From 128b2369c9ebfa9cbf9534034814096a3d269cd8 Mon Sep 17 00:00:00 2001
From: Jasper Sival <49187354+jaspersival@users.noreply.github.com>
Date: Fri, 8 Jul 2022 06:14:25 +0200
Subject: [PATCH] Blacklist pandas read_pickle and add functional test for it (#710)
* Blacklist pandas read_pickle and add functional test for it
* Update test-requirements.txt
* Update test_functional.py
* Update test_functional.py
Co-authored-by: Jasper Sival
Co-authored-by: Eric Brown
---
 bandit/blacklists/calls.py | 2 ++
 examples/pandas_read_pickle.py | 12 ++++++++++++
 tests/functional/test_functional.py | 8 ++++++++
 3 files changed, 22 insertions(+)
 create mode 100644 examples/pandas_read_pickle.py
diff --git a/bandit/blacklists/calls.py b/bandit/blacklists/calls.py
index 079da90d1..977dbcd98 100644
--- a/bandit/blacklists/calls.py
+++ b/bandit/blacklists/calls.py
@@ -35,6 +35,7 @@
 | | | - jsonpickle.decode | |
 | | | - jsonpickle.unpickler.decode | |
 | | | - jsonpickle.unpickler.Unpickler | |
+| | | - pandas.read_pickle | |
 +------+---------------------+------------------------------------+-----------+
 B302: marshal
@@ -358,6 +359,7 @@ def gen_blacklist():
 "jsonpickle.decode",
 "jsonpickle.unpickler.decode",
 "jsonpickle.unpickler.Unpickler",
+ "pandas.read_pickle",
 ],
 "Pickle and modules that wrap it can be unsafe when used to "
 "deserialize untrusted data, possible security issue.",
diff --git a/examples/pandas_read_pickle.py b/examples/pandas_read_pickle.py
new file mode 100644
index 000000000..61174f678
--- /dev/null
+++ b/examples/pandas_read_pickle.py
@@ -0,0 +1,12 @@
+import pickle
+import pandas as pd
+
+
+df = pd.DataFrame(
+ {
+ "col_A": [1, 2]
+ }
+)
+pick = pickle.dumps(df)
+
+print(pd.read_pickle(pick))
diff --git a/tests/functional/test_functional.py b/tests/functional/test_functional.py
index 2005d1e6c..1d1bd7e47 100644
--- a/tests/functional/test_functional.py
+++ b/tests/functional/test_functional.py
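Review bot: The new entry `"pandas.read_pickle"` in gen_blacklist only matches call sites whose resolved qualified name is exactly that string; the function itself lives in pandas's `pandas.io.pickle` module, so a call imported as `from pandas.io.pickle import read_pickle` would presumably not be flagged. The neighbouring jsonpickle entries already list both the package re-export and the defining-module path (`jsonpickle.decode` alongside `jsonpickle.unpickler.decode`), so the same pattern here would be `"pandas.io.pickle.read_pickle",` added directly after the new line, with a matching row in the docstring table of the first hunk. gen_blacklist begins before this hunk and the blacklist tuple continues past its last line.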
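Review bot: `pd.read_pickle(pick)` on the last line is handed the raw bytes returned by `pickle.dumps(df)`, but read_pickle takes a path or a file-like object, so as far as I can tell the example would not run if executed; it is only ever scanned by bandit, which is presumably why the functional test still passes. A runnable variant is `print(pd.read_pickle(io.BytesIO(pick)))` with `import io` added above the pandas import, which keeps the B301 match the example exists to exercise. It would also help to note in a comment that `import pickle` on line 1 is itself reported (B403), since that is presumably where the LOW finding counted by the new functional test comes from.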
@@ -377,6 +377,14 @@ def test_jsonpickle(self):
 }
 self.check_example("jsonpickle.py", expect)
+ def test_pandas_read_pickle(self):
+ """Test for the `pandas.read_pickle` module."""
+ expect = {
+ "SEVERITY": {"UNDEFINED": 0, "LOW": 1, "MEDIUM": 1, "HIGH": 0},
+ "CONFIDENCE": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 0, "HIGH": 2},
+ }
+ self.check_example("pandas_read_pickle.py", expect)
+
 def test_popen_wrappers(self):
 """Test the `popen2` and `commands` modules."""
 expect = {
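Review bot: The docstring of the added test_pandas_read_pickle calls `pandas.read_pickle` a module, but it is a function; the sibling tests are named after modules (`jsonpickle`, `popen2`), so this one should read `"""Test for the `pandas.read_pickle` function (B301)."""`. The expected counts also combine two separate findings without saying so: the MEDIUM one presumably comes from the `read_pickle` call and the LOW one from the example's `import pickle` (B403), so a one-line comment above `expect = {` such as `# LOW is B403 (import pickle), MEDIUM is B301 (read_pickle); both HIGH confidence` would spare the next reader a trip to the example file. The test method is fully inside the hunk; the enclosing test class is not.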