Security issues with R serialization (saveRDS)

User_3UBNR Member Posts: 1 Employee

We are building functionality to bring external models built in R into our application. Apart from PMML, some custom R models/objects can be saved using saveRDS, which is a serialized form of the object, much like pickle in Python. We plan to load it remotely using JRI/rpy2. My question is: are there any security concerns with saveRDS? I am comparing this with Python pickle, which is also a serialized form, where someone can potentially store malicious code or a malicious system call in a pickle file. Please have a look at this link: https://www.benfrederickson.com/dont-pickle-your-data/

Do we have similar concerns with saveRDS? The reason I am asking about security issues is that, while loading an RDS object (uploaded/shared by someone), we don't want to execute a potential command on our server.