Blacklist pandas read_pickle and add functional test for it (#710)

* Blacklist pandas read_pickle and add functional test for it

* Update test-requirements.txt

* Update test_functional.py

* Update test_functional.py

Co-authored-by: Jasper Sival <jasper.sival@rabobank.com>
Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>

bandit/blacklists/calls.py

@@ -35,6 +35,7 @@
 |      |                     | - jsonpickle.decode                |           |
 |      |                     | - jsonpickle.unpickler.decode      |           |
 |      |                     | - jsonpickle.unpickler.Unpickler   |           |
+|      |                     | - pandas.read_pickle               |           |
 +------+---------------------+------------------------------------+-----------+
 
 B302: marshal
@@ -358,6 +359,7 @@ def gen_blacklist():
                 "jsonpickle.decode",
                 "jsonpickle.unpickler.decode",
                 "jsonpickle.unpickler.Unpickler",
+                "pandas.read_pickle",
             ],
             "Pickle and modules that wrap it can be unsafe when used to "
             "deserialize untrusted data, possible security issue.",

examples/pandas_read_pickle.py

@@ -0,0 +1,12 @@
+import pickle
+import pandas as pd
+
+
+df = pd.DataFrame(
+    {
+        "col_A": [1, 2]
+    }
+)
+pick = pickle.dumps(df)
+
+print(pd.read_pickle(pick))

tests/functional/test_functional.py

@@ -377,6 +377,14 @@ def test_jsonpickle(self):
         }
         self.check_example("jsonpickle.py", expect)
 
+    def test_pandas_read_pickle(self):
+        """Test for the `pandas.read_pickle` module."""
+        expect = {
+            "SEVERITY": {"UNDEFINED": 0, "LOW": 1, "MEDIUM": 1, "HIGH": 0},
+            "CONFIDENCE": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 0, "HIGH": 2},
+        }
+        self.check_example("pandas_read_pickle.py", expect)
+
     def test_popen_wrappers(self):
         """Test the `popen2` and `commands` modules."""
         expect = {