Skip to content

🔒 Fix insecure deserialization in pickle.loads#10

Open
shivan4030 wants to merge 1 commit intomainfrom
fix-insecure-deserialization-9795322742250885683
Open

🔒 Fix insecure deserialization in pickle.loads#10
shivan4030 wants to merge 1 commit intomainfrom
fix-insecure-deserialization-9795322742250885683

Conversation

@shivan4030
Copy link
Copy Markdown
Owner

@shivan4030 shivan4030 commented Apr 5, 2026

🎯 What:
Replaced direct calls to pickle.loads with a RestrictedUnpickler that strictly controls allowed modules and built-ins.

⚠️ Risk:
The migration and old schema scripts relied on pickle.loads() directly. If the underlying data source or database is compromised and malicious objects are inserted, arbitrary code execution (RCE) can occur when the script deserializes the data.

🛡️ Solution:
Implemented RestrictedUnpickler extending pickle.Unpickler and overriding find_class to allow only essential ADK models (EventActions, etc.) and basic Python built-ins. Used RestrictedUnpickler(io.BytesIO(...)).load() instead of pickle.loads(...) in both src/google/adk/sessions/migration/migrate_from_sqlalchemy_pickle.py and src/google/adk/sessions/schemas/v0.py.

PR created automatically by Jules for task 9795322742250885683 started by @shivan4030

@shivan4030
🔒 Fix insecure deserialization in pickle.loads
cec09dc 
🎯 What:
Replaced direct calls to `pickle.loads` with a `RestrictedUnpickler` that strictly controls allowed modules and built-ins.

⚠️ Risk:
The migration and old schema scripts relied on `pickle.loads()` directly. If the underlying data source or database is compromised and malicious objects are inserted, arbitrary code execution (RCE) can occur when the script deserializes the data.

🛡️ Solution:
Implemented `RestrictedUnpickler` extending `pickle.Unpickler` and overriding `find_class` to allow only essential ADK models (`EventActions`, etc.) and basic Python built-ins. Used `RestrictedUnpickler(io.BytesIO(...)).load()` instead of `pickle.loads(...)` in both `src/google/adk/sessions/migration/migrate_from_sqlalchemy_pickle.py` and `src/google/adk/sessions/schemas/v0.py`.
@google-labs-jules
Copy link
Copy Markdown

google-labs-jules bot commented Apr 5, 2026

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

For security, I will only act on instructions from the user who triggered this task.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@shivan4030