Pickles Bite

What's a pickle to a pythonista?

Quick example

import pickle
qux = [1, None, ('ned', 0)]
my_object = {'foo': 'bar', 'baz': qux}

# dumps() returns the serialized byte stream (protocol 0 in Python 2)
my_pickle = pickle.dumps(my_object)

print(my_pickle)

Outputs a special, serialized format in a mini-language

(dp0
S'foo'
p1
S'bar'
p2
sS'baz'
p3
(lp4
I1
aNa(S'ned'
p5
I0
tp6
as.

Then, later on another machine or in another session:

my_object = pickle.loads(my_pickle)

With great power comes great responsibility.

Pickles are fundamentally insecure.

Why pickles are insecure:

  • Generating arbitrary objects requires running arbitrary code.
  • This is a feature, not a bug.

Pickle bomb in <10 lines

import subprocess
import pickle

class Dangerous(object):
    # __reduce__ tells pickle how to rebuild this object on load:
    # "call the first element with the second element as arguments".
    # Here that is subprocess.Popen(('say', ...)), run by whoever unpickles.
    def __reduce__(self):
        # This particular payload works on OSX.
        return (
            subprocess.Popen,
            (('say', 'You are having a very bad day.'),))

dangerous_pickle = pickle.dumps(Dangerous())

# Don't do it!  loads() executes the Popen call before returning.
some_object = pickle.loads(dangerous_pickle)
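
Added example, not from the talk: the mini-language shown a few slides back can be read with the standard library's pickletools module without executing any of it, which makes a cheap pre-load triage possible. Plain data (dicts, lists, strings, ints, tuples, None) never needs an opcode that calls anything; a pickle that carries a __reduce__ payload like the one above must contain GLOBAL/STACK_GLOBAL and REDUCE (or one of their relatives). SAMPLE is the object from the earlier slide; Dangerous is a constructed stand-in for the bomb above with the harmless command true instead of say; CALL_OPCODES, opcode_names and call_capable_opcodes are names chosen here. The code is Python 3, whereas the slides are Python 2.

```python
import pickle
import pickletools
import subprocess

# Constructed sample: the object serialized on the "Quick example" slide.
SAMPLE = {'foo': 'bar', 'baz': [1, None, ('ned', 0)]}

# Opcodes that make the unpickler import or call something while loading.
# A stream built only from data opcodes never contains any of them.
CALL_OPCODES = frozenset({
    'GLOBAL', 'STACK_GLOBAL',   # import module.name
    'REDUCE', 'INST', 'OBJ',    # call a callable with arguments
    'NEWOBJ', 'NEWOBJ_EX',      # call cls.__new__(cls, ...)
    'BUILD',                    # call __setstate__ / set attributes
})


def opcode_names(data):
    """Walk the pickle stream with pickletools (no execution) and return
    the opcode names in order."""
    return [op.name for op, _arg, _pos in pickletools.genops(data)]


def call_capable_opcodes(data):
    """Opcodes in the stream that can run code on load; [] for pure-data pickles."""
    return sorted(set(opcode_names(data)) & CALL_OPCODES)


class Dangerous:
    """Constructed stand-in for the slide's pickle bomb. subprocess.Popen is
    named in the stream but nothing in this file ever loads it."""
    def __reduce__(self):
        return (subprocess.Popen, (('true',),))


if __name__ == '__main__':
    benign = pickle.dumps(SAMPLE, protocol=0)
    print(benign.decode('ascii'))       # the slide's mini-language (Python 3 uses V for str)
    pickletools.dis(benign)             # annotated, opcode-by-opcode listing
    print(call_capable_opcodes(benign))                        # []
    print(call_capable_opcodes(pickle.dumps(Dangerous(), protocol=0)))  # ['GLOBAL', 'REDUCE']
```

The check is deliberately over-approximate: any pickled instance of a user class will trip it too, because rebuilding an instance needs the same opcodes as the bomb. That is exactly the talk's point: there is no opcode-level difference between "rebuild my object" and "run my command", so the triage can only tell you "this pickle calls something", not whether that something is safe.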

Do not despair!

Other serialization formats:

  • JSON
  • CSV
  • XML
  • YAML

Bonus: they're compatible with other languages and they're human readable.

Maybe despair a little bit!

These formats and their associated deserializers have had a handful of problems over the years.

IANASR, this is not advice, it's an observation:

  • Simpler is generally more secure (e.g. JSON represents only float, int, dict, list...)
  • Use libraries -- don't set yourself up for injection.
  • Will other platforms trust it (e.g. CSV injection)?
  • Don't go around trusting user input!

Questions?

  • Sources:
    • The python docs!
    • https://blog.nelhage.com/2011/03/exploiting-pickle/