Merge pull request #13781 from maikypedia/maikypedia/python-unsafe-deserialization

Python: Add unsafe deserialization sinks (CWE-502)
2026-05-04 13:15:21 +02:00 · 2023-10-10 13:30:38 +02:00
parent 542d5a2451 f3acc89900
commit 2d947a4f53
16 changed files with 153 additions and 2 deletions
--- a/python/ql/lib/change-notes/2023-07-20-add-unsafe-deserialization-sinks.md
+++ b/python/ql/lib/change-notes/2023-07-20-add-unsafe-deserialization-sinks.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Improved modeling of decoding through pickle related functions (which can lead to code execution), resulting in additional sinks for the _Deserializing untrusted input_ query (`py/unsafe-deserialization`). Added support for `pandas.read_pickle`, `numpy.load` and `joblib.load`.