Deserialization of untrusted or potentially malformed data can be exploited for denial of service or to cause execution of untrusted code.
def untrusted_deserialization_noncompliant():
    """Decode a user-supplied jsonpickle payload without any validation.

    Reads one string from standard input and hands it directly to
    ``jsonpickle.decode``, which can reconstruct arbitrary Python objects
    named in the payload.

    Returns:
        Whatever object ``jsonpickle.decode`` produces from the raw input.
    """
    import jsonpickle

    payload = input("user")
    # Noncompliant: the raw input reaches the deserializer unchecked, so the
    # party supplying the input decides which objects get reconstructed.
    return jsonpickle.decode(payload)
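def untrusted_deserialization_compliant():
    """Decode a user-supplied jsonpickle payload only if it is allowlisted.

    Reads one string from standard input and compares the whole string
    against a fixed set of accepted values before it is passed to
    ``jsonpickle.decode``; anything else is rejected without touching the
    deserializer.

    Returns:
        The decoded object when the input matches the allowlist, otherwise
        ``None``. (The previous version fell through to ``return obj`` with
        ``obj`` never assigned, raising ``UnboundLocalError`` for every
        rejected input instead of signalling the rejection.)
    """
    import jsonpickle

    # Exact-match allowlist: only these literal strings are ever deserialized.
    allowed_user_obj = frozenset({'example_module1', 'example_module2'})

    userobj = input("user")
    # Compliant: Untrusted object is validated before deserialization.
    if userobj not in allowed_user_obj:
        # Fail closed: nothing outside the allowlist reaches the deserializer.
        return None
    return jsonpickle.decode(userobj)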