Security issues with R serialization (saveRDS)

User_3UBNR Member Posts: 1 Employee

We are building a functionality to bring external Models built in R into our application. Apart from PMML, some custom R models/objects can be saved using saveRDS, which is a serialized form of the object, much like we have in Python pickle. We plan to load it remotely using JRI/rpy2. My question is: are there any security concerns with saveRDS? I am comparing this with Python pickle, which is also a serialized form, and someone can potentially store malicious code or a malicious system call into a pickle file. Please have a look at this link.

Do we have similar concerns with saveRDS? The reason I am asking about security issues is that while loading an RDS object (uploaded/shared by someone) we don't want to execute a potential command on our server.
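One defensive check for the situation described above, as an added example in R that is not part of the post: read the RDS file, then walk the restored object and refuse it if it carries anything that can run code once the object is called, evaluated or printed (closures, calls, environments, external pointers). The function names, the type allowlist and the sample objects are assumptions made for illustration.

```r
# Added example: vet a deserialized RDS object before the application uses it.
# Names and the type list below are assumptions chosen for illustration.

# typeof() values that can execute code when the object is later used.
executable_types <- c("closure", "builtin", "special", "language",
                      "promise", "environment", "externalptr", "bytecode")

find_executable <- function(x, path = "obj") {
  # Recursively collect "<path> <type>" entries for executable components.
  t <- typeof(x)
  if (t %in% executable_types) return(paste0(path, " <", t, ">"))
  hits <- character()
  attrs <- attributes(x)                       # attributes can hide code too
  for (nm in names(attrs))
    hits <- c(hits, find_executable(attrs[[nm]], paste0(path, "@", nm)))
  if (t %in% c("list", "pairlist")) {          # walk list elements
    nms <- names(x); if (is.null(nms)) nms <- rep("", length(x))
    for (i in seq_along(x)) {
      key <- if (nzchar(nms[i])) paste0("$", nms[i]) else paste0("[[", i, "]]")
      hits <- c(hits, find_executable(x[[i]], paste0(path, key)))
    }
  }
  hits
}

read_rds_checked <- function(path, allow = character()) {
  # readRDS only rebuilds the object; the risk is in what runs when the
  # rebuilt parts are used later, so inspect before handing it to callers.
  obj <- readRDS(path)
  hits <- find_executable(obj)
  hits <- hits[!sub(" <.*", "", hits) %in% allow]   # drop allowlisted paths
  if (length(hits)) stop("refusing object with executable parts:\n  ",
                         paste(hits, collapse = "\n  "))
  obj
}

# Constructed inputs: a plain coefficient list and one that smuggles a function.
clean   <- list(coef = c(a = 1.5, b = -0.2), n = 100L)
tainted <- list(coef = c(a = 1.5), predict = function(x) x)
f1 <- tempfile(fileext = ".rds"); saveRDS(clean, f1)
f2 <- tempfile(fileext = ".rds"); saveRDS(tainted, f2)
str(read_rds_checked(f1))                       # accepted, printed by str()
msg <- tryCatch(read_rds_checked(f2), error = function(e) conditionMessage(e))
cat(msg, "\n")                                  # reports obj$predict <closure>
```

Fitted model objects such as an lm carry `call` and `terms` (language type, with an environment attribute), so loading them this way needs an explicit `allow` list for those paths, and the allowlisted parts should still never be evaluated with eval() on the server.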