Draft
Conversation
Replace unsafe pickle.loads() deserialization with JSON-based serialization in the record cache encrypt/decrypt path. Pickle deserialization of attacker-influenced data is a known RCE vector. The fix adds Record/KeeperFile to-dict/from-dict helpers that base64-encode bytes fields (record_key_bytes, file_data) and reconstruct full SDK object instances via object.__new__() to bypass __init__ (which expects encrypted server data). All 33 Ansible tests pass including 6 cache round-trip tests.
stas-schaller
force-pushed
the
release/integration/ansible/v1.5.0
branch
from
3764ddf to
a44f0da
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Release branch for Keeper Secrets Manager Ansible v1.5.0.
Security
pickledeserialization with JSON in the record cache encrypt/decrypt path.pickle.loads()on attacker-influenced data is a known RCE vector. The fix serializesRecord/KeeperFileobjects to JSON-safe dicts (base64-encoding bytes fields) and reconstructs full SDK instances viaobject.__new__()on deserialization.