Deserialization

PyPickle

The pickle module provides Python object serialization. pickle.load() and pickle.loads() can execute arbitrary code during deserialization via __reduce__, so they are always unsafe with untrusted input. Use json or signed payloads instead.

Taint flow: 0 sources, 3 sinks
Sinks — dangerous call
.load()
.loads()
.Unpickler()
Quick-start rule — copy and run
from codepathfinder.python_decorators import python_rule
from codepathfinder import calls, flows
from codepathfinder.presets import PropagationPresets


@python_rule(
    id="PYTHON-DESER-001",
    name="Unsafe Pickle Deserialization",
    severity="CRITICAL",
    category="deserialization",
    cwe="CWE-502",
    owasp="A08:2021",
    message="Untrusted data flows to pickle.loads(). Use json.loads() or signed payloads.",
)
def detect_pickle_deserialization():
    return flows(
        from_sources=[
            calls("request.data"),
            calls("request.get_data"),
            calls("*.read"),
            calls("*.recv"),
        ],
        to_sinks=[calls("pickle.loads"), calls("pickle.load")],
        sanitized_by=[calls("hmac.compare_digest"), calls("*.verify_signature")],
        propagates_through=PropagationPresets.standard(),
        scope="local",
    )

pathfinder scan --ruleset custom/security --project .
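
The rule's message recommends json.loads() or signed payloads and lists hmac.compare_digest as a sanitizer. The following added example (not part of Code Pathfinder or its documentation) shows that pattern end to end: an HMAC-SHA256 tag is checked in constant time before any bytes are parsed, and the body is JSON rather than pickle. The key, function names and sample payload are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption); in practice load it from a secret store.
SECRET_KEY = b"constructed-demo-key-not-for-production"
TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag


def sign_payload(obj, key=SECRET_KEY):
    """Serialize obj as JSON and prepend an HMAC-SHA256 tag over the body."""
    body = json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return tag + body


def load_signed_payload(blob, key=SECRET_KEY):
    """Verify the tag in constant time, then parse the body as JSON.

    Raises ValueError for a short, tampered or wrongly keyed blob, so
    unauthenticated bytes never reach a deserializer.
    """
    if len(blob) < TAG_LEN:
        raise ValueError("payload too short to carry a tag")
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("signature mismatch")
    # JSON yields only dicts, lists, strings, numbers, booleans and None;
    # unlike pickle, parsing it cannot invoke __reduce__ or any callable.
    return json.loads(body.decode("utf-8"))


def is_rejected(blob, key=SECRET_KEY):
    """Return True when load_signed_payload refuses the blob."""
    try:
        load_signed_payload(blob, key)
    except ValueError:
        return True
    return False
```

The tag only proves the payload came from a holder of the key; keeping JSON as the body format means a leaked key still does not turn the endpoint into a code-execution sink.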

Sinks

.load() (Sink)
Signature
pickle.load(file: IO) -> Any

Reads a pickled object from a file. Arbitrary-code-execution sink on untrusted data.

tracks:0
.loads() (Sink)
Signature
pickle.loads(data: bytes) -> Any

Deserializes a pickle byte string. RCE sink on untrusted data.

tracks:0
.Unpickler() (Sink)
Signature
pickle.Unpickler(file: IO) -> Unpickler

Stateful unpickler. The load() method is the sink.

tracks:0

Fully-Qualified Names

FQN       Field
pickle    fqns[0]

A wrong FQN produces 0 findings. To verify, change fqns to garbage; the scan must then produce 0 results.

Import

rule.py
from codepathfinder.go_rule import PyPickle

Rules Using This Class