Description
The use of pickle.loads() here for data with the MIME type "application/x-DataItem" (originating from VarListWidget) presents a potential security and robustness concern. While the data is internally generated, pickle can execute arbitrary code if the pickled data is crafted maliciously. If the source data files (.bin, .txt, .csv, .parquet) could be manipulated to inject malicious pickle payloads through the DataItem objects, this could be an attack vector.
Given that for the CustomPlotItem drag-and-drop, you've used mime_data.setText() and mime_data.setData() with QByteArray (which is generally safer), was there a specific reason pickle was chosen for DataItem?
Consider if a safer serialization method could be used for DataItem objects, such as:
- Serializing to JSON (if DataItem attributes are simple enough).
- Transferring necessary attributes individually via QMimeData::setData() with distinct keys if the object isn't too complex.
This would align the safety profile of both drag-and-drop paths.
Originally posted by @gemini-code-assist[bot] in #2 (comment)
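
The JSON option suggested in the comment above, sketched as an added example (not part of the original comment or the project's code). The `DataItem` fields, the size cap and the function names are assumptions, since the issue does not show the real class; the returned bytes are what would be passed to `QMimeData.setData()` under the "application/x-DataItem" MIME type.

```python
import json
from dataclasses import dataclass, asdict

MIME_TYPE = "application/x-DataItem"  # MIME type named in the issue
MAX_PAYLOAD = 64 * 1024               # assumed size cap for a drag payload


@dataclass(frozen=True)
class DataItem:
    # Hypothetical fields; the real DataItem attributes are not shown in the issue.
    var_name: str
    file_path: str
    column: int


# Exact key set and exact types accepted on the drop side.
_FIELDS = {"var_name": str, "file_path": str, "column": int}


def encode_data_item(item: DataItem) -> bytes:
    """Drag side: bytes to wrap in a QByteArray for QMimeData.setData(MIME_TYPE, ...)."""
    return json.dumps(asdict(item), separators=(",", ":")).encode("utf-8")


def decode_data_item(payload: bytes) -> DataItem:
    """Drop side: parse bytes from QMimeData.data(MIME_TYPE); ValueError on anything unexpected."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload too large")
    try:
        obj = json.loads(payload.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError, RecursionError) as exc:
        raise ValueError("payload is not valid UTF-8 JSON") from exc
    if not isinstance(obj, dict) or set(obj) != set(_FIELDS):
        raise ValueError("unexpected structure or keys")
    for name, expected in _FIELDS.items():
        # Exact type match: bool is a subclass of int and must not pass as one.
        if type(obj[name]) is not expected:
            raise ValueError(f"field {name!r} has wrong type")
    return DataItem(**obj)
```

Unlike `pickle.loads()`, the decoder only ever builds a `DataItem` from three validated scalar values, so a payload that is not the expected JSON object is rejected instead of being interpreted.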