diff --git a/bandit/blacklists/calls.py b/bandit/blacklists/calls.py
index c81e1cd88..079da90d1 100644
--- a/bandit/blacklists/calls.py
+++ b/bandit/blacklists/calls.py
@@ -32,6 +32,9 @@
 | | | - dill.Unpickler | |
 | | | - shelve.open | |
 | | | - shelve.DbfilenameShelf | |
+| | | - jsonpickle.decode | |
+| | | - jsonpickle.unpickler.decode | |
+| | | - jsonpickle.unpickler.Unpickler | |
 +------+---------------------+------------------------------------+-----------+
 
 B302: marshal
@@ -352,6 +355,9 @@ def gen_blacklist():
                 "dill.Unpickler",
                 "shelve.open",
                 "shelve.DbfilenameShelf",
+                "jsonpickle.decode",
+                "jsonpickle.unpickler.decode",
+                "jsonpickle.unpickler.Unpickler",
             ],
             "Pickle and modules that wrap it can be unsafe when used to "
             "deserialize untrusted data, possible security issue.",
diff --git a/examples/jsonpickle.py b/examples/jsonpickle.py
new file mode 100644
index 000000000..e8aa290c5
--- /dev/null
+++ b/examples/jsonpickle.py
@@ -0,0 +1,10 @@
+import jsonpickle
+
+
+pick = jsonpickle.encode({'a': 'b', 'c': 'd'})
+
+print(jsonpickle.decode(pick))
+
+print(jsonpickle.unpickler.decode(pick))
+
+print(jsonpickle.unpickler.Unpickler().restore(pick))
diff --git a/tests/functional/test_functional.py b/tests/functional/test_functional.py
index 7b83d7934..2005d1e6c 100644
--- a/tests/functional/test_functional.py
+++ b/tests/functional/test_functional.py
@@ -369,6 +369,14 @@ def test_shelve(self):
         }
         self.check_example("shelve_open.py", expect)
 
+    def test_jsonpickle(self):
+        """Test for the `jsonpickle` module."""
+        expect = {
+            "SEVERITY": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 3, "HIGH": 0},
+            "CONFIDENCE": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 0, "HIGH": 3},
+        }
+        self.check_example("jsonpickle.py", expect)
+
     def test_popen_wrappers(self):
         """Test the `popen2` and `commands` modules."""
         expect = {
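Review bot: The B301 issue text that follows the extended list, "Pickle and modules that wrap it can be unsafe ...", no longer describes every entry: jsonpickle does not wrap pickle, it reconstructs arbitrary objects from tagged JSON, so a reader who hits this finding on `jsonpickle.decode` may dismiss it as a false positive. Consider widening the shared message, e.g. `"Pickle and modules that wrap or reimplement it can be unsafe when used to "` followed by the existing `"deserialize untrusted data, possible security issue."`, and keep the RST table in the first hunk of this file in step with whatever the list says. If jsonpickle also exposes json-style `loads` aliases for `decode` (I believe it does; worth confirming against the installed version), they should be added to both the table and the list so the rule cannot be sidestepped by the alias. The surrounding `gen_blacklist()` body starts and ends outside the hunk.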
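Review bot: The last line of the new example, `jsonpickle.unpickler.Unpickler().restore(pick)`, passes the encoded JSON string straight to `restore`, whereas `decode` first parses the string with the backend and only then calls `restore` on the resulting structure; as written the example would most likely print the raw string back rather than the dict if someone runs it. Since the fixture exists only to be scanned by bandit (the plugin keys on the `Unpickler()` call, not on `restore`), the finding count is unaffected, but an example that mirrors real usage is more useful to readers; a one-line comment such as `# restore() expects the already-parsed JSON object, not the encoded string` or parsing the string first would make that clear. The single-quoted dict keys on the `pick = ...` line also differ from the double-quote style used elsewhere in this diff.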