Comments (4)
@martinjm97 I think a warning in the readme would suffice. Just something eye-catching, since the note about pickling is kind of easy to miss and requires the user to already know the security risk of unpickling data. Something like this at the top of the readme section for load:

❗⚠️ Never call `args.load('args.json')` on untrusted files. Argument loading uses the `pickle` module to decode complex types automatically. Unpickling of untrusted data is a security risk and can lead to arbitrary code execution. See the warning in the pickle docs. ❗⚠️
Feel free to merge #82 if that sounds fine.
from typed-argument-parser.
Alternatively, the `load` method could refuse to unpickle data by default unless a keyword argument `data_is_trusted` is set to true. This would make the warning a lot easier to notice. But it would be backwards incompatible, so perhaps that's overkill.
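The following is an added example, not code from typed-argument-parser or from either commenter. It shows in working Python why the warning above matters and what the proposed opt-in gate would look like: a saved-arguments file carrying a pickled field, the unconditional unpickle that lets a callable chosen by whoever wrote the file run during `load`, a `data_is_trusted` keyword that refuses pickled fields by default, and, as a middle ground, a restricted unpickler that admits only a small allow-list of built-in types. The on-disk layout (a JSON object whose non-JSON values are stored as `{"_pickled": "<base64 pickle>"}`), the names `loads_args`, `load_args`, `allow_safe_types`, `MaliciousPath` and `SAFE_BUILTINS` are assumptions for the illustration, not the library's format or API. The hostile payload deliberately uses a harmless callable (`open`, creating an empty marker file) so that the fact that it ran is observable; a real payload would name something like `os.system`.

```python
"""Added example (not typed-argument-parser's code): pickled argument files,
the proposed data_is_trusted gate, and a restricted unpickler.

Assumed file format (not the library's own): a JSON object in which any
value JSON cannot represent is stored as {"_pickled": "<base64 pickle>"}.
"""
import base64
import builtins
import io
import json
import os
import pickle
import tempfile


class UntrustedPickleError(ValueError):
    """Raised when a pickled field is present and the caller did not opt in."""


class MaliciousPath:
    """Hypothetical attacker-controlled object. __reduce__ tells the unpickler
    which callable to invoke while 'reconstructing' it, so whoever wrote the
    file picks the function and its arguments. Here that is open(marker, "w"),
    chosen because creating a file is harmless and easy to check for."""

    def __init__(self, marker):
        self.marker = marker

    def __reduce__(self):
        return (open, (self.marker, "w"))


def encode_pickled(obj):
    """Store a non-JSON value the way the assumed format does."""
    return {"_pickled": base64.b64encode(pickle.dumps(obj)).decode("ascii")}


# Built-ins a restricted loader may reconstruct; anything else is refused.
SAFE_BUILTINS = {"set", "frozenset", "complex", "range", "slice", "bytearray"}


class RestrictedUnpickler(pickle.Unpickler):
    """find_class is the hook every GLOBAL/STACK_GLOBAL opcode goes through,
    which is exactly the step an attacker's __reduce__ payload depends on."""

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def _decode(field, value, *, data_is_trusted, allow_safe_types):
    if not (isinstance(value, dict) and tuple(value) == ("_pickled",)):
        return value  # plain JSON value, nothing to unpickle
    raw = base64.b64decode(value["_pickled"])
    if data_is_trusted:
        return pickle.loads(raw)  # full pickle: only for files you wrote yourself
    if allow_safe_types:
        return RestrictedUnpickler(io.BytesIO(raw)).load()
    raise UntrustedPickleError(
        f"field {field!r} is pickled; pass data_is_trusted=True to load it")


def loads_args(text, *, data_is_trusted=False, allow_safe_types=False):
    """Decode saved arguments from JSON text; pickled fields are refused
    unless the caller opts in (hypothetical API mirroring the proposal)."""
    saved = json.loads(text)
    return {k: _decode(k, v, data_is_trusted=data_is_trusted,
                       allow_safe_types=allow_safe_types)
            for k, v in saved.items()}


def load_args(path, **kwargs):
    with open(path, encoding="utf-8") as fh:
        return loads_args(fh.read(), **kwargs)


def demo():
    """Constructed inputs: one hostile args file, one benign one."""
    marker = os.path.join(tempfile.mkdtemp(), "unpickle_ran")
    hostile = json.dumps({"seed": 1, "cache_dir": encode_pickled(MaliciousPath(marker))})
    benign = json.dumps({"seed": 1, "tags": encode_pickled({"train", "eval"})})
    results = {}
    try:
        loads_args(hostile)  # default: refuse before touching the pickle
        results["default"] = "loaded"
    except UntrustedPickleError:
        results["default"] = "refused"
    results["marker_after_default"] = os.path.exists(marker)
    try:
        loads_args(hostile, allow_safe_types=True)  # open() is not on the allow-list
        results["restricted"] = "loaded"
    except pickle.UnpicklingError:
        results["restricted"] = "refused"
    results["benign_restricted"] = loads_args(benign, allow_safe_types=True)["tags"]
    # What an unconditional unpickle does: the attacker's callable runs and the
    # "value" that comes back is the open file handle it returned.
    loads_args(hostile, data_is_trusted=True)["cache_dir"].close()
    results["marker_after_trusted"] = os.path.exists(marker)
    return results


if __name__ == "__main__":
    print(demo())
```

The allow-list approach is only a partial answer for a library like this one, which pickles values precisely because they are not built-in types (paths, enums, user classes); for those, the honest options are the explicit `data_is_trusted` opt-in or a serializer that reconstructs known types from plain JSON instead of pickle.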
Hi @Cnoor0171,
Thank you for identifying this security risk. Would you be satisfied by a change to the readme? If so, we're happy to look over a PR and we'll try to get to it soon.
Thanks again,
Kyle and Jesse
Thank you for keeping a watchful eye out wrt security. Much appreciated!
--Jesse