Restrict pickle class loading for .localstate deserialization#585
Merged
Conversation
ibrhmch
previously approved these changes
May 11, 2026
scheenk
previously approved these changes
May 11, 2026
lazarben
approved these changes
May 11, 2026
shinmc
previously approved these changes
May 11, 2026
nikita-khapre
previously approved these changes
May 11, 2026
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
NaimShaqqou
approved these changes
May 12, 2026
praegt
dismissed stale reviews from github-actions[bot], nikita-khapre, shinmc, scheenk, and ibrhmch
via
a983edd
praegt
force-pushed
the
fix/restrict-pickle-deserialization
branch
from
af34e42 to
a983edd
Compare
lazarben
approved these changes
May 13, 2026
nikita-khapre
approved these changes
May 13, 2026
NaimShaqqou
approved these changes
May 13, 2026
ibrhmch
approved these changes
May 13, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
7 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Replace the unvalidated
cPickle.loads()call inLocalState.loads()with a_SafeUnpicklerthat uses a strict class allowlist. OnlyLocalState,EnvvarCollector, andsetare permitted during deserialization. Any other class raisesUnpicklingError, which is caught and returns an emptyLocalState.The serialization format remains pickle, so there is no behavioral change for existing
.localstatefiles.Testing
test_loads_rejects_unlisted_classandtest_dumps_loads_roundtrip)tests/unit/containers/andtests/unit/operations/eb local printenvandeb local setenvcommandsRelease
Includes version bump to 3.27.2.