Skip to content

Commit

Permalink
docs(python): Add security warning in LazyFrame.deserialize() docstri…
Browse files Browse the repository at this point in the history
…ng (#15282)

Co-authored-by: Ritchie Vink <ritchie46@gmail.com>
  • Loading branch information
douglas-raillard-arm and ritchie46 authored Apr 13, 2024
1 parent 0f4b946 commit ded6302
Show file tree
Hide file tree
Showing 2 changed files with 15 additions and 0 deletions.
7 changes: 7 additions & 0 deletions py-polars/polars/expr/expr.py
Original file line number Diff line number Diff line change
Expand Up @@ -344,6 +344,13 @@ def deserialize(cls, source: str | Path | IOBase) -> Self:
objects that have a `read()` method, such as a file handler (e.g.
via builtin `open` function) or `BytesIO`).
Warnings
--------
This function uses :mod:`pickle` under some circumstances, and as
such inherits the security implications. Deserializing can execute
arbitrary code so it should only be attempted on trusted data.
pickle is only used when the logical plan contains python UDFs.
See Also
--------
Expr.meta.serialize
Expand Down
8 changes: 8 additions & 0 deletions py-polars/polars/lazyframe/frame.py
Original file line number Diff line number Diff line change
Expand Up @@ -357,6 +357,14 @@ def deserialize(cls, source: str | Path | IOBase) -> Self:
objects that have a `read()` method, such as a file handler (e.g.
via builtin `open` function) or `BytesIO`).
Warnings
--------
This function uses :mod:`pickle` under some circumstances, and as
such inherits the security implications. Deserializing can execute
arbitrary code so it should only be attempted on trusted data.
pickle is only used when the logical plan contains python UDFs.
See Also
--------
LazyFrame.serialize
Expand Down

0 comments on commit ded6302

Please sign in to comment.