Add security context with deserialization guard #1
+800
−1
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Introduces a context-aware taint tracking mechanism to protect against arbitrary code execution during pickle deserialization. Core mechanism: - Added `security_ctx` struct to PyContext with deserialization_taint_counter - New internal API to track deserialization state: * _PyContext_IncrementDeserializationTaint() * _PyContext_DecrementDeserializationTaint() * _PyContext_IsDeserializationTainted() - Taint counter is incremented when entering pickle.loads() and decremented on exit (both success and error paths) - Taint state propagates to new contexts created during deserialization Design rationale: Extends PyContext (thread context) as it's the existing mechanism for context variables and is natively supported by higher-level concurrency models like asyncio. Storing the security state in the C struct prevents malicious user code from overriding or bypassing the protection. Protection via audit hooks: - When deserialization is active, blocks dangerous operations including: * System commands (os.system, subprocess.Popen) * Code execution (exec, compile) * File modifications and thread creation * Dynamic loading (ctypes) and network operations
- Updated `test_os_system_allowed_outside_pickle` to use `os.system('true')` for better clarity.
- Improved handling of event loop policies in `test_taint_cleared_on_error` to ensure proper cleanup.
- Removed outdated tests for `exec` and `compile` blocking, as they are no longer blocked.
- Introduced a new `HARDEN_MODE` configuration to control the behavior of deserialization security checks, allowing for warnings or errors based on the mode set via the `PYTHONHARDENMODE` environment variable.
- Fix failing tests
- Introduced a Dockerfile for building a Python environment based on Debian. - Configured essential packages and optimizations for Python installation. - Added a .dockerignore file to exclude unnecessary files and directories from the Docker context, improving build efficiency.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Overview
Introduces a context-aware taint tracking mechanism to protect against
arbitrary code execution during pickle deserialization.
Core mechanism
Added
security_ctxstruct to PyContext with deserialization_taint_counterNew internal API to track deserialization state:
Taint counter is incremented when entering pickle.loads() and decremented
on exit (both success and error paths)
Taint state propagates to new contexts created during deserialization
Design rationale
Extends PyContext (thread context) as it's the existing mechanism for context
variables and is natively supported by higher-level concurrency models like
asyncio. Storing the security state in the C struct prevents malicious user
code from overriding or bypassing the protection.
Protection via audit hooks