docs(python): Add security warning in LazyFrame.deserialize() and Exp…

…r.deserialize() docstring Add indication that LazyFrame.deserialize() and Expr.deserialize() might execute arbitrary code coming from the deserialized data. Fixes #14623
pola-rs · Apr 2, 2024 · 299f73c · 299f73c
1 parent 8f616b8
commit 299f73c
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 0 deletions.
diff --git a/py-polars/polars/expr/expr.py b/py-polars/polars/expr/expr.py
@@ -344,6 +344,13 @@ def deserialize(cls, source: str | Path | IOBase) -> Self:
             objects that have a `read()` method, such as a file handler (e.g.
             via builtin `open` function) or `BytesIO`).
 
+        Warnings
+        --------
+            This function uses :mod:`pickle` under some circumstances, and as
+            such inherits the security implications. Deserializing can execute
+            arbitrary code so it should only be attempted on trusted data.
+            Currently, pickle will be used when serializing UDF.
+
         See Also
         --------
         Expr.meta.serialize

diff --git a/py-polars/polars/lazyframe/frame.py b/py-polars/polars/lazyframe/frame.py
@@ -617,6 +617,14 @@ def deserialize(cls, source: str | Path | IOBase) -> Self:
             objects that have a `read()` method, such as a file handler (e.g.
             via builtin `open` function) or `BytesIO`).
 
+        Warnings
+        --------
+            This function uses :mod:`pickle` under some circumstances, and as
+            such inherits the security implications. Deserializing can execute
+            arbitrary code so it should only be attempted on trusted data.
+            Currently, pickle will be used when serializing UDF.
+
+
         See Also
         --------
         LazyFrame.serialize