oib/aitbc
1
0
Fork 0
Code Issues Pull Requests Actions 6 Packages Projects Releases Wiki Activity

Secure pickle deserialization in IPFS storage (issue #22) #27

Merged
oib merged 2 commits from 22-pickle-security into main 2026-03-15 22:33:13 +01:00
Conversation 1 Commits 2 Files Changed 3 +40 -5
aitbc commented 2026-03-15 22:23:04 +01:00
Collaborator
Copy Link

Replaces raw pickle.loads with a restricted unpickler to prevent arbitrary code execution.

  • Added secure_pickle.py with RestrictedUnpickler and safe_loads()
  • Updated IPFSStorageService.retrieve_memory and decompress_memory to use safe_loads()
  • Pickle dumps remain for serialization (safe)

Impact: Mitigates RCE risk from malicious IPFS payloads. Maintains compatibility with stored memory types builtins, datetime, dataclasses, typing, etc.

Fixes #22

Replaces raw pickle.loads with a restricted unpickler to prevent arbitrary code execution. - Added secure_pickle.py with RestrictedUnpickler and safe_loads() - Updated IPFSStorageService.retrieve_memory and decompress_memory to use safe_loads() - Pickle dumps remain for serialization (safe) Impact: Mitigates RCE risk from malicious IPFS payloads. Maintains compatibility with stored memory types builtins, datetime, dataclasses, typing, etc. Fixes #22
aitbc added 1 commit 2026-03-15 22:23:04 +01:00
fix: secure pickle deserialization in IPFS storage service (issue #22)
Some checks failed
AITBC CI/CD Pipeline / lint-and-test (3.11) (pull_request) Has been cancelled
Details
AITBC CI/CD Pipeline / lint-and-test (3.12) (pull_request) Has been cancelled
Details
AITBC CI/CD Pipeline / lint-and-test (3.13) (pull_request) Has been cancelled
Details
Security Scanning / Bandit Security Scan (apps/coordinator-api/src) (pull_request) Has been cancelled
Details
Security Scanning / Bandit Security Scan (cli/aitbc_cli) (pull_request) Has been cancelled
Details
Security Scanning / Bandit Security Scan (packages/py/aitbc-core/src) (pull_request) Has been cancelled
Details
Security Scanning / Bandit Security Scan (packages/py/aitbc-crypto/src) (pull_request) Has been cancelled
Details
Security Scanning / Bandit Security Scan (packages/py/aitbc-sdk/src) (pull_request) Has been cancelled
Details
Security Scanning / Bandit Security Scan (tests) (pull_request) Has been cancelled
Details
Security Scanning / CodeQL Security Analysis (javascript) (pull_request) Has been cancelled
Details
Security Scanning / CodeQL Security Analysis (python) (pull_request) Has been cancelled
Details
Security Scanning / Dependency Security Scan (pull_request) Has been cancelled
Details
Security Scanning / Container Security Scan (pull_request) Has been cancelled
Details
Security Scanning / OSSF Scorecard (pull_request) Has been cancelled
Details
AITBC CI/CD Pipeline / test-cli (pull_request) Has been cancelled
Details
AITBC CI/CD Pipeline / test-services (pull_request) Has been cancelled
Details
AITBC CI/CD Pipeline / test-production-services (pull_request) Has been cancelled
Details
AITBC CI/CD Pipeline / security-scan (pull_request) Has been cancelled
Details
AITBC CI/CD Pipeline / build (pull_request) Has been cancelled
Details
AITBC CI/CD Pipeline / deploy-staging (pull_request) Has been cancelled
Details
AITBC CI/CD Pipeline / deploy-production (pull_request) Has been cancelled
Details
AITBC CI/CD Pipeline / performance-test (pull_request) Has been cancelled
Details
AITBC CI/CD Pipeline / docs (pull_request) Has been cancelled
Details
AITBC CI/CD Pipeline / release (pull_request) Has been cancelled
Details
AITBC CI/CD Pipeline / notify (pull_request) Has been cancelled
Details
Security Scanning / Security Summary Report (pull_request) Has been cancelled
Details
1730f3e416 
- Introduced RestrictedUnpickler in secure_pickle.py to prevent arbitrary code execution
- Updated IPFSStorageService.retrieve_memory and decompress_memory to use safe_loads()
- Maintains pickle dumps for serialization (safe)
- Reduces risk of remote code execution via malicious pickled data
oib added 1 commit 2026-03-15 22:23:51 +01:00
fix: also secure pickle in translation_cache.py
Some checks failed
AITBC CI/CD Pipeline / lint-and-test (3.11) (pull_request) Has been cancelled
Details
AITBC CI/CD Pipeline / lint-and-test (3.12) (pull_request) Has been cancelled
Details
AITBC CI/CD Pipeline / lint-and-test (3.13) (pull_request) Has been cancelled
Details
Security Scanning / Bandit Security Scan (apps/coordinator-api/src) (pull_request) Has been cancelled
Details
Security Scanning / Bandit Security Scan (cli/aitbc_cli) (pull_request) Has been cancelled
Details
Security Scanning / Bandit Security Scan (packages/py/aitbc-core/src) (pull_request) Has been cancelled
Details
Security Scanning / Bandit Security Scan (packages/py/aitbc-crypto/src) (pull_request) Has been cancelled
Details
Security Scanning / Bandit Security Scan (packages/py/aitbc-sdk/src) (pull_request) Has been cancelled
Details
Security Scanning / Bandit Security Scan (tests) (pull_request) Has been cancelled
Details
Security Scanning / CodeQL Security Analysis (javascript) (pull_request) Has been cancelled
Details
Security Scanning / CodeQL Security Analysis (python) (pull_request) Has been cancelled
Details
Security Scanning / Dependency Security Scan (pull_request) Has been cancelled
Details
Security Scanning / Container Security Scan (pull_request) Has been cancelled
Details
Security Scanning / OSSF Scorecard (pull_request) Has been cancelled
Details
AITBC CI/CD Pipeline / test-cli (pull_request) Has been cancelled
Details
AITBC CI/CD Pipeline / test-services (pull_request) Has been cancelled
Details
AITBC CI/CD Pipeline / test-production-services (pull_request) Has been cancelled
Details
AITBC CI/CD Pipeline / security-scan (pull_request) Has been cancelled
Details
AITBC CI/CD Pipeline / build (pull_request) Has been cancelled
Details
AITBC CI/CD Pipeline / deploy-staging (pull_request) Has been cancelled
Details
AITBC CI/CD Pipeline / deploy-production (pull_request) Has been cancelled
Details
AITBC CI/CD Pipeline / performance-test (pull_request) Has been cancelled
Details
AITBC CI/CD Pipeline / docs (pull_request) Has been cancelled
Details
AITBC CI/CD Pipeline / release (pull_request) Has been cancelled
Details
AITBC CI/CD Pipeline / notify (pull_request) Has been cancelled
Details
Security Scanning / Security Summary Report (pull_request) Has been cancelled
Details
cf5684f596
aitbc commented 2026-03-15 22:30:51 +01:00
Author
Collaborator
Copy Link

Please review. (@aitbc)

Please review. (@aitbc)
oib merged commit 0cf7971bfb into main 2026-03-15 22:33:13 +01:00
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
Clear labels
bug
feature
good-first-task-for-agent
refactor
security
task
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
aitbc aitbc1 gitea-runner oib
No Assignees
2 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: oib/aitbc#27
No description provided.
Delete Branch "22-pickle-security"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?