Skip to content

Address recent security reports #195

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
thomas-chauchefoin-tob merged 11 commits into from
Jan 9, 2026
+334 −37
Merged

Address recent security reports #195

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
cd5aa97
Add runpy to unsafe modules
thomas-chauchefoin-tob Jan 7, 2026
e011d29
Add cProfile to unsafe imports
thomas-chauchefoin-tob Jan 7, 2026
d1e2e38
Add pydoc and ctypes to unsafe imports
thomas-chauchefoin-tob Jan 7, 2026
4ab3685
Add missing reference to GHSA-q5qq-mvfm-j35x in test_missing_runpy()
thomas-chauchefoin-tob Jan 7, 2026
7dff6ba
Check the root module name during unsafe import detection
thomas-chauchefoin-tob Jan 8, 2026
2eb9658
Add importlib, code and multiprocessing to unsafe modules
thomas-chauchefoin-tob Jan 8, 2026
3eb6e38
Simplify test case for GHSA-5hvc-6wx8-mvv4 so it doesn't import Excep…
thomas-chauchefoin-tob Jan 8, 2026
bc2a163
UnsafeImportsML should return an AnalysisResult
thomas-chauchefoin-tob Jan 8, 2026
bed62ad
Emit AST nodes for builtins imports
thomas-chauchefoin-tob Jan 9, 2026
595d7bb
Check all components of package imports against the blocklist
thomas-chauchefoin-tob Jan 9, 2026
c484270
Pass failing linter check
thomas-chauchefoin-tob Jan 9, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 6 additions & 1 deletion fickling/analysis.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -275,7 +275,12 @@ def analyze(self, context: AnalysisContext) -> Iterator[AnalysisResult]:
# NOTE(boyan): Special case with eval?
# Copy pasted from pickled.unsafe_imports() original implementation
elif "eval" in (n.name for n in node.names):
yield node
yield AnalysisResult(
Severity.LIKELY_OVERTLY_MALICIOUS,
f"`{shortened}` imports `eval` which can execute arbitrary code",
"UnsafeImportsML",
trigger=shortened,
)


class BadCalls(Analysis):
Expand Down
67 changes: 33 additions & 34 deletions fickling/fickle.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,30 @@
OPCODES_BY_NAME: dict[str, type[Opcode]] = {}
OPCODE_INFO_BY_NAME: dict[str, OpcodeInfo] = {opcode.name: opcode for opcode in opcodes}

UNSAFE_IMPORTS: frozenset[str] = frozenset(
[
"__builtin__",
"__builtins__",
"builtins",
"os",
"posix",
"nt",
"subprocess",
"sys",
"socket",
"pty",
"marshal",
"types",
"runpy",
"cProfile",
"ctypes",
"pydoc",
"importlib",
"code",
"multiprocessing",
]
)


def is_std_module(module_name: str) -> bool:
return in_stdlib(module_name) or module_name in BUILTIN_MODULE_NAMES
Expand Down Expand Up @@ -864,20 +888,8 @@ def is_likely_safe(self):

def unsafe_imports(self) -> Iterator[ast.Import | ast.ImportFrom]:
for node in self.properties.imports:
if node.module in (
"__builtin__",
"__builtins__",
"builtins",
"os",
"posix",
"nt",
"subprocess",
"sys",
"builtins",
"socket",
"pty",
"marshal",
"types",
if node.module and any(
component in UNSAFE_IMPORTS for component in node.module.split(".")
):
yield node
elif "eval" in (n.name for n in node.names):
Expand Down Expand Up @@ -1103,12 +1115,8 @@ def attr(self) -> str:

def run(self, interpreter: Interpreter):
module, attr = self.module, self.attr
if module in ("__builtin__", "__builtins__", "builtins"):
# no need to emit an import for builtins!
pass
else:
alias = ast.alias(attr)
interpreter.module_body.append(ast.ImportFrom(module=module, names=[alias], level=0))
alias = ast.alias(attr)
interpreter.module_body.append(ast.ImportFrom(module=module, names=[alias], level=0))
interpreter.stack.append(ast.Name(attr, ast.Load()))

def encode(self) -> bytes:
Expand Down Expand Up @@ -1153,19 +1161,14 @@ def run(self, interpreter: Interpreter):
f"Module: {type(module).__name__}, Attr: {type(attr).__name__}"
)

if not module.isidentifier() or not attr.isidentifier():
if not all(m.isidentifier() for m in module.split(".")) or not attr.isidentifier():
raise ValueError(
f"Extracted identifiers are not valid Python identifiers. "
f"Module: {module!r}, Attr: {attr!r}"
)

# Continue with normal processing
if module in ("__builtin__", "__builtins__", "builtins"):
# no need to emit an import for builtins!
pass
else:
alias = ast.alias(attr)
interpreter.module_body.append(ast.ImportFrom(module=module, names=[alias], level=0))
alias = ast.alias(attr)
interpreter.module_body.append(ast.ImportFrom(module=module, names=[alias], level=0))
interpreter.stack.append(ast.Name(attr, ast.Load()))


Expand All @@ -1187,12 +1190,8 @@ def cls(self) -> str:

def run(self, interpreter: Interpreter, stack_slice: List[ast.expr]):
module, classname = self.module, self.cls
if module in ("__builtin__", "__builtins__", "builtins"):
# no need to emit an import for builtins!
pass
else:
alias = ast.alias(classname)
interpreter.module_body.append(ast.ImportFrom(module=module, names=[alias], level=0))
alias = ast.alias(classname)
interpreter.module_body.append(ast.ImportFrom(module=module, names=[alias], level=0))
args = ast.Tuple(tuple(stack_slice))
call = ast.Call(ast.Name(classname, ast.Load()), list(args.elts), [])
var_name = interpreter.new_variable(call)
Expand Down
Loading
Loading