Merge pull request #187 from trailofbits/fix-GHSA-r7v6-mfhq-g3m2

thomas-chauchefoin-tob · web-flow · commit 2a763ab3c742 · 2025-12-15T17:00:42.000+01:00
diff --git a/fickling/analysis.py b/fickling/analysis.py
@@ -223,6 +223,7 @@ class UnsafeImportsML(Analysis):
         "torch.hub": "This module can load untrusted files from the web, exposing the system to arbitrary code execution.",
         "dill": "This module can load and execute arbitrary code.",
         "code": "This module can compile and execute arbitrary code.",
+        "pty": "This module contains functions that can perform system operations and execute arbitrary code.",
     }
 
     UNSAFE_IMPORTS = {
diff --git a/fickling/fickle.py b/fickling/fickle.py
@@ -875,6 +875,7 @@ def unsafe_imports(self) -> Iterator[ast.Import | ast.ImportFrom]:
                 "sys",
                 "builtins",
                 "socket",
+                "pty",
                 "marshal",
                 "types",
             ):
diff --git a/test/test_bypasses.py b/test/test_bypasses.py
@@ -7,6 +7,45 @@
 
 
 class TestBypasses(TestCase):
+    # https://github.com/trailofbits/fickling/security/advisories/GHSA-r7v6-mfhq-g3m2
+    def test_missing_pty_unsafe_imports_ghsa(self):
+        pickled = Pickled(
+            [
+                op.Proto.create(4),
+                op.Frame(26),
+                op.ShortBinUnicode("pty"),
+                op.Memoize(),
+                op.ShortBinUnicode("spawn"),
+                op.Memoize(),
+                op.StackGlobal(),
+                op.Memoize(),
+                op.ShortBinUnicode("id"),
+                op.Memoize(),
+                op.TupleOne(),
+                op.Memoize(),
+                op.Reduce(),
+                op.Memoize(),
+                op.ShortBinUnicode("gottem"),
+                op.Memoize(),
+                op.Build(),
+                op.Stop(),
+            ]
+        )
+        self.assertGreater(check_safety(pickled).severity, Severity.LIKELY_SAFE)
+
+    # https://github.com/trailofbits/fickling/pull/108
+    def test_missing_pty_unsafe_imports_pr(self):
+        pickled = Pickled(
+            [
+                op.Mark(),
+                op.Global("pty spawn"),
+                op.String("id"),
+                op.Obj(),
+                op.Stop(),
+            ]
+        )
+        self.assertGreater(check_safety(pickled).severity, Severity.LIKELY_SAFE)
+
     # https://github.com/trailofbits/fickling/security/advisories/GHSA-565g-hwwr-4pp3
     def test_missing_marshal_and_types(self):
         code = compile('import os\nos.system("id")', "<string>", "exec")

Original file line number	Diff line number	Diff line change
`@@ -223,6 +223,7 @@ class UnsafeImportsML(Analysis):`
`223`	`223`	`"torch.hub": "This module can load untrusted files from the web, exposing the system to arbitrary code execution.",`
`224`	`224`	`"dill": "This module can load and execute arbitrary code.",`
`225`	`225`	`"code": "This module can compile and execute arbitrary code.",`
	`226`	`+ "pty": "This module contains functions that can perform system operations and execute arbitrary code.",`
`226`	`227`	`}`
`227`	`228`
`228`	`229`	`UNSAFE_IMPORTS = {`