#  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
#  SPDX-License-Identifier: Apache-2.0

# {fact rule=untrusted-deserialization@v1.0 defects=1}
def untrusted_deserialization_noncompliant():
    """Decode a jsonpickle document read from standard input, unchecked.

    This is the noncompliant half of the rule's example pair. The text
    returned by ``input`` goes straight into ``jsonpickle.decode`` with no
    check in between, so the party supplying the input chooses what the
    decoder is asked to reconstruct. jsonpickle's own documentation states
    that decoding data from an untrusted source can run arbitrary Python
    code.

    Returns:
        Whatever ``jsonpickle.decode`` produces for the supplied text.
    """
    import jsonpickle

    # Noncompliant: Untrusted object deserialized without validation.
    return jsonpickle.decode(input("user"))
# {/fact}


# {fact rule=untrusted-deserialization@v1.0 defects=0}
def untrusted_deserialization_compliant():
    """Decode standard-input text only when it equals an allow-list entry.

    This is the compliant half of the rule's example pair. The decoder is
    reached only after the input passes a membership test against a fixed
    list of permitted values.

    NOTE(review): the test compares the *entire* input string with the
    allow-list entries, so only those two literal strings can ever reach
    ``jsonpickle.decode``. It does not look at type tags (for example
    ``py/object``) inside a JSON document. Code that must accept real
    payloads would need to check the classes a payload names against the
    allow-list before decoding -- confirm the intended semantics.

    Returns:
        The decoded value when the input matched an entry, otherwise
        ``None``.
    """
    import jsonpickle

    permitted_values = ['example_module1', 'example_module2']
    candidate = input("user")
    # Compliant: Untrusted object is validated before deserialization.
    if candidate not in permitted_values:
        # Rejected input never reaches the decoder.
        return None
    return jsonpickle.decode(candidate)
# {/fact}