== How to fix it in Python Standard Library

=== Code examples

The following code is vulnerable to deserialization attacks because it
deserializes HTTP data without validating it first.

==== Noncompliant code example

[source,python,diff-id=1,diff-type=noncompliant]
----
from flask import Flask, request
from base64 import b64decode
import pickle

app = Flask(__name__)

@app.route("/example")
def example():
    objstr = b64decode(request.args.get("object"))
    obj = pickle.loads(objstr)
    return str(obj.status == "OK")
----

==== Compliant solution

[source,python,diff-id=1,diff-type=compliant]
----
from flask import Flask, request
import json

app = Flask(__name__)

@app.route("/example")
def example():
    obj = json.loads(request.args.get("object"))
    return str(obj["status"] == "OK")
----

=== How does this work?

include::../../common/fix/introduction.adoc[]

include::../../common/fix/safer-serialization.adoc[]

include::../../common/fix/integrity-check.adoc[]