)#

Derived from the flake8-bandit linter.

This rule is unstable and in preview. The --preview flag is required for use.

What it does#

Checks for imports of the pickle, cPickle, dill, and shelve modules.

Why is this bad?#

It is possible to construct malicious pickle data which will execute arbitrary code during unpickling. Consider possible security implications associated with these modules.

Example#

import pickle
/// ## References - Python Docs