Implications associated with the Python (pickle) module.
I am working on a vulnerability issue of the Pickle module in open-zgy. https://community.opengroup.org/osdu/platform/domain-data-mgmt-services/seismic/open-zgy/-/security/vulnerabilities/18266
The pickle library’s documentation discourages the unpickling of untrusted data. Currently, deserialization is happening with a simple approach. To prevent unsafe deserialization, there are multiple approaches:
- Implementing a message authentication code (MAC) to ensure the data integrity of the payload. (hmac and hashlib)
- Run the deserialization code with limited access permissions.
- Validate Inputs.
I would like to hear which will best suit it, as well as a compatibility option for all existing things.