suspicious-pickle-import (S403)
Derived from the flake8-bandit linter.
This rule is unstable and in preview. The --preview
flag is required for use.
What it does
Checks for imports of the pickle
, cPickle
, dill
, and shelve
modules.
Why is this bad?
It is possible to construct malicious pickle data which will execute arbitrary code during unpickling. Consider possible security implications associated with these modules.
Example
/// ## References