operator_utils.py contains unsafe deserialization code #1119

@mhucka

Description

Describe the issue

Security code scanning alert 567 flagged a case of deserializing a user-provided value without checking boundaries or doing other safety checks. It happens on line 283, where a load() function is called after reading a file:

            raise TypeError('Operator of invalid type.')
    else:
        with open(file_path, 'rb') as f:
            data = marshal.load(f)

We should fix this to be safer.

What version of this software are you using?

0.23.0.dev0

How can the issue be reproduced?

No response
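An added example, not code from the issue or from the project: a loader that reads a bounded number of bytes and validates a JSON document against a fixed schema, as a replacement for the unfiltered marshal.load(f) quoted above (the marshal module is documented as not being secure against erroneous or maliciously constructed data, so bounds checks alone would not make it safe). The JSON layout ({"terms": [{"ops": [[index, action], ...], "coeff": [re, im]}]}), the size bounds and the function names are assumptions.

```python
import json

# Bounds a caller is willing to accept; the values are assumptions.
MAX_FILE_BYTES = 1 << 20
MAX_TERMS = 10_000
MAX_OPS_PER_TERM = 64

class UnsafeOperatorFile(ValueError):
    """The document does not match the expected schema or exceeds the bounds."""

def _check_term(term):
    if not isinstance(term, dict) or set(term) != {"ops", "coeff"}:
        raise UnsafeOperatorFile("term must be {'ops': [...], 'coeff': [re, im]}")
    ops, coeff = term["ops"], term["coeff"]
    if not isinstance(ops, list) or len(ops) > MAX_OPS_PER_TERM:
        raise UnsafeOperatorFile("ops must be a list of at most %d pairs" % MAX_OPS_PER_TERM)
    for op in ops:
        # type(x) is int rejects bool: JSON true/false must not pass as an index.
        if (not isinstance(op, list) or len(op) != 2 or any(type(x) is not int for x in op)
                or op[0] < 0 or op[1] not in (0, 1)):
            raise UnsafeOperatorFile("each op must be [non-negative int, 0 or 1]")
    if (not isinstance(coeff, list) or len(coeff) != 2
            or any(type(x) not in (int, float) for x in coeff)):
        raise UnsafeOperatorFile("coeff must be [real, imag]")
    return tuple((i, a) for i, a in ops), complex(coeff[0], coeff[1])

def parse_operator_bytes(raw):
    """Validate a JSON operator document; return {ops_tuple: complex coefficient}."""
    if len(raw) > MAX_FILE_BYTES:
        raise UnsafeOperatorFile("document too large")
    try:
        doc = json.loads(raw)  # JSON carries only data; marshal can carry code objects
    except ValueError as e:
        raise UnsafeOperatorFile("not valid JSON: %s" % e) from None
    if not isinstance(doc, dict) or set(doc) != {"terms"}:
        raise UnsafeOperatorFile("top level must be {'terms': [...]}")
    terms = doc["terms"]
    if not isinstance(terms, list) or len(terms) > MAX_TERMS:
        raise UnsafeOperatorFile("terms must be a list of at most %d entries" % MAX_TERMS)
    result = {}
    for term in terms:
        ops, coeff = _check_term(term)
        result[ops] = result.get(ops, 0) + coeff  # merge duplicate terms
    return result

def load_operator_terms(file_path):
    """Replacement for the quoted marshal.load(f): read a bounded number of bytes, then validate."""
    with open(file_path, "rb") as f:
        return parse_operator_bytes(f.read(MAX_FILE_BYTES + 1))
```

Every rejection raises UnsafeOperatorFile before any value is handed to the caller, so a malformed or oversized file fails closed instead of crashing the interpreter or producing an object of the wrong shape.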

Labels

area/health: Involves code and/or project health
area/python: Involves Python code
no QC knowledge needed: Does not require knowledge of quantum computing
priority/p2: Medium priority