docs(python): Add security warning in LazyFrame.deserialize() docstri…

…ng (#15282) Co-authored-by: Ritchie Vink <[email protected]>
pola-rs · Apr 13, 2024 · ded6302 · ded6302
1 parent 0f4b946
commit ded6302
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 0 deletions.
diff --git a/py-polars/polars/expr/expr.py b/py-polars/polars/expr/expr.py
@@ -344,6 +344,13 @@ def deserialize(cls, source: str | Path | IOBase) -> Self:
             objects that have a `read()` method, such as a file handler (e.g.
             via builtin `open` function) or `BytesIO`).
 
+        Warnings
+        --------
+            This function uses :mod:`pickle` under some circumstances, and as
+            such inherits the security implications. Deserializing can execute
+            arbitrary code so it should only be attempted on trusted data.
+            pickle is only used when the logical plan contains python UDFs.
+
         See Also
         --------
         Expr.meta.serialize

diff --git a/py-polars/polars/lazyframe/frame.py b/py-polars/polars/lazyframe/frame.py
@@ -357,6 +357,14 @@ def deserialize(cls, source: str | Path | IOBase) -> Self:
             objects that have a `read()` method, such as a file handler (e.g.
             via builtin `open` function) or `BytesIO`).
 
+        Warnings
+        --------
+            This function uses :mod:`pickle` under some circumstances, and as
+            such inherits the security implications. Deserializing can execute
+            arbitrary code so it should only be attempted on trusted data.
+            pickle is only used when the logical plan contains python UDFs.
+
+
         See Also
         --------
         LazyFrame.serialize