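--- a/python/ql/lib/semmle/python/frameworks/<JOBLIB_FILE_PLACEHOLDER>
+++ b/python/ql/lib/semmle/python/frameworks/<JOBLIB_FILE_PLACEHOLDER>
@@ -17,15 +17,6 @@ private module Joblib {
  * A call to `joblib.load`
  * See https://pypi.org/project/joblib/
  *
- * Claiming there is decoding of the input to `joblib.load` is a bit questionable, since
- * it's not the filename, but the contents of the file that is decoded.
- *
- * However, we definitely want to be able to alert if a user is able to control what
- * file is used, since that can lead to code execution (even if that file is free of
- * path injection).
- *
- * So right now the best way we have of modeling this seems to be to treat the filename
- * argument as being deserialized...
  */
 private class PandasReadPickleCall extends Decoding:: Range , DataFlow:: CallCfgNode {
 PandasReadPickleCall ( ) { this = API:: moduleImport ( "joblib" ) .getMember ( "load" ) .getACall ( ) }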
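Review bot: With the nine rationale lines gone, the doc comment above `PandasReadPickleCall` no longer says why the filename argument of `joblib.load` is modeled as a `Decoding::Range` at all, which is the non-obvious part of this model and the first thing a maintainer tuning the query will ask; I would keep one sentence in its place, e.g. ` * Modeled as decoding the filename argument so that user-controlled file selection is reported, since loading an attacker-chosen file can lead to code execution.` The same applies to the Numpy hunk (`@@ -18,15 +18,6 @@ private module Numpy`). Separately, the class in this `Joblib` module (and the one in `Numpy`) is still named `PandasReadPickleCall` although it models `joblib.load`, which reads as a copy-paste leftover; a name such as `JoblibLoadCall` would make the module self-describing. The doc comment opens above the hunk, so its first lines are not visible here.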
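--- a/python/ql/lib/semmle/python/frameworks/<NUMPY_FILE_PLACEHOLDER>
+++ b/python/ql/lib/semmle/python/frameworks/<NUMPY_FILE_PLACEHOLDER>
@@ -18,15 +18,6 @@ private module Numpy {
  * A call to `numpy.load`
  * See https://pypi.org/project/numpy/
  *
- * Claiming there is decoding of the input to `numpy.load` is a bit questionable, since
- * it's not the filename, but the contents of the file that is decoded.
- *
- * However, we definitely want to be able to alert if a user is able to control what
- * file is used, since that can lead to code execution (even if that file is free of
- * path injection).
- *
- * So right now the best way we have of modeling this seems to be to treat the filename
- * argument as being deserialized...
  */
 private class PandasReadPickleCall extends Decoding:: Range , DataFlow:: CallCfgNode {
 PandasReadPickleCall ( ) {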
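--- a/python/ql/lib/semmle/python/frameworks/<PANDAS_FILE_PLACEHOLDER>
+++ b/python/ql/lib/semmle/python/frameworks/<PANDAS_FILE_PLACEHOLDER>
@@ -17,7 +17,7 @@ private module Pandas {
 /**
  * A call to `pandas.read_pickle`
  * See https://pypi.org/project/pandas/
- * https://pandas.pydata.org/pandas-docs/stable/reference/api/pandas.read_pickle.html)
+ * See https://pandas.pydata.org/pandas-docs/stable/reference/api/pandas.read_pickle.html
  */
 private class PandasReadPickleCall extends Decoding:: Range , DataFlow:: CallCfgNode {
 PandasReadPickleCall ( ) {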