Add security warning for RQ pickle serializer (CWE-502) (#843)

mitchh456 · claude · pre-commit-ci[bot] · web-flow · commit eb7c0e5abdea · 2026-04-06T15:34:48.000-06:00
* Use Job.id property instead of removed get_id() method rq v2.7 refactored Job.id from `id = property(get_id, set_id)` to a `@property` decorator, removing get_id() as a callable method. Job.id has been available since rq v0.5.0 so this is backwards compatible. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Support FastMCP 3.x while maintaining 2.x backwards compatibility FastMCP 3.0 replaced private _call_tool_mcp()/_list_tools_mcp() with public call_tool()/list_tools() methods, and changed get_tool() to return None instead of raising when a tool is not found. - Update instrumentation to handle get_tool() returning None - Update tests with compat helpers that use the correct API based on the installed fastmcp version - Remove the fastmcp<3 version pin from tox.ini (no longer needed) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Add security warning when RQ uses default pickle serializer Addresses CVE concern (CWE-502) where RQ's default pickle serializer can enable RCE via Redis. Scout's own code does not use pickle, but this warning helps users identify the risk in their RQ configuration. Closes #842 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
diff --git a/src/scout_apm/rq.py b/src/scout_apm/rq.py
@@ -57,6 +57,21 @@ def ensure_job_instrumented():
     job_instrumented = True
     Job.perform = wrap_perform(Job.perform)
 
+    try:
+        import pickle
+
+        from rq.serializers import DefaultSerializer
+
+        if getattr(DefaultSerializer, "dumps", None) is pickle.dumps:
+            logger.warning(
+                "RQ is using the default pickle serializer, which is vulnerable to "
+                "Remote Code Execution (RCE) via Redis (CWE-502). Consider switching "
+                "to a safer serializer like rq.serializers.JSONSerializer. "
+                "See https://github.com/rq/rq/issues/2389 for details."
+            )
+    except Exception:
+        pass
+
 
 @wrapt.decorator
 def wrap_perform(wrapped, instance, args, kwargs):
