
Faust should not use the unsecure pickle.loads #738

olivier-heurtier opened this issue Oct 11, 2021 · 0 comments

Faust latest version (1.10.4) still makes use of the pickle.loads function, even though it is marked in the Python documentation as "not secure".
This is reported by tools such as NexusIQ as a major vulnerability, with potentially a no-go for production in sensitive projects.

Since the "raw_pickle" serializer is rather trivial, I propose to remove it from the code and move it into the documentation. People who really need it will easily be able to add it in their own project (at their own risk).

olivier-heurtier changed the title from "Faust should not used the unsecure pickle.loads" to "Faust should not use the unsecure pickle.loads" on Oct 12, 2021
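An added example, not Faust's code and not part of the issue: the shape of a raw_pickle-style serializer built on plain pickle.loads, beside a variant whose loads() uses the restricted unpickler pattern from the Python pickle documentation. The SAFE_GLOBALS allow-list, the class names and the constructed payloads are assumptions of this example.

```python
import importlib
import io
import pickle

# Allow-list of globals the restricted unpickler may resolve. This policy is an
# assumption of the example; an application extends it with its own safe
# classes, never with modules that execute code (os, subprocess, builtins.eval).
SAFE_GLOBALS = {"builtins": {"set", "frozenset", "range", "slice", "complex"}}


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve GLOBAL/STACK_GLOBAL opcodes only for allow-listed names."""

    def find_class(self, module, name):
        if name in SAFE_GLOBALS.get(module, ()):
            return getattr(importlib.import_module(module), name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


class RawPickleUnsafe:
    """Shape of the serializer the issue objects to (illustrative, not
    Faust's class): dumps/loads are plain pickle calls."""

    def dumps(self, obj) -> bytes:
        return pickle.dumps(obj)

    def loads(self, data: bytes):
        return pickle.loads(data)  # resolves (and may call) any global in data


class RawPickleRestricted(RawPickleUnsafe):
    """Same wire format, but loads() refuses globals outside SAFE_GLOBALS."""

    def loads(self, data: bytes):
        return RestrictedUnpickler(io.BytesIO(data)).load()


def load_or_reject(codec, data: bytes):
    """Return ("ok", obj) or ("rejected", reason) for one payload."""
    try:
        return ("ok", codec.loads(data))
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


# Constructed inputs: a plain-data record (what a stream message should be)
# and a pickle carrying a global reference (here the harmless builtin `len`).
RECORD = {"user": "alice", "scores": [1, 2.5], "tags": frozenset({"a"}), "raw": b"\x00"}
PLAIN_DATA = pickle.dumps(RECORD)
GLOBAL_REF = pickle.dumps(len)

if __name__ == "__main__":
    for codec in (RawPickleUnsafe(), RawPickleRestricted()):
        print(type(codec).__name__, load_or_reject(codec, PLAIN_DATA)[0],
              load_or_reject(codec, GLOBAL_REF)[0])
```

Plain data (dicts, lists, strings, bytes, numbers) round-trips through both codecs; only the restricted variant refuses a pickle that names a global outside the allow-list, which is the check a project keeping a pickle codec "at its own risk" would want.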