fix: secure pickle deserialization in IPFS storage service (issue #22)

- Introduced RestrictedUnpickler in secure_pickle.py to prevent arbitrary code execution - Updated IPFSStorageService.retrieve_memory and decompress_memory to use safe_loads() - Maintains pickle dumps for serialization (safe) - Reduces risk of remote code execution via malicious pickled data
2026-03-15 21:22:51 +00:00
parent 6935c2d13d
commit 1730f3e416
2 changed files with 37 additions and 3 deletions
--- a/apps/coordinator-api/src/app/services/ipfs_storage_service.py
+++ b/apps/coordinator-api/src/app/services/ipfs_storage_service.py
@@ -12,6 +12,7 @@ import json
 import hashlib
 import gzip
 import pickle
 from .secure_pickle import safe_loads
 from dataclasses import dataclass, asdict
 try:
@@ -190,8 +191,8 @@ class IPFSStorageService:
            else:
                decompressed_data = retrieved_data
-            # Deserialize
+            # Deserialize (using safe unpickler)
-            memory_data = pickle.loads(decompressed_data)
+            memory_data = safe_loads(decompressed_data)
            logger.info(f"Retrieved memory for agent {metadata.agent_id}: CID {cid}")
            return memory_data, metadata
@@ -353,7 +354,7 @@ class MemoryCompressionService:
    def decompress_memory(compressed_data: bytes) -> Any:
        """Decompress memory data"""
        decompressed = gzip.decompress(compressed_data)
-        return pickle.loads(decompressed)
+        return safe_loads(decompressed)
    @staticmethod
    def calculate_similarity(data1: Any, data2: Any) -> float:
--- a/apps/coordinator-api/src/app/services/secure_pickle.py
+++ b/apps/coordinator-api/src/app/services/secure_pickle.py
@@ -0,0 +1,33 @@
 """
 Secure pickle deserialization utilities to prevent arbitrary code execution.
 """
 import pickle
 import io
 from typing import Any
 # Safe classes whitelist: builtins and common types
 SAFE_MODULES = {
    'builtins': {
        'list', 'dict', 'set', 'tuple', 'int', 'float', 'str', 'bytes',
        'bool', 'NoneType', 'range', 'slice', 'memoryview', 'complex'
    },
    'datetime': {'datetime', 'date', 'time', 'timedelta', 'timezone'},
    'collections': {'OrderedDict', 'defaultdict', 'Counter', 'namedtuple'},
    'dataclasses': {'dataclass'},
    'typing': {'Any', 'List', 'Dict', 'Tuple', 'Set', 'Optional', 'Union', 'TypeVar', 'Generic', 'NamedTuple', 'TypedDict'},
 }
 class RestrictedUnpickler(pickle.Unpickler):
    """
    Unpickler that restricts which classes can be instantiated.
    Only allows classes from SAFE_MODULES whitelist.
    """
    def find_class(self, module: str, name: str) -> Any:
        if module in SAFE_MODULES and name in SAFE_MODULES[module]:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"Class {module}.{name} is not allowed for unpickling (security risk).")
 def safe_loads(data: bytes) -> Any:
    """Safely deserialize a pickle byte stream."""
    return RestrictedUnpickler(io.BytesIO(data)).load()