docs(python): Add security warning in LazyFrame.deserialize() and Expr.deserialize() docstring

Add indication that LazyFrame.deserialize() and Expr.deserialize() might
execute arbitrary code coming from the deserialized data.

Fixes #14623
douglas-raillard-arm committed Apr 2, 2024
1 parent 8f616b8 commit 299f73c
Showing 2 changed files with 15 additions and 0 deletions.
7 changes: 7 additions & 0 deletions py-polars/polars/expr/expr.py
@@ -344,6 +344,13 @@ def deserialize(cls, source: str | Path | IOBase) -> Self:
objects that have a `read()` method, such as a file handler (e.g.
via builtin `open` function) or `BytesIO`).
Warnings
--------
This function uses :mod:`pickle` under some circumstances, and as
such inherits the security implications. Deserializing can execute
arbitrary code so it should only be attempted on trusted data.
Currently, pickle will be used when serializing UDF.
See Also
--------
Expr.meta.serialize
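Review bot: The closing sentence of the new Warnings block, "Currently, pickle will be used when serializing UDF.", is ungrammatical (missing article or plural) and is phrased from the serializing side although this is the docstring of `deserialize`, where the reader needs to know that it is the deserialize call that unpickles. Suggest rewording to: "Currently, pickle is used whenever the serialized expression contains a Python UDF, so deserializing such data unpickles it." It would also help to make the trust requirement concrete rather than "should only be attempted on trusted data", e.g. "Only deserialize data produced by a source you trust, exactly as you would with :func:`pickle.load`."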
8 changes: 8 additions & 0 deletions py-polars/polars/lazyframe/frame.py
@@ -617,6 +617,14 @@ def deserialize(cls, source: str | Path | IOBase) -> Self:
objects that have a `read()` method, such as a file handler (e.g.
via builtin `open` function) or `BytesIO`).
Warnings
--------
This function uses :mod:`pickle` under some circumstances, and as
such inherits the security implications. Deserializing can execute
arbitrary code so it should only be attempted on trusted data.
Currently, pickle will be used when serializing UDF.
See Also
--------
LazyFrame.serialize
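Review bot: This Warnings block is a verbatim copy of the one added to `expr.py`, so the same fix to "Currently, pickle will be used when serializing UDF." applies here. In addition, "under some circumstances" invites a reader to assume they can decide case by case whether a serialized plan is safe to load; the warning would be stronger if it stated the rule unconditionally for the caller, e.g. "Never deserialize a plan from an untrusted source: a plan that contains a Python UDF is unpickled, and unpickling can execute arbitrary code."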
