Conversation

@miguelgrinberg miguelgrinberg commented Sep 30, 2025

It has been reported (credit: Ali Raza, BlueRock) that the use of the pickle package from the Python standard library to encode payloads that are passed between Socket.IO processes over a message queue (in a multi-server and/or external process configuration) can be exploited to create a remote code execution.

For this exploit to be viable, the attacker needs to connect to the message queue directly, and push a malicious payload to it. Given that the message queue is an internal component of the server deployment that is not accessible from the public internet, the only reason for concern would be if the queue is configured to listen publicly by mistake.

To confirm that you have a secure deployment, make sure that:

  1. Your message queue is only listening on an internal network interface (i.e. localhost) or VPC. Never deploy the message queue for Socket.IO to the public internet.
  2. For added protection, configure your production message queue with authentication and encryption. Please consult the documentation of your message queue for instructions. The message queue credentials can then be added to the connection URL passed to python-socketio in the configuration. And of course, avoid committing a URL with credentials to source control.

I have added a section to the documentation on secure deployment of the message queue with the above recommendations.

In addition to the above, and considering that pickle does not provide any benefits over other serialization formats, I have decided to remove the use of pickle completely, so that any possibility of an attack, though unlikely, is eliminated. Version 5.14.0 uses JSON as the only communication format for message queue payloads (in previous versions both JSON and Pickle were supported, but Pickle was used by default).

The only side effect of this change is that a mixed deployment that includes servers from before and after this change may fail to communicate, because the older versions will attempt to push Pickle packets to the queue and the newer servers do not understand that format anymore. If all servers are upgraded to 5.14 or newer there shouldn't be any problems.
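The following is an added example, not code from python-socketio or from this pull request, to make the risk described above concrete: a pickle stream pushed onto the queue runs code at `pickle.loads()` time, while a consumer that only accepts JSON turns the same bytes into a parse error. All function and class names are illustrative, the attacker payload is constructed here, and its gadget deliberately only sets an environment variable instead of running a shell command.

```python
"""Added example: pickle-based queue payloads execute code on load; a
JSON-only consumer rejects them. Not python-socketio code; all names are
illustrative."""
import json
import os
import pickle

# Marker the demo gadget sets so the side effect is observable without doing
# anything destructive. A real payload would call os.system() instead.
MARKER = "SOCKETIO_PICKLE_DEMO"


class MaliciousQueuePayload:
    """Object whose pickle stream calls exec() when unpickled."""

    def __reduce__(self):
        code = f"import os\nos.environ[{MARKER!r}] = 'executed'"
        # pickle stores a reference to builtins.exec plus its argument; the
        # class itself never appears in the stream, so the consumer needs no
        # knowledge of it for the call to happen.
        return (exec, (code,))


def build_malicious_message() -> bytes:
    """Constructed attacker payload, as it could be pushed onto an exposed queue."""
    return pickle.dumps(MaliciousQueuePayload())


def consume_with_pickle(raw: bytes):
    """Pre-5.14 style consumer: trusts the queue and unpickles whatever arrives."""
    return pickle.loads(raw)


def consume_json_only(raw: bytes) -> dict:
    """JSON-only consumer: non-UTF-8 or non-JSON input raises ValueError; no code runs."""
    try:
        message = json.loads(raw.decode("utf-8"))
    except UnicodeDecodeError as exc:
        raise ValueError("queue message is not UTF-8 text") from exc
    # json.JSONDecodeError is a ValueError subclass, so it propagates as one.
    if not isinstance(message, dict):
        raise ValueError("queue message must be a JSON object")
    return message


def pickle_consumer_runs_attacker_code() -> bool:
    """Feed the malicious bytes to the pickle consumer; report whether exec() ran."""
    os.environ.pop(MARKER, None)
    consume_with_pickle(build_malicious_message())
    ran = os.environ.get(MARKER) == "executed"
    os.environ.pop(MARKER, None)
    return ran


def json_consumer_rejects_attacker_bytes() -> bool:
    """Feed the same bytes to the JSON-only consumer; report whether it refused them."""
    os.environ.pop(MARKER, None)
    try:
        consume_json_only(build_malicious_message())
    except ValueError:
        rejected = True
    else:
        rejected = False
    # Also confirm nothing executed as a side effect of the failed parse.
    return rejected and MARKER not in os.environ


if __name__ == "__main__":
    print("pickle consumer executed payload:", pickle_consumer_runs_attacker_code())
    print("json consumer rejected payload:  ", json_consumer_rejects_attacker_bytes())
    # Constructed example of a legitimate JSON queue message.
    print(consume_json_only(b'{"method": "emit", "event": "chat", "data": ["hi"]}'))
```

The pickle stream begins with the protocol marker byte 0x80, which is not valid as the first byte of a UTF-8 sequence, so the JSON-only consumer fails before any parsing; even a payload crafted to be valid UTF-8 would only ever produce data, never a call, because `json.loads` has no equivalent of pickle's global lookup and callable invocation.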

codecov-commenter commented Sep 30, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (f61e0be) to head (333349c).

Additional details and impacted files
@@            Coverage Diff            @@
##              main     #1502   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files           31        31           
  Lines         2535      2531    -4     
  Branches       432       432           
=========================================
- Hits          2535      2531    -4     


@miguelgrinberg miguelgrinberg merged commit 53f6be0 into main Sep 30, 2025
44 checks passed
@miguelgrinberg miguelgrinberg deleted the remove-pickle branch September 30, 2025 19:22