Merge commit from fork

adding security tests and a patch for the class pollution and remote code execution

Author: seperman

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 8.6.0
+current_version = 8.6.1
 commit = True
 tag = True
 tag_name = {new_version}

AUTHORS.md

@@ -75,3 +75,4 @@ Authors in order of the timeline of their contributions:
 - [dtorres-sf](https://github.com/dtorres-sf) for the fix for moving nested tables when using iterable_compare_func.
 - [Jim Cipar](https://github.com/jcipar) for the fix recursion depth limit when hashing numpy.datetime64
 - [Enji Cooper](https://github.com/ngie-eign) for converting legacy setuptools use to pyproject.toml
+- [Diogo Correia](https://github.com/diogotcorreia) for reporting security vulnerability in Delta and DeepDiff that could allow remote code execution.

CHANGELOG.md

@@ -1,5 +1,9 @@
 # DeepDiff Change log
 
+- v8-6-1
+    - Patched security vulnerability in the Delta class which was vulnerable to class pollution via its constructor, and when combined with a gadget available in DeltaDiff itself, it could lead to Denial of Service and Remote Code Execution (via insecure Pickle deserialization).
+
+
 - v8-6-0
     - Added Colored View thanks to @mauvilsa 
     - Added support for applying deltas to NamedTuple thanks to @paulsc 

CITATION.cff

@@ -5,6 +5,6 @@ authors:
   given-names: "Sep"
   orcid: "https://orcid.org/0009-0009-5828-4345"
 title: "DeepDiff"
-version: 8.6.0
+version: 8.6.1
 date-released: 2024
 url: "https://github.com/seperman/deepdiff"

README.md

@@ -1,4 +1,4 @@
-# DeepDiff v 8.6.0
+# DeepDiff v 8.6.1
 
 ![Downloads](https://img.shields.io/pypi/dm/deepdiff.svg?style=flat)
 ![Python Versions](https://img.shields.io/pypi/pyversions/deepdiff.svg?style=flat)
@@ -17,12 +17,15 @@
 
 Tested on Python 3.9+ and PyPy3.
 
-- **[Documentation](https://zepworks.com/deepdiff/8.6.0/)**
+- **[Documentation](https://zepworks.com/deepdiff/8.6.1/)**
 
 ## What is new?
 
 Please check the [ChangeLog](CHANGELOG.md) file for the detailed information.
 
+DeepDiff 8-6-1
+- Patched security vulnerability in the Delta class which was vulnerable to class pollution via its constructor, and when combined with a gadget available in DeltaDiff itself, it could lead to Denial of Service and Remote Code Execution (via insecure Pickle deserialization).
+
 DeepDiff 8-6-0
 
 - Added Colored View thanks to @mauvilsa 

deepdiff/__init__.py

@@ -1,6 +1,6 @@
 """This module offers the DeepDiff, DeepSearch, grep, Delta and DeepHash classes."""
 # flake8: noqa
-__version__ = '8.6.0'
+__version__ = '8.6.1'
 import logging
 
 if __name__ == '__main__':

deepdiff/delta.py

@@ -17,7 +17,7 @@
 )
 from deepdiff.path import (
     _path_to_elements, _get_nested_obj, _get_nested_obj_and_force,
-    GET, GETATTR, parse_path, stringify_path,
+    GET, GETATTR, check_elem, parse_path, stringify_path,
 )
 from deepdiff.anyset import AnySet
 from deepdiff.summarize import summarize
@@ -237,6 +237,11 @@ def _get_elem_and_compare_to_old_value(
         forced_old_value=None,
         next_element=None,
     ):
+        try:
+            check_elem(elem)
+        except ValueError as error:
+            self._raise_or_log(UNABLE_TO_GET_ITEM_MSG.format(path_for_err_reporting, error))
+            return not_found
         # if forced_old_value is not None:
         try:
             if action == GET:
@@ -536,6 +541,7 @@ def _get_elements_and_details(self, path):
                 obj = self
                 # obj = self.get_nested_obj(obj=self, elements=elements[:-1])
             elem, action = elements[-1]  # type: ignore
+            check_elem(elem)
         except Exception as e:
             self._raise_or_log(UNABLE_TO_GET_ITEM_MSG.format(path, e))
             return None

deepdiff/path.py

@@ -117,6 +117,7 @@ def _path_to_elements(path, root_element=DEFAULT_FIRST_ELEMENT):
 
 def _get_nested_obj(obj, elements, next_element=None):
     for (elem, action) in elements:
+        check_elem(elem)
         if action == GET:
             obj = obj[elem]
         elif action == GETATTR:
@@ -134,11 +135,17 @@ def _guess_type(elements, elem, index, next_element):
     return {}
 
 
+def check_elem(elem):
+    if isinstance(elem, str) and elem.startswith("__") and elem.endswith("__"):
+        raise ValueError("traversing dunder attributes is not allowed")
+
+
 def _get_nested_obj_and_force(obj, elements, next_element=None):
     prev_elem = None
     prev_action = None
     prev_obj = obj
     for index, (elem, action) in enumerate(elements):
+        check_elem(elem)
         _prev_obj = obj
         if action == GET:
             try:

deepdiff/serialization.py

@@ -59,7 +59,7 @@ class UnsupportedFormatErr(TypeError):
 DELTA_IGNORE_ORDER_NEEDS_REPETITION_REPORT = 'report_repetition must be set to True when ignore_order is True to create the delta object.'
 DELTA_ERROR_WHEN_GROUP_BY = 'Delta can not be made when group_by is used since the structure of data is modified from the original form.'
 
-SAFE_TO_IMPORT = {
+SAFE_TO_IMPORT = frozenset({
     'builtins.range',
     'builtins.complex',
     'builtins.set',
@@ -95,7 +95,7 @@ class UnsupportedFormatErr(TypeError):
     'ipaddress.IPv4Address',
     'ipaddress.IPv6Address',
     'collections.abc.KeysView',
-}
+})
 
 
 TYPE_STR_TO_TYPE = {

docs/authors.rst

@@ -117,6 +117,7 @@ and polars support.
   limit when hashing numpy.datetime64
 - `Enji Cooper <https://github.com/ngie-eign>`__ for converting legacy
   setuptools use to pyproject.toml
+- `Diogo Correia <https://github.com/diogotcorreia>`__ for reporting security vulnerability in Delta and DeepDiff that could allow remote code execution.
 
 
 .. _Sep Dehpour (Seperman): http://www.zepworks.com