0

I'm aware that there are potentially severe security implications to pickling/unpickling. I was planning to use pickling as a way to store and transfer an object instance in a Django model using jsonpickle. I was also going to use a hash or signature to verify the integrity of the pickle prior to unpickling (i.e. send the hash, then send the pickle, whatever).

Since my own code would be producing the pickled object, would this method be safe enough (relatively or absolutely), assuming any object in transit would be encrypted as well?

Brian
  • 642
  • 7
  • 18

1 Answer

0

If you just pass JSON (encrypted because, say, an https connection is used), you eliminate the arbitrary code execution risk inherent to pickle. And you can validate the data before using it. You just have to worry about accepting the data from someone allowed to communicate with you (and that's about authentication).

You can customize the JSON serialization if it doesn't support the type you want.

Exchanging JSON is pretty common with REST APIs, for example.

This looks safe (I am not a security expert though) and much simpler.

progmatico
  • 4,714
  • 1
  • 16
  • 27
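As an added illustration of the answer's JSON-plus-validation approach (example code, not from the question or the answer): a signed JSON round trip using only the standard library, where the decoder can reconstruct nothing but two allowlisted types, so a forged or tampered payload is at worst rejected, never executed. The key, the `__type__` tags and the sample record are constructed for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from decimal import Decimal

SECRET_KEY = b"example-key-not-for-production"  # constructed; load from settings in real use

def _encode_extra(obj):
    """json.dumps 'default' hook: tag the few non-JSON types we choose to support."""
    if isinstance(obj, datetime):
        return {"__type__": "datetime", "value": obj.isoformat()}
    if isinstance(obj, Decimal):
        return {"__type__": "decimal", "value": str(obj)}
    raise TypeError(f"unsupported type: {type(obj).__name__}")

def _decode_extra(d):
    """json.loads object_hook: rebuild only allowlisted tags; anything else stays a dict."""
    tag = d.get("__type__")
    if tag == "datetime":
        return datetime.fromisoformat(d["value"])
    if tag == "decimal":
        return Decimal(d["value"])
    return d  # no path here can instantiate an arbitrary class, unlike unpickling

def dumps_signed(obj):
    """Serialize to canonical JSON and append an HMAC-SHA256 tag over those exact bytes."""
    payload = json.dumps(obj, default=_encode_extra, sort_keys=True,
                         separators=(",", ":")).encode()
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"." + tag

def loads_verified(blob):
    """Check the tag (constant-time) before parsing a single byte of the payload."""
    payload, sep, tag = blob.rpartition(b".")  # the hex tag never contains '.'
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest().encode()
    if not sep or not hmac.compare_digest(expected, tag):
        raise ValueError("signature check failed")
    return json.loads(payload, object_hook=_decode_extra)

def verify(blob):
    try:
        loads_verified(blob)
    except ValueError:  # JSONDecodeError is a ValueError too
        return False
    return True

def sample_record():
    """Constructed sample of the kind of object a model field might carry."""
    return {"when": datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc),
            "amount": Decimal("19.99"), "n": 3}
```

Note that the HMAC only proves the blob came from a holder of the key; the safety gain over signed pickle comes from the decoder, which has no way to build objects outside the allowlist.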