It is common knowledge that pickle is a serious security risk. And yet, vulnerabilities involving that serialisation format keep happening. In the article I briefly describe the issue and appeal to people to stop using pickle.

  • mina86@lemmy.wtf (OP) · 3 upvotes · 22 days ago

    Joblib has the same drawback as pickle. From the documentation:

    joblib.dump() and joblib.load() are based on the Python pickle serialization model, which means that arbitrary Python code can be executed when loading a serialized object with joblib.load().

    joblib.load() should therefore never be used to load objects from an untrusted source or otherwise you will introduce a security vulnerability in your program.
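For readers who are stuck with pickle-format data for now, the standard mitigation is the one the Python documentation describes: subclass `pickle.Unpickler`, override `find_class`, and refuse every global that is not on an explicit allow-list, so a payload that references a callable is rejected before anything can run. The following is an added example written for this thread, not code from the post, the linked article, or the joblib project; the allow-list contents, the `try_load` wrapper and the two sample payloads (a plain dict, and `pickle.dumps(len)`, which encodes a reference to `builtins.len`) are constructed for the demonstration.

```python
import io
import pickle

# Globals the unpickler may resolve. Everything else (os.system,
# subprocess.Popen, builtins.eval, ...) is refused before it can be
# called. Only list constructors that are harmless with any arguments.
SAFE_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("builtins", "range"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allow-listed (module, name) pairs."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        # Raising here stops the load; the offending global is never imported.
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def restricted_loads(data: bytes):
    """Drop-in replacement for pickle.loads() with the allow-list applied."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_load(data: bytes):
    """Return ('ok', obj) or ('rejected', reason) instead of raising."""
    try:
        return ("ok", restricted_loads(data))
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


# Constructed sample payloads for the demonstration.
# Plain containers and scalars need no globals, so they load fine.
SAFE_PAYLOAD = pickle.dumps(
    {"model": "demo", "weights": [0.1, 0.2], "tags": {"a", "b"}}
)
# pickle.dumps(len) emits a GLOBAL/STACK_GLOBAL opcode for builtins.len.
# A stock pickle.loads() would hand back the callable; the restricted
# loader refuses it because builtins.len is not on the allow-list.
GLOBAL_PAYLOAD = pickle.dumps(len)


if __name__ == "__main__":
    print(try_load(SAFE_PAYLOAD))
    print(try_load(GLOBAL_PAYLOAD))
```

Keep the allow-list to types whose constructors are safe to call with attacker-chosen arguments: the unpickler's REDUCE opcode will call anything `find_class` returns, so an allow-list entry is only as safe as that callable. This narrows the attack surface; it does not turn pickle into a safe format, and the advice above (never load pickles or joblib dumps from an untrusted source) still applies.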