
#0601

Unsafe Pickle Detection

Difficulty: Easy · +50 XP · OWASP A08:2021 Software and Data Integrity Failures · CWE-502
Tags: Deserialization · Pickle · Python

Scenario

Your Python service accepts serialized user preferences from a cookie or API body.

The function blindly deserialises whatever it receives. An attacker crafts a pickle payload (identifiable by the `\x80` magic byte prefix or a `pickle:` tag) that executes arbitrary code when loaded.

Python's pickle module is a remote code execution primitive. Any user-controlled input reaching `pickle.loads` gives attackers full shell access on the server.

Your Tasks

  1. Detect potentially unsafe pickle data: if `serialized` starts with `\x80` or with the literal string `pickle:`, raise `ValueError('Unsafe deserialisation')`.
  2. For all other inputs, parse them as JSON and return the resulting dict.
  3. Do not call `pickle.loads` anywhere in your solution.

Examples

Example 1: Exploit — pickle magic byte prefix

loadUserPrefs('\x80pickle_data')
# raises: ValueError('Unsafe deserialisation')

Example 2: Safe — valid JSON preferences

loadUserPrefs('{"name":"alice","theme":"dark"}')
# returns: {'name': 'alice', 'theme': 'dark'}

Constraints

  • Raise exactly `ValueError('Unsafe deserialisation')` (note the British spelling).
  • The `\x80` check must test the raw character at position 0, not a byte prefix.
  • Valid JSON inputs must be parsed and returned as a dict.
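A reference implementation of the task as specified above, added here as an example and not taken from the platform's solution file. The `is_unsafe_pickle` helper name, the `bytes` rejection and the check that the parsed JSON is an object are my additions; the tagged sample value in the demo is constructed.

```python
import json


def is_unsafe_pickle(serialized: str) -> bool:
    """Return True when the input looks like a pickle stream rather than JSON.

    The check inspects the raw character at position 0 (as the task requires):
    '\\x80' is the PROTO opcode that opens every pickle produced with
    protocol 2 or later, and 'pickle:' is the tag this challenge uses for
    tagged payloads. Nothing is parsed before this decision is made.
    """
    if not isinstance(serialized, str):
        # Assumption: the service hands us decoded text, never raw bytes.
        raise TypeError("serialized must be a str")
    return serialized[:1] == "\x80" or serialized.startswith("pickle:")


def loadUserPrefs(serialized: str) -> dict:
    """Parse user preferences as JSON, refusing pickle-shaped input outright.

    pickle.loads is never called: a pickle stream is rejected before any
    deserialisation happens, and everything else must be a JSON object.
    """
    if is_unsafe_pickle(serialized):
        raise ValueError("Unsafe deserialisation")
    prefs = json.loads(serialized)  # raises json.JSONDecodeError on malformed input
    if not isinstance(prefs, dict):
        # Extra guard (my addition): the contract promises a dict, so a JSON
        # array or scalar is treated as invalid preferences rather than returned.
        raise ValueError("Preferences must be a JSON object")
    return prefs


if __name__ == "__main__":
    # Constructed samples mirroring the two examples on the page plus a tagged payload.
    print(loadUserPrefs('{"name":"alice","theme":"dark"}'))
    for bad in ("\x80pickle_data", "pickle:constructed-tagged-payload"):
        try:
            loadUserPrefs(bad)
        except ValueError as exc:
            print(f"{bad[:6]!r}... rejected: {exc}")
```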

Hint

References
