Expand dangerous imports blocklist for better coverage (#215)

* Expand dangerous imports blocklist for better coverage

Add ~40 additional modules to UNSAFE_IMPORTS including:
- Network modules (requests, aiohttp, httplib, etc.)
- FFI modules (ctypes, _ctypes)
- Profiling/debugging (cProfile, profile, pdb, timeit, trace)
- Pickle recursion (pickle, dill, cloudpickle, joblib)
- Filesystem (shutil, tempfile, distutils)
- Import manipulation (importlib, pkgutil, zipimport)
- Torch dangerous (torch.hub, torch._dynamo, torch._inductor, torch.jit)

---------
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Co-Authored-By: Thomas Chauchefoin <thomas.chauchefoin@trailofbits.com>

Author: 3 people

fickling/analysis.py

@@ -240,6 +240,12 @@ class UnsafeImportsML(Analysis):
         "urllib": "This module can use HTTP to leak local data and download malicious files.",
         "urllib2": "This module can use HTTP to leak local data and download malicious files.",
         "torch.hub": "This module can load untrusted files from the web, exposing the system to arbitrary code execution.",
+        "torch._dynamo": "This module can compile and execute arbitrary code through dynamic compilation.",
+        "torch._inductor": "This module can compile and execute arbitrary native code.",
+        "torch.jit": "This module can compile and execute arbitrary code through JIT compilation.",
+        "torch.compile": "This module can compile and execute arbitrary code through dynamic compilation.",
+        "numpy.f2py": "This module can compile and execute arbitrary Fortran/C code.",
+        "numpy.distutils": "This module can execute arbitrary build commands.",
         "dill": "This module can load and execute arbitrary code.",
         "code": "This module can compile and execute arbitrary code.",
         "pty": "This module contains functions that can perform system operations and execute arbitrary code.",
@@ -260,10 +266,6 @@ class UnsafeImportsML(Analysis):
             "So this import is safe only if restrictions on pickle (such as Fickling's hooks) have been set properly",
         },
         "numpy.testing._private.utils": {"runstring": "This function can execute arbitrary code."},
-        "numpy.f2py.crackfortran": {
-            "getlincoef": "This function can execute arbitrary code.",
-            "_eval_length": "This function can execute arbitrary code.",
-        },
         "_io": {"FileIO": "This class can read/write arbitrary files."},
         "io": {"FileIO": "This class can read/write arbitrary files."},
     }

fickling/fickle.py

@@ -40,64 +40,86 @@
 
 UNSAFE_IMPORTS: frozenset[str] = frozenset(
     [
-        # Core builtins and system modules
+        # Builtins - can execute arbitrary code
         "__builtin__",
         "__builtins__",
         "builtins",
+        # System/process execution
         "os",
         "posix",
         "nt",
         "subprocess",
         "sys",
-        "socket",
         "pty",
+        "commands",  # Legacy Python 2 module
+        "multiprocessing",
+        # Code execution/compilation
+        "code",
+        "codeop",
+        "runpy",
         "marshal",
         "types",
-        "runpy",
-        "cProfile",
-        "ctypes",
-        "pydoc",
+        "compile",
+        "exec",
+        "eval",
+        # Import manipulation
         "importlib",
-        "code",
-        "multiprocessing",
-        # File and shell operations
-        "shutil",
-        "distutils",
-        "commands",
+        "pkgutil",
+        "zipimport",
         # Operator module bypasses
         "_operator",
         "operator",
         "functools",
-        # Async subprocess execution
-        "asyncio",
-        # Code execution via profilers/debuggers
+        # Profiling/debugging (can execute code)
+        "cProfile",
         "profile",
-        "trace",
         "pdb",
         "bdb",
         "timeit",
-        "doctest",
-        # Package and environment manipulation
-        "venv",
-        "pip",
-        "ensurepip",
-        # Network and web modules
-        "webbrowser",
-        "aiohttp",
+        "trace",
+        # Network - data exfiltration/download
+        "socket",
+        "ssl",
         "httplib",
         "http",
-        "ssl",
-        "requests",
         "urllib",
         "urllib2",
+        "requests",
+        "aiohttp",
+        "asyncio",  # Can run arbitrary coroutines
+        "webbrowser",  # Can open arbitrary URLs
         "smtplib",
         "imaplib",
         "ftplib",
         "poplib",
         "telnetlib",
         "nntplib",
-        # IDE and dev tools
+        # FFI/native code execution
+        "ctypes",
+        "_ctypes",
+        # Pickle recursion (nested pickle attacks)
+        "pickle",
+        "_pickle",
+        "dill",
+        "cloudpickle",
+        "joblib",
+        # File system operations
+        "shutil",
+        "tempfile",
+        "filecmp",
+        "distutils",
+        # Shell/terminal
+        "pydoc",  # Can run code via pydoc.pager
+        "pexpect",
+        # Virtual environments (can install packages)
+        "venv",
+        "ensurepip",
+        "pip",
+        # Documentation testing (can run code)
+        "doctest",
+        # IDLE modules (code execution)
         "idlelib",
+        # Parser generators (code execution)
         "lib2to3",
     ]
 )