
LazyFrame.deserialize() should document the security implications #14623

Closed
douglas-raillard-arm opened this issue Feb 21, 2024 · 3 comments · Fixed by #15282
Labels
accepted Ready for implementation documentation Improvements or additions to documentation

Comments

@douglas-raillard-arm
Contributor

douglas-raillard-arm commented Feb 21, 2024

Description

Since LazyFrame.deserialize() can end up calling into pickle/cloudpickle, this makes it unsafe to use on untrusted input, so it would be good if the documentation stated this, similarly to the Python docs:

Link

https://docs.python.org/3/library/pickle.html
https://docs.pola.rs/py-polars/html/reference/lazyframe/api/polars.LazyFrame.deserialize.html

@douglas-raillard-arm douglas-raillard-arm added the documentation Improvements or additions to documentation label Feb 21, 2024
@ritchie46
Member

Can you make a PR?

@stinodego stinodego added the accepted Ready for implementation label Feb 24, 2024
@github-project-automation github-project-automation bot moved this to Ready in Backlog Feb 24, 2024
@douglas-raillard-arm
Contributor Author

I'm following my employer's legal process to be able to contribute to polars, after that I should be able to make a PR. I'm currently discovering the API and exploring how I can use it best for our use case, hence all the issues I opened recently :)

douglas-raillard-arm added a commit to douglas-raillard-arm/polars that referenced this issue Mar 25, 2024
Add indication that LazyFrame.deserialize() might execute arbitrary code
coming from the deserialized data.

Fixes pola-rs#14623
@douglas-raillard-arm
Contributor Author

Here we go: #15282

douglas-raillard-arm added a commit to douglas-raillard-arm/polars that referenced this issue Apr 2, 2024
…r.deserialize() docstring

Add indication that LazyFrame.deserialize() and Expr.deserialize() might
execute arbitrary code coming from the deserialized data.

Fixes pola-rs#14623
@github-project-automation github-project-automation bot moved this from Ready to Done in Backlog Apr 13, 2024