
Release KSM Ansible v1.5.0#982

Draft
stas-schaller wants to merge 4 commits into master from release/integration/ansible/v1.5.0

Conversation

@stas-schaller
Contributor

Summary

Release branch for Keeper Secrets Manager Ansible v1.5.0.

Security

  • APPSEC-9: Replace unsafe pickle deserialization with JSON in the record cache encrypt/decrypt path. pickle.loads() on attacker-influenced data is a known RCE vector. The fix serializes Record/KeeperFile objects to JSON-safe dicts (base64-encoding bytes fields) and reconstructs full SDK instances via object.__new__() on deserialization.

Replace unsafe pickle.loads() deserialization with JSON-based
serialization in the record cache encrypt/decrypt path. Pickle
deserialization of attacker-influenced data is a known RCE vector.

The fix adds Record/KeeperFile to-dict/from-dict helpers that
base64-encode bytes fields (record_key_bytes, file_data) and
reconstruct full SDK object instances via object.__new__() to
bypass __init__ (which expects encrypted server data).

All 33 Ansible tests pass including 6 cache round-trip tests.
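The pickle-to-JSON cache change described above, as an added example that is not the Keeper Secrets Manager code: a hypothetical `Record` class stands in for the SDK's (its `__init__` expects encrypted server data), instances are serialized to a JSON-safe dict with base64-encoded bytes fields and rebuilt via `object.__new__()`. The field names and the `encode_cache`/`decode_cache` helpers are assumptions, and the cache encryption layer that wraps the bytes is left out.

```python
import base64
import json


class Record:
    """Hypothetical stand-in for the SDK class; __init__ wants server data."""

    FIELDS = ("uid", "title", "record_key_bytes", "raw_json")
    BYTES_FIELDS = ("record_key_bytes",)

    def __init__(self, encrypted_server_data, app_key):
        raise NotImplementedError("Record() needs encrypted server data")


def record_to_dict(rec):
    """JSON-safe dict: only known fields, bytes fields base64-encoded."""
    out = {}
    for name in Record.FIELDS:
        value = getattr(rec, name)
        if name in Record.BYTES_FIELDS:
            value = base64.b64encode(value).decode("ascii")
        out[name] = value
    return out


def record_from_dict(data):
    """Rebuild a Record without calling __init__; unknown keys are rejected."""
    unknown = set(data) - set(Record.FIELDS)
    if unknown:
        raise ValueError(f"unexpected cache fields: {sorted(unknown)}")
    rec = object.__new__(Record)  # bypass __init__, as the fix describes
    for name in Record.FIELDS:
        value = data[name]
        if name in Record.BYTES_FIELDS:
            value = base64.b64decode(value, validate=True)
        setattr(rec, name, value)
    return rec


def encode_cache(records):
    """Serialize records to bytes; the cache encryption layer wraps these."""
    return json.dumps([record_to_dict(r) for r in records]).encode("utf-8")


def decode_cache(blob):
    # json.loads() yields only dicts/lists/str/numbers, never live objects,
    # so a tampered cache cannot reach code execution the way pickle could.
    return [record_from_dict(d) for d in json.loads(blob.decode("utf-8"))]
```

Rejecting unknown keys keeps a tampered cache from planting arbitrary attributes on the rebuilt object, which `setattr` over a free-form dict would otherwise allow.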
@stas-schaller stas-schaller force-pushed the release/integration/ansible/v1.5.0 branch from 3764ddf to a44f0da on April 9, 2026 19:38