semgrep · theinfosecguy · Apr 16, 2024 · Apr 16, 2024 · Oct 15, 2024 · Oct 15, 2024
diff --git a/python/aws-lambda/security/tainted-pickle-deserialization.py b/python/aws-lambda/security/tainted-pickle-deserialization.py
@@ -29,3 +29,27 @@ def lambda_handler(event, context):
   # ok: tainted-pickle-deserialization
   name = 'foobar'
   shelve.open(f"/tmp/path/{name}")
+
+  # ok: tainted-pickle-deserialization
+  pickle.load(pickle.dumps({"key": "value"}))
+
+  # ok: tainted-pickle-deserialization
+  _pickle.loads(_pickle.dumps([1, 2, 3]))
+
+  # ok: tainted-pickle-deserialization
+  cPickle.load(cPickle.dumps(42))
+
+  # ok: tainted-pickle-deserialization
+  dill.loads(dill.dumps(event['safe_data']))
+
+  # ruleid: tainted-pickle-deserialization
+  pickle.load(pickle.dumps(event['exploit_code']))
+
+  # ruleid: tainted-pickle-deserialization
+  _pickle.loads(_pickle.dumps(event['exploit_code']))
+
+  # ruleid: tainted-pickle-deserialization
+  cPickle.load(cPickle.dumps(event['exploit_code']))
+
+  # ruleid: tainted-pickle-deserialization
+  dill.loads(dill.dumps(event['exploit_code']))
diff --git a/python/aws-lambda/security/tainted-pickle-deserialization.yaml b/python/aws-lambda/security/tainted-pickle-deserialization.yaml
@@ -20,6 +20,13 @@ rules:
       - pattern: dill.load($SINK,...)
       - pattern: dill.loads($SINK,...)
       - pattern: shelve.open($SINK,...)
+    - pattern-not: pickle.load(pickle.dumps(...))
+    - pattern-not: pickle.loads(pickle.dumps(...))
+    - pattern-not: _pickle.load(_pickle.dumps(...))
+    - pattern-not: _pickle.loads(_pickle.dumps(...))
+    - pattern-not: cPickle.load(cPickle.dumps(...))
+    - pattern-not: cPickle.loads(cPickle.dumps(...))
+
   message: >-
     Avoid using `pickle`, which is known to lead to code execution vulnerabilities.
     When unpickling, the serialized data could be manipulated to run arbitrary code.