Skip to content

Fix PyTorch v1.3+ hook bypass by hooking pickle.Unpickler class #174

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
thomas-chauchefoin-tob merged 2 commits into from
Nov 27, 2025
Merged

Fix PyTorch v1.3+ hook bypass by hooking pickle.Unpickler class #174

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
f1fc0c1
Fix PyTorch v1.3+ hook bypass by hooking pickle.Unpickler class
dhalf Nov 26, 2025
1c0535a
Fix Ruff linting reports
thomas-chauchefoin-tob Nov 27, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
41 changes: 40 additions & 1 deletion fickling/hook.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,12 +7,37 @@

_original_pickle_load = pickle.load
_original_pickle_loads = pickle.loads
_original_pickle_Unpickler = pickle.Unpickler
_original__pickle_Unpickler = _pickle.Unpickler


class FicklingSafetyUnpickler:
"""
Drop-in replacement for pickle.Unpickler that uses fickling's safety analysis.

This class intercepts direct uses of pickle.Unpickler() (e.g., by PyTorch v1.3+)
and routes them through fickling's load() function for security analysis.
"""

def __init__(self, file, *args, **kwargs):
self._file = file
self._args = args
self._kwargs = kwargs

def load(self):
"""Delegate to fickling.load() for security analysis"""
return loader.load(self._file, *self._args, **self._kwargs)


def run_hook():
"""Replace pickle.load() by fickling's load()"""
"""Replace pickle.load() and pickle.Unpickler by fickling's safe versions"""
# Hook the function
pickle.load = loader.load

# Hook the Unpickler class
pickle.Unpickler = FicklingSafetyUnpickler
_pickle.Unpickler = FicklingSafetyUnpickler


def always_check_safety():
"""
Expand All @@ -30,17 +55,31 @@ def new_load(file, *args, **kwargs):
def new_loads(data, *args, **kwargs):
return FicklingMLUnpickler(io.BytesIO(data), also_allow=also_allow, **kwargs).load(*args)

# Hook functions
pickle.load = new_load
_pickle.load = new_load
pickle.loads = new_loads
_pickle.loads = new_loads

# Hook Unpickler class - create a subclass that passes also_allow
class SafeMLUnpickler(FicklingMLUnpickler):
"""Unpickler with pre-configured also_allow list"""

def __init__(self, file, *args, **kwargs):
super().__init__(file, *args, also_allow=also_allow, **kwargs)

pickle.Unpickler = SafeMLUnpickler
_pickle.Unpickler = SafeMLUnpickler


def remove_hook():
"""Restore original pickle functions and classes"""
pickle.load = _original_pickle_load
_pickle.load = _original_pickle_load
pickle.loads = _original_pickle_loads
_pickle.loads = _original_pickle_loads
pickle.Unpickler = _original_pickle_Unpickler
_pickle.Unpickler = _original__pickle_Unpickler


# Alias
Expand Down
1 change: 1 addition & 0 deletions pyproject.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -152,6 +152,7 @@ ignore = [
"pickle_scanning_benchmark/*.py" = ["BLE", "T20", "N806"]
"example/*.py" = ["T20"]
"test/*.py" = ["T20"]
"fickling/hook.py" = ["N816"]

[tool.ruff.lint.isort]
known-first-party = ["fickling"]
Expand Down
Loading