- Avoid `UnsafePointer` unless absolutely necessary; prefer safe collection types (`DynamicVector`, `Tensor`) which perform bounds checking.
- Never dereference an `UnsafePointer` obtained from Python interop without validating that the pointer is non-null and the pointed-to type is correct.
- Validate all external inputs (file paths, network data, user strings) before passing them into `fn` functions that assume valid, typed data.
- Treat Python interop boundaries as trust boundaries — any value received via `Python.import_module` or `PythonObject` must be type-checked before casting to a Mojo type.
- Zero sensitive data (keys, passwords) stored in `DynamicVector` or raw buffers before dropping the variable — the compiler may not guarantee zeroing on deallocation.
- Limit the scope of `UnsafePointer` usage to the smallest possible function; wrap unsafe blocks in a safe public API that enforces invariants.
- Prefer `borrowed` over `owned` or raw pointer arguments for read-only data to prevent accidental mutation of caller-owned memory.
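
The sketch below is an added example, not code from the original page. It combines three of the points above: raw-pointer use confined to one small type, bounds checks on every access, and zeroing before the memory is released. `SecretBuffer` and its methods are hypothetical names, and the syntax assumes a Mojo release that uses the `inout`/`owned` keywords and exports `UnsafePointer` and `memset_zero` from `memory`.

```mojo
from memory import UnsafePointer, memset_zero


struct SecretBuffer:
    """Hypothetical wrapper: owns a raw byte buffer and never exposes the pointer."""

    var _data: UnsafePointer[UInt8]
    var _size: Int

    fn __init__(inout self, size: Int) raises:
        if size <= 0:
            raise Error("size must be positive")
        self._data = UnsafePointer[UInt8].alloc(size)
        self._size = size
        memset_zero(self._data, size)  # never hand out uninitialized memory

    fn __del__(owned self):
        # Wipe before freeing: deallocation alone does not clear the bytes.
        memset_zero(self._data, self._size)
        self._data.free()

    fn __len__(self) -> Int:
        return self._size

    fn get(self, index: Int) raises -> UInt8:
        self._check(index)
        return self._data[index]

    fn set(inout self, index: Int, value: UInt8) raises:
        self._check(index)
        self._data[index] = value

    fn _check(self, index: Int) raises:
        # The invariant every unsafe access in this type relies on.
        if index < 0 or index >= self._size:
            raise Error("index out of range")


fn main() raises:
    var key = SecretBuffer(4)
    for i in range(len(key)):
        key.set(i, UInt8(0xA0 + i))  # constructed sample bytes, not a real key
    print(key.get(3))
    try:
        _ = key.get(4)  # one past the end: must be rejected, not read
    except e:
        print("rejected:", e)
```

Callers only ever see `get`, `set` and `len`, so the pointer arithmetic that needs auditing stays inside this one struct.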