Short Description
Currently, SCTK (and especially licensedcode/licensedcode-index) uses a cache file which is distributed on PyPI. This cache is being generated using the pickle module, which is usually discouraged for untrusted data, as it allows for executing arbitrary code (compared to "pure" data container formats like JSON etc.).
Possible Labels
Select Category
Describe the Update
Use a cache container format which does not allow executing arbitrary code.
How This Feature will help you/your organization
Reduce the risk of processing possibly untrusted data, regardless of the fact that using SCTK already requires a certain level of trust for SCTK itself.
Possible Solution/Implementation Details
Example/Links if Any
Can you help with this Feature
There is more design needed and I do not have enough overview of the corresponding functionality to properly help with this.
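A data-only cache of the kind requested above could look like the following. This is an added example, not SCTK code and not written by the issue author; the cache layout, `dump_cache`, `load_cache` and the sample rules are hypothetical and assumed for illustration.

```python
import json

# Hypothetical cache layout, assumed for this example (not SCTK's real index):
# {"version": 1, "rules": {"<rule id>": {"license": "<key>", "tokens": [<int>, ...]}}}
CACHE_VERSION = 1

# Constructed sample data.
SAMPLE_RULES = {
    "mit_1.RULE": {"license": "mit", "tokens": [12, 7, 93]},
    "apache-2.0_4.RULE": {"license": "apache-2.0", "tokens": [5, 41]},
}


def dump_cache(rules):
    """Serialize the index as JSON bytes: only objects, arrays, strings, numbers."""
    doc = {"version": CACHE_VERSION, "rules": rules}
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode("utf-8")


def load_cache(raw):
    """Parse and validate cache bytes; raises ValueError on anything unexpected."""
    try:
        # Parsing JSON only builds dict/list/str/int/float/bool/None values.
        doc = json.loads(raw.decode("utf-8"))
    except ValueError as exc:  # covers UnicodeDecodeError and JSONDecodeError
        raise ValueError(f"cache is not valid JSON: {exc}") from None
    if not isinstance(doc, dict) or doc.get("version") != CACHE_VERSION:
        raise ValueError("unexpected cache version or layout")
    rules = doc.get("rules")
    if not isinstance(rules, dict):
        raise ValueError("'rules' must be an object")
    for rule_id, rule in rules.items():
        if not isinstance(rule, dict) or set(rule) != {"license", "tokens"}:
            raise ValueError(f"rule {rule_id!r}: unexpected fields")
        if not isinstance(rule["license"], str):
            raise ValueError(f"rule {rule_id!r}: 'license' must be a string")
        tokens = rule["tokens"]
        # type(t) is int also rejects booleans, which are an int subclass.
        if not isinstance(tokens, list) or not all(type(t) is int for t in tokens):
            raise ValueError(f"rule {rule_id!r}: 'tokens' must be a list of integers")
    return rules


if __name__ == "__main__":
    print(load_cache(dump_cache(SAMPLE_RULES)))
```

A loader like this treats the cache strictly as data: a file in any other format, including a pickle stream, fails validation instead of being interpreted.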