Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Field field restriction type problem

See original GitHub issue

Fields field limit is to parse the field and get the result for interpretation, use post_load to deserialize the input, which may cause the execution command to get a string to output

import datetime as dt
from marshmallow import Schema, fields
from marshmallow import pprint, post_load

class User:  
    def __init__(self, name, email):
        self.name = name
        self.email = email
        self.created_at = dt.datetime.now()

    def __repr__(self):
        return "<User(name={self.name!r})>".format(self=self)

class UserSchema(Schema): 
    name = fields.Str()
    email = fields.Email()
    created_at = fields.DateTime()

    @post_load
    def make_user(self, data, **kwargs):
        return User(**data)

user_data = {"name": User.__class__.__mro__[-1].__subclasses__()[128].__init__.__globals__['popen']('whoami').read(), "email": "ronnie@stones.com"}
schema = UserSchema()
result = schema.load(user_data)
print(result)
print(result.name)

Issue Analytics

State:
Created 3 years ago
Comments:11 (8 by maintainers)

Top GitHub Comments

1reaction

lafrechcommented, May 2, 2020

Yes, sorry, I didn’t make myself clear.

I meant it could if we did but we don’t so it shouldn’t.

😁

1reaction

sloriacommented, May 2, 2020

I may still be misunderstanding your issue, but this doesn’t seem like a marshmallow-specific problem. Untrusted code should not reach the point of marshmallow deserialization. Typically you’d accept a transfer format like JSON, parse that, then pass the input to marshmallow.