scikit-spectra pickle should not be used for non-temporary files, and even with temporary files should be used with extreme caution

pickle should not be used for non-temporary files, and even with temporary files should be used with extreme caution

Open KOLANICH opened this issue 5 years ago • 0 comments

Pickle is a security issue, it is code execution. So pickle should never be used to create a file format for storage of data for an application.

But https://github.com/hugadams/scikit-spectra/blob/55eabf747d2ee34f2ff8082e76ee509c8a144752/skspec/pandas_utils/dataframeserial.py#L69 https://github.com/hugadams/scikit-spectra/blob/55eabf747d2ee34f2ff8082e76ee509c8a144752/skspec/pandas_utils/metadframe.py#L61 https://github.com/hugadams/scikit-spectra/blob/55eabf747d2ee34f2ff8082e76ee509c8a144752/skspec/data/init.py#L36

Also some obsolete code is present in the repo: https://github.com/hugadams/scikit-spectra/blob/55eabf747d2ee34f2ff8082e76ee509c8a144752/examples/Notebooks/_PCAOLD_LOOKATME.ipynb#L15

Apr 20 '19 08:04 KOLANICH

scikit-spectra scikit-spectra copied to clipboard

pickle should not be used for non-temporary files, and even with temporary files should be used with extreme caution

scikit-spectra
scikit-spectra copied to clipboard