Implement safe deserialization #128
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Summary: Python's pickle package is susceptible to RCE attacks in deserialization (using `pickle.loads()`). This diff implements a restriced Unpickler that checks input classes for loaded objects / functions, and rejects them if they are not within a "safe set". Also allows users to register new safe types that can be sent as objects. Also updated objects send / recv / broadcast tests to communicate several types of safe standard / custom objects, and tests that invalid objects are rejected. This is a 2nd attempt at D21574976, which I plan to abandon since it does not allow torch tensors to be communicated. Differential Revision: D21745034 fbshipit-source-id: 9e7e38cbd8a2d5059cf04d1a945a0efd05a8bf58
facebook-github-bot
added
CLA Signed
|
This pull request was exported from Phabricator. Differential Revision: D21745034 |
facebook-github-bot
pushed a commit
that referenced
this pull request
Jun 10, 2020
Summary: Pull Request resolved: #128 Pull Request resolved: fairinternal/CrypTen#208 Python's pickle package is susceptible to RCE attacks in deserialization (using `pickle.loads()`). This diff implements a restriced Unpickler that checks input classes for loaded objects / functions, and rejects them if they are not within a "safe set". Also allows users to register new safe types that can be sent as objects. Also updated objects send / recv / broadcast tests to communicate several types of safe standard / custom objects, and tests that invalid objects are rejected. This is a 2nd attempt at D21574976, which I plan to abandon since it does not allow torch tensors to be communicated. Reviewed By: Cictrone Differential Revision: D21745034 fbshipit-source-id: 560c69a14e05c8e126b0e5fbac77bb80210e296b
tanjuntao
pushed a commit
to tanjuntao/CrypTen
that referenced
this pull request
Nov 27, 2023
Summary: Pull Request resolved: fairinternal/CrypTen#128 Fix syntax error Reviewed By: vshobha Differential Revision: D17840642 fbshipit-source-id: 66018c4f8d8014b19e9ef4bcee1f6c956aaf3bec
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary:
Python's pickle package is susceptible to RCE attacks in deserialization (using
pickle.loads()).This diff implements a restriced Unpickler that checks input classes for loaded objects / functions, and rejects them if they are not within a "safe set".
Also allows users to register new safe types that can be sent as objects.
Also updated objects send / recv / broadcast tests to communicate several types of safe standard / custom objects, and tests that invalid objects are rejected.
This is a 2nd attempt at D21574976, which I plan to abandon since it does not allow torch tensors to be communicated.
Differential Revision: D21745034