Deserialization

PyMarshal

Python's marshal module, used for the interpreter's internal object serialization. Like pickle, marshal.load() / marshal.loads() execute code paths determined by the input bytes, which makes them unsafe on untrusted data. The module is not documented for general use.

Taint flow: 0 sources, 2 sinks
Sinks (dangerous call): .load(), .loads()

Sinks

.load() (Sink)
Signature
marshal.load(file: IO) -> Any

Reads a marshalled object. Unsafe deserialization sink.

tracks: 0
.loads() (Sink)
Signature
marshal.loads(bytes) -> Any

Deserializes marshal bytes. Unsafe on untrusted input.

tracks: 0

Fully-Qualified Names

FQN      Field
marshal  fqns[0]

A wrong FQN yields 0 findings. Verify the rule by changing fqns to a garbage value: it must then produce 0 results.
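The following is an added, self-contained illustration (not codepathfinder's own code) of both points above: how the two marshal sinks are matched by fully-qualified name across different import styles, and why a wrong FQN must produce 0 findings. It assumes a plain ast-based resolver and a constructed sample source; the function and parameter names are hypothetical.

```python
import ast
from typing import Dict, List, Optional, Tuple

# Constructed sample: three calls that resolve to marshal.load / marshal.loads
# through different import forms, plus one json.loads() that must NOT match.
SAMPLE_SOURCE = '''
import marshal
import marshal as m
from marshal import loads as mloads
import json

def handler(blob, fh):
    a = marshal.loads(blob)   # sink
    b = m.load(fh)            # sink via module alias
    c = mloads(blob)          # sink via from-import alias
    d = json.loads(blob)      # same method name, different FQN: not a sink
    return a, b, c, d
'''

def _collect_aliases(tree: ast.AST) -> Dict[str, str]:
    """Map each locally bound import name to its fully-qualified name."""
    aliases: Dict[str, str] = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                aliases[alias.asname or alias.name] = alias.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for alias in node.names:
                aliases[alias.asname or alias.name] = f"{node.module}.{alias.name}"
    return aliases

def _call_fqn(call: ast.Call, aliases: Dict[str, str]) -> Optional[str]:
    """Resolve the callee to a dotted FQN via the import table, or None."""
    func = call.func
    if isinstance(func, ast.Name):                      # mloads(...)
        return aliases.get(func.id)
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        base = aliases.get(func.value.id)               # marshal.loads(...), m.load(...)
        return f"{base}.{func.attr}" if base else None
    return None

def find_marshal_sinks(source: str, fqns=("marshal",),
                       sinks=("load", "loads")) -> List[Tuple[int, str]]:
    """Return (line, fqn) for every call whose FQN is <fqn>.<sink>."""
    tree = ast.parse(source)
    aliases = _collect_aliases(tree)
    wanted = {f"{fqn}.{s}" for fqn in fqns for s in sinks}
    found = [(n.lineno, fqn) for n in ast.walk(tree) if isinstance(n, ast.Call)
             for fqn in [_call_fqn(n, aliases)] if fqn in wanted]
    return sorted(found)
```

Running find_marshal_sinks(SAMPLE_SOURCE) reports the three marshal calls and skips json.loads; the same scan with fqns=("garbage",) returns an empty list, which is the sanity check the rule page asks for.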

Import

rule.py
from codepathfinder.go_rule import PyMarshal