Expected Findings
- Importer pipes user bytes into `pickle.loads` without validation.
- Equivalent Java endpoint accepts polymorphic Jackson types.
- Errors during decode are echoed verbatim, leaking class names.
The import endpoint accepts a base64-encoded pickle blob and unpickles it directly, so any payload can run `__reduce__` during decode.
CWE-502
obj = pickle.loads(base64.b64decode(req.body))  # vulnerable: unpickles request bytes directly
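
A hardened form of the importer, as an added example that is not the reviewed application's code: it blocks every global lookup during unpickling and returns a generic error instead of echoing the decode failure. `safe_import`, `ImportRejected`, `ALLOWED_GLOBALS` and `MAX_BLOB_BYTES` are hypothetical names, and the example assumes the import format only carries plain containers and scalars.

```python
import base64
import io
import pickle

# Assumption: imports carry only dicts, lists, strings and numbers, so no
# class or function lookup is ever legitimate. Add (module, name) pairs
# here only for types the format genuinely needs.
ALLOWED_GLOBALS = frozenset()
MAX_BLOB_BYTES = 1 << 20  # hypothetical upper bound on the encoded blob


class ImportRejected(Exception):
    """Generic failure returned to the caller; details stay server-side."""


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # Every global reference in the stream is resolved through this
        # method, including the callable named by a __reduce__ payload.
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError("global lookup blocked")


def safe_import(body: bytes):
    """Decode a base64 import blob without resolving arbitrary globals."""
    try:
        if len(body) > MAX_BLOB_BYTES:
            raise ValueError("blob too large")
        raw = base64.b64decode(body, validate=True)
        return RestrictedUnpickler(io.BytesIO(raw)).load()
    except Exception:
        # Malformed pickles raise many exception types; collapse them all
        # into one message so class names are not leaked to the client.
        raise ImportRejected("invalid import payload") from None
```

Where the import format can be changed, a data-only encoding such as JSON removes the global lookup entirely and is preferable to an allowlist.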