Insecure Deserialization Detector
Detects insecure deserialization vulnerabilities in Python code using AST analysis.
What It Detects
- pickle.loads() / pickle.load() — CWE-502 HIGH
- marshal.loads() — CWE-502 HIGH
- yaml.load() — CWE-502 MEDIUM (use yaml.safe_load instead)
- jsonpickle.decode() — CWE-502 HIGH
- dill.loads() — CWE-502 HIGH
- eval() / exec() — CWE-95 HIGH
- Import aliases: import pickle as pk → pk.loads() still caught
- From-imports: from pickle import loads → loads() still caught
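To illustrate how an AST-based check of this kind resolves import aliases and from-imports before matching calls, here is an added example scanner. It is not the extension's own code; the RULES table, the finding tuple shape and the SAMPLE input are constructed for this illustration.

```python
import ast

# Constructed rule table: (module, callable) -> (CWE, severity).
# Builtins are keyed under "builtins" so eval/exec share the same lookup.
RULES = {
    ("pickle", "loads"): ("CWE-502", "HIGH"),
    ("pickle", "load"): ("CWE-502", "HIGH"),
    ("marshal", "loads"): ("CWE-502", "HIGH"),
    ("yaml", "load"): ("CWE-502", "MEDIUM"),
    ("jsonpickle", "decode"): ("CWE-502", "HIGH"),
    ("dill", "loads"): ("CWE-502", "HIGH"),
    ("builtins", "eval"): ("CWE-95", "HIGH"),
    ("builtins", "exec"): ("CWE-95", "HIGH"),
}

class DeserializationScanner(ast.NodeVisitor):
    def __init__(self):
        self.aliases = {}     # local name -> module, e.g. "pk" -> "pickle"
        self.from_names = {}  # local name -> (module, func), e.g. "loads" -> ("pickle", "loads")
        self.findings = []    # (lineno, qualified name, CWE, severity)

    def visit_Import(self, node):
        for alias in node.names:           # import pickle as pk
            self.aliases[alias.asname or alias.name] = alias.name
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        for alias in node.names:           # from pickle import loads [as l]
            self.from_names[alias.asname or alias.name] = (node.module, alias.name)
        self.generic_visit(node)

    def visit_Call(self, node):
        func, key = node.func, None
        if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
            key = (self.aliases.get(func.value.id), func.attr)   # pk.loads(...)
        elif isinstance(func, ast.Name):
            key = self.from_names.get(func.id, ("builtins", func.id))  # loads(...) / eval(...)
        if key in RULES:
            cwe, severity = RULES[key]
            self.findings.append((node.lineno, f"{key[0]}.{key[1]}", cwe, severity))
        self.generic_visit(node)           # keep walking: nested calls in arguments

def scan_source(source: str):
    """Parse Python source and return every matching call, in source order."""
    scanner = DeserializationScanner()
    scanner.visit(ast.parse(source))
    return scanner.findings

# Constructed sample input exercising an alias, a from-import, a safe call and a builtin.
SAMPLE = """import pickle as pk
from marshal import loads as ml
import yaml
pk.loads(blob)
ml(data)
yaml.safe_load(doc)
eval(user_input)
"""

if __name__ == "__main__":
    for lineno, name, cwe, severity in scan_source(SAMPLE):
        print(f"line {lineno}: {name} ({cwe}, {severity})")
```

Note that yaml.load with an explicit Loader=yaml.SafeLoader would still be reported by this simplified matcher; a production rule would inspect the keyword arguments before flagging.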
Requirements
- Python 3.7+ must be installed
- Set insecureDeserializationDetector.pythonPath in settings if Python is not on PATH
Usage
- Open any .py file — scanning happens automatically on open and save
- Right-click in editor → Scan for Insecure Deserialization
- Command Palette → Security: Scan Workspace for Insecure Deserialization
Settings
| Setting | Default | Description |
|---|---|---|
| pythonPath | python | Path to Python interpreter |
| scanOnSave | true | Scan on file save |
| scanOnOpen | true | Scan on file open |